Refactor PGP verification to use inheritance-based architecture

[Copilot]

Replaces PgpVerificationHelper static class with PgpVerifier abstract base class to provide cleaner inheritance hierarchy for PGP signature verification.

Architecture Changes

New PgpVerifier abstract base class (extends FileVerifier)

• Encapsulates GPG verification workflow and timestamp extraction
• Provides VerifyPgpSignature() as public static method for shared use
• Defines abstract GetSignatureDocumentAndSignableContent() contract

SigVerifier inheritance

• Now extends PgpVerifier instead of FileVerifier
• Implements signature/content extraction for detached .sig files

LinuxPackageVerifier composition

• Continues extending ArchiveVerifier (required for archive unpacking)
• Calls PgpVerifier.VerifyPgpSignature() static method
• Maintains compatibility with RpmVerifier and DebVerifier subclasses

FileVerifier
  ├── PgpVerifier (abstract)
  │   └── SigVerifier
  └── ArchiveVerifier
      └── LinuxPackageVerifier
          ├── RpmVerifier
          └── DebVerifier

Works around C# single inheritance limitation by providing static method for classes that cannot inherit from PgpVerifier.

To double check:

• The right tests are in and the right validation has happened. Guidance: https://github.com/dotnet/arcade/blob/main/Documentation/Validation.md
  • No existing test infrastructure for SignCheck
  • Build verified on net472 and net11.0 targets

Original prompt

---

This section details on the original issue you should resolve

<issue_title>SignCheck should validate detached signatures</issue_title>
<issue_description>Support for signing tars and zips with detached signatures was added into SignTool: #16035. We should add verification for these detached signatures in SignCheck. SignCheck would need a way to accept additional signature info for these signed artifacts (signature file, public key)</issue_description>

<agent_instructions>Allow SignCheck to validate detached PGP signatures by introducing first-class support for .sig assets.

• Add a new file verifier type for .sig files.
• Refactor the existing Linux package verification into a generic PGP verifier base (since detached signatures should be PGP-verified), and have the new .sig verifier inherit from / reuse that PGP verification implementation.
• A detached signature must always have the same name as the signed file, with an added .sig extension (e.g., foo.tar.gz ↔ foo.tar.gz.sig).</agent_instructions>

Comments on the Issue (you are @copilot in this section)

• Fixes SignCheck should validate detached signatures #16249

---

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

[ellahathaway]

@copilot - Instead of creating a helper class, please rename LinuxPackageVerifier to PgpVerifier, and update all references accordingly. Then have SigVerifier inherit from PgpVerifier.