Don't enforce gpg-verify false when using collection id

With the new sideload approach to collection ids it is fine to require
gpg signed summaries. (Not for the child repos or the sideload repos
though, but thoser are either trusted (sideload) or safe for other
reasons like ref-bindings and signed commits).

common/flatpak-dir.c

@@ -12801,18 +12801,6 @@ flatpak_dir_update_remote_configuration_for_state (FlatpakDir         *self,
                 {
                   has_changed = TRUE;
                   g_key_file_set_string (config, group, key, new_val);
-
-                  /* Special case for collection-id: if it’s set, gpg-verify-summary
-                   * must be set to false. The logic above ensures that the
-                   * collection-id is only set if we’re transitioning from an
-                   * unset to a set collection-ID. We *must not* allow the
-                   * collection ID to be changed from one set value to another
-                   * without the user manually verifying it; or a malicious
-                   * repository could assume the collection ID of another without
-                   * the user’s consent. */
-                  if (g_str_equal (key, "collection-id") &&
-                      new_val != NULL && *new_val != '\0')
-                    g_key_file_set_boolean (config, group, "gpg-verify-summary", FALSE);
                 }
             }
 

common/flatpak-utils.c

@@ -2876,7 +2876,7 @@ flatpak_parse_repofile (const char   *remote_name,
   /* If a collection ID is set, refs are verified from commit metadata rather
    * than the summary file. */
   g_key_file_set_boolean (config, group, "gpg-verify-summary",
-                          (gpg_key != NULL && collection_id == NULL));
+                          (gpg_key != NULL));
 
   authenticator_name = g_key_file_get_string (keyfile, FLATPAK_REPO_GROUP,
                                               FLATPAK_REPO_AUTHENTICATOR_NAME_KEY, NULL);