RPMTAG_OPENPGP returns legacy non-header signatures via "extension" code

[dralley]

Describe the bug

RPMTAG_OPENPGP is documented to return header-only signatures.

When used with the HEADERGET_EXT flag, the extension code for the handling of this tag returns legacy header + payload signatures in the mix.

The commit message suggests this was intentional (bea8f45), but it does not conform to the documented behavior of that tag. It makes usage challenging, because you cannot trust that these signatures can be verified against the header bytes range, and the behavior changes depending on whether RPMTAG_OPENPGP was actually present or not.

Querying multiple different tags should not be considered a problem when the usage of the return values is genuinely different.

To Reproduce
Steps to reproduce the behavior:

1. Take a package which contains V4 (RSAHEADER/DSAHEADER) and V3 signatures (SIGPGP/SIGGPG)
2. Call headerGet(RPMTAG_OPENPGP) with HEADERGET_EXT flags enabled
3. Observe that >1 signatures are present

Expected behavior

Fetching from the RPMTAG_OPENPGP should return only header-only signatures as documented - disincluding legacy signatures. SIGPGP / SIGGPG signatures should be ignored.

Environment

• OS / Distribution: F43
• Version: rpm 6.0.1

[dralley]

OK, so, this behavior is actually documented, just under the extensions section of tags.md. I suppose in that sense it can't be considered a bug.

However, it is kind of an annoying inconsistency.

It would have been nice if the EXT returned OPENPGP OR, if not present, RSAHEADER / DSAHEADER. That way with one tag you can get "the header signature(s)" whether V4 or V6, and the behavior is consistent between EXT and not-EXT, and still simplifies things.

But w/ the mixing w/ legacy signatures, which are not interesting to my case, I can't rely on this, because I have no idea which type of signature is which, so to actually use them I need to go back to the source and look at OPENPGP, RSAHEADER, and DSAHEADER.

[pmatilai]

It seems like a fair point, actually. I had only considered the purpose "give me all signatures in the package", mainly for the purposes of 'rpm -q --info' view, but to use it for actual verification, you'd need to know what is what.

I don't know what the resolution is going to be, but based on your feedback we need

• a way to get all signatures (existing behavior)
• a way to get all header-only signatures

And from that it seems that we should have the following too, even if only for consistency's / completeness sake:

• a way to get all header+payload signatures