
kas: Repository replacement vulnerability via tag-based references

09 Jun 2026 · Read 1 min · Severity: schedule it

What changed

A security vulnerability in kas allows an attacker to replace a repository with a malicious one under specific conditions, potentially replacing the key used for signature validation.

Who it affects

Users of kas who include configuration files from repositories referenced by tag without a commit ID, store signature keys as files in repositories without specifying a fingerprint, and do not set _source_dir.

What to do today

Update to kas version 5.3 or later, and pin the expected signature key via its fingerprint.
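To find configurations that match the three conditions above before upgrading, a check along these lines can be run over a project file. This is an added example, not code from kas or from the advisory. It assumes the file is in JSON form and that signer entries use `path` and `fingerprint` keys; the sample configuration, names and URLs are constructed.

```python
import json

# Constructed kas project file in JSON form; all names and URLs are made up.
SAMPLE = json.loads("""
{
  "header": {"version": 19},
  "signers": {
    "vendor": {"repo": "meta-vendor", "path": "keys/vendor.asc"},
    "pinned": {"repo": "meta-vendor", "path": "keys/pinned.asc",
               "fingerprint": "PLACEHOLDER_FINGERPRINT"}
  },
  "repos": {
    "meta-vendor": {"url": "https://git.example.invalid/meta-vendor.git",
                    "tag": "v1.0"},
    "meta-locked": {"url": "https://git.example.invalid/meta-locked.git",
                    "tag": "v2.0", "commit": "PLACEHOLDER_COMMIT_ID"}
  }
}
""")

CONDITIONS = {"tag-without-commit", "key-file-without-fingerprint", "no-_source_dir"}

def audit(config):
    """Return (condition, name) findings for the advisory's three conditions."""
    findings = []
    # Simplification: every repo is checked, not only those providing includes.
    for name, repo in (config.get("repos") or {}).items():
        if (repo or {}).get("tag") and not (repo or {}).get("commit"):
            findings.append(("tag-without-commit", name))
    # Assumed schema: a signer whose key is a file in a repo has a "path" key.
    for name, signer in (config.get("signers") or {}).items():
        if (signer or {}).get("path") and not (signer or {}).get("fingerprint"):
            findings.append(("key-file-without-fingerprint", name))
    if "_source_dir" not in config:
        findings.append(("no-_source_dir", "<top level>"))
    return findings

def is_exposed(config):
    """True only when all three conditions hold at once."""
    return CONDITIONS <= {kind for kind, _ in audit(config)}

if __name__ == "__main__":
    for kind, name in audit(SAMPLE):
        print(f"{kind}: {name}")
    print("matches advisory conditions:", is_exposed(SAMPLE))
```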
