This adds an option `-p` or `--verify-program` to be able to override
`gpg` as used by default.
This is useful on Ubuntu 16.04 where `gpg` still gpg 1.x,
and it is desireable to use `gpg2` instead to be able to verify ECDSA
signatures and such.
- Allow comparing to a sepcific 'golden' manifest with `--compare-to`
- By default pick the first manifest to compare to, instead of always
comparing against the previous one, which is confusing
- Show line-by-line difference if `-v` given