Test publishing multitarballs with signatures

Verify that packages with multiple tarballs are handled correctly: their component tarballs should be published, as well as their signatures.

Before !55 (merged) is merged, the last step of test failed, as can be seen here: https://gitlab.collabora.com/obs/open-build-service/-/jobs/241352

For this, artificially extend the dash package with an empty component tarball called "vendor", with fake unverifiable signature files only containing the word "signature".

Instead of editing the .dsc file to include those, unpack the source package and generate it again, allowing dpkg-buildpackage to pick up the new component tarball.