Check that all OpenPGP signatures are a single signature packet

[DemiMarie]

This is already implemented for the internal backend, but I am not sure if it is done by the Sequoia backend. For consistency, RPM should enforce this in all backends. The amount of code needed for this is very small.

I am willing to make a PR.

[nwalfield]

You're probably right that this is only a couple of lines of code. The check needs to be added to rpm-sequoia. The test case needs to be added to rpm. If you create a test case for rpm, I'll add the code to rpm-sequoia (or merge a PR).

[nwalfield]

There was some talk about supporting multiple signatures in issue #189 . So, I'd prefer an ack that this is correct behavior from @pmatilai before working on this.

[pmatilai]

I think @DemiMarie is referring to this: 5ff8676
I don't know whether Sequoia allows that in the first place or not.

Issue #189 is about supporting multiple independent signatures on a package, not related.

[nwalfield]

Looking at rpm-sequoia's code, it should reject multiple signatures. (A unit test would be good to confirm this and be useful for any future OpenPGP backend.)

[DemiMarie]

I think @DemiMarie is referring to this: 5ff8676
I don't know whether Sequoia allows that in the first place or not.

This is correct. I was actually going to suggest enforcing this somewhere in RPM’s C code, so that all backends behave consistently. In particular, any backend based on GnuPG would need such a check badly.

Looking at rpm-sequoia's code, it should reject multiple signatures. (A unit test would be good to confirm this and be useful for any future OpenPGP backend.)

I will look at that when I get the time.

[pmatilai]

What's considered rpm-level C code no longer knows about such packet level details, backends will need to deal with RFC compliancy on their own.