tools: Avoid confusion between keys and signatures

We should be consistent in using the term 'signature' to describe a value
added to sign something and 'key' to describe the key that can be used to
verify the signature.

Tidy up the code to stick to this.

Add some comments to fit_config_verify_key() and its callers while we are
here.

Signed-off-by: Simon Glass <sjg@chromium.org>