fix(ci): import public key for checksig and force dist tag override

Import the GPG public key into rpm's keyring so rpm --checksig can
verify signatures. Also use --undefine dist before --define to ensure
the CLI value overrides the system macro on the build host.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

script/publish-repo.sh

@@ -5,6 +5,9 @@ RPM_DIR="${1:?usage: $0 <rpm-directory>}"
 : "${FEDORA_VERSION:?}"
 REMOTE_DIR="/var/www/rpm/fedora/${FEDORA_VERSION}/x86_64"
 
+# import the public key into rpm's keyring for verification
+gpg --export --armor "$(rpm --eval '%{_gpg_name}')" | rpm --import /dev/stdin
+
 # sign each rpm with the imported gpg key
 for rpm in "${RPM_DIR}"/*.rpm; do
     echo "signing ${rpm}..."