* this introduces another layer of security, especially for when the
  signing key is fetched from a URL
* adapted from the suggestion made by Peter Brand
* abort if the fingerprint is defined and doesn't match the calculated
  value
* complain if no fingerprint is specified and the certificate is fetched
  from a URL (but keep quiet if it's a local file)