2755: Verify permission signatures on create.
Phase 1 of #2755: when creating a new collection, verify any permission
signatures found in the manifest. Unsigned locators in the manifest are
implicitly permitted (to be disabled in Phase 4)
* Collections.create checks permission signatures in a manifest.
* Collections.show signs locators in a manifest.
* Unit test test_create_collection_with_signed_manifest exercises the
'create' and 'show' methods on a signed manifest.
* application.default.yml, application.yml.example: added configuration
variable Rails.configuration.permission_key.