fix(ci): configure gpg for non-interactive RPM signing

Add %__gpg_sign_cmd macro to ~/.rpmmacros with --batch, --no-tty, and
--pinentry-mode loopback so rpm --addsign works without a TTY in CI.

Also add signing progress output and post-sign verification to
publish-repo.sh for easier debugging.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

script/publish-repo.sh

@@ -6,7 +6,9 @@ REMOTE_DIR="/var/www/rpm/fedora/43/x86_64"
 
 # sign each rpm with the imported gpg key
 for rpm in "${RPM_DIR}"/*.rpm; do
+    echo "signing ${rpm}..."
     rpm --addsign "${rpm}"
+    rpm --checksig "${rpm}"
 done
 
 install --directory --mode 700 ~/.ssh