Add signature to get-pip.py

[szepeviktor]

See the security breach at PEAR https://twitter.com/pear/status/1086634389465956352

Composer uses two different source for signature and payload:

• https://composer.github.io/installer.sig
• https://getcomposer.org/installer

Please consider adding it.
Thank you!

[tomaszzielinski]

I second this--things like official Python Docker images [1] (and obviously all images that depend on them) use get-pip.py so any incident can have a huge impact.

[1] https://hub.docker.com/_/python

[pradyunsg]

If someone does the work to generate these automatically as a part of invoke generate, I'll be happy to merge that in.

[tomaszzielinski]

@pradyunsg Could you roughly describe what would need to be done here? I don't know much about get-pip..

One big question is how to verify pip itself--because if it's not verified then I think we would just shift the problem?