debian/watch: Download upstream source more securely

Use https instead of http for transport for transport-layer privacy
and integrity protection.  More importantly, specify pgpsigurlmangle
and a signing key to allow "uscan" to check that the tarball was
genuinely released by Lasse Collin.

Based on advice from Policy 4.11.

While we're here, use the XZ compressed tarball, since it's a little

3 files changed