Get signed metadata objects from URLs

TODO:

• Download message+sig from separate URLs
• Read message+sig from file(s), moved to separate issue in #35
• Verify message+sig for a given public key (blocked by #9 (closed))

(Thinking out loud:)

It might be nice to have an interface for the above. For example:

type Source interface {
    // nil error if msg and sig could be read and and verified; non-nil msg and sig but ErrSignature if just signature verification failed
    Get(ctx context.Context) (msg, sig []byte, err error)
}

where the Get method is expected to take care of HTTP requests or file reads as well as signature verification.

Edit: reworked the above into a Loader interface that also takes care of unmarshalling.