force a sane umask when making temp gpg home dir

Someone reported:

gpg: WARNING: unsafe permissions on homedir `/var/folders/m6/zkd11n111m38ff37zbtgq0lr0000gp/T/git-annex-gpg.tmp.0'

Just a warning, but let's fix it anyway. Preumably the user has one of the
many insane and delightful umasks users sometimes use to shoot themselves
in their feet.

Assistant/Upgrade.hs

@@ -348,7 +348,7 @@ verifyDistributionSig :: FilePath -> IO Bool
 verifyDistributionSig sig = do
 	p <- readProgramFile
 	if isAbsolute p
-		then withTmpDir "git-annex-gpg.tmp" $ \gpgtmp -> do
+		then withUmask 0o0077 $ withTmpDir "git-annex-gpg.tmp" $ \gpgtmp -> do
 			let trustedkeys = takeDirectory p </> "trustedkeys.gpg"
 			boolSystem gpgcmd
 				[ Param "--no-default-keyring"