Alternative approach at signature creation using PGPainless

[vanitasvitae]

This PR allows to use PGPainless for OpenPGP signature creation.
It is an alternative approach to #48 which incorporates some of the feedback given.

Contrary to #48, this PR does not straight up replace the existing BC-based signature implementation, but instead introduces a factory pattern, which allows to swap out the implementation backend.

The code is not yet tested, so I'll mark it as WIP.

Still, I'd like to get some feedback to get an idea of how to proceed :)

[vanitasvitae]

I'm happy for feedback :)
Please let me know, how you'd inject the PgpSignerCreatorFactory and PgpSignatureProcessorFactory instances via the optional dependency :)

[vanitasvitae]

RpmSignatureTag.GPG was missing, so I added it.
Do I understand the protocol correctly in that RsaSignatureProcessor (and analogue PGPainlessSignatureProcessor) do implement the "RPM v3 signature with the same key on the header+payload" the manual is talking about?

Again, the documentation only mentions ECDSA, not EdDSA.

[dwalluck]

We support RPMv4, not RPMv3, so I don't think we want the older tags mentioned there.

[dwalluck]

I mean, you can keep the constants defined, but I am not sure we want to write them in the header.

[vanitasvitae]

RsaSignatureProcessor is using RpmSignatureTag.PGP (which as far as I understand is RPM v3) here.

[dwalluck]

RsaSignatureProcessor is using RpmSignatureTag.PGP (which as far as I understand is RPM v3) here.

It depends what version of RPM we are emulating. I can find "RPMSIGTAG_PGP, RPMSIGTAG_GPG (and RPMSIGTAG_PGP5) are no longer created in >= 4.16". So, we can have both sets, but if we are going to only have one set, it should not be these.

I think the new ones only process the header, whereas the old ones processed the header together with the payload.

[vanitasvitae]

I'm still confused.
To slim down the PR I'd remove the new constant again.
However, what RpmSignatureTag should I use in the PGPainlessSignatureProcessor for EdDSA/DSA signatures?
If RpmSignatureTag.PGP (used for RSA) is also no longer created in newer Rpm versions, shall I just remove the PGPainlessSignatureProcessor altogether? What about its BC counterpart (RsaSignatureProcessor)? Remove that as well? It appears it is still in use in RpmFileSignatureProcessor. Is this class also obsolete then?

[dwalluck]

There are two types of signatures. One is header-only and one is header and payload. That makes two possible for RSA and two possible for DSA/EdDSA for a total of four signature tags.

I think it is like this:

1. DSA tag: 267 type: header (RPMv4)
2. RSA tag: 268 type: header (RPMv4)
3. PGP tag: 1002 type: header+payload (RPMv3; deprecated)
4. GPG tag: 1005 type: header+payload (RPMv3; deprecated)

[vanitasvitae]

So RpmFileSignatureProcessor currently uses RPMv3 signing then (RsaSignatureProcessor uses PGP tag).
I guess I'll leave RsaSignatureProcessor untouched and also won't change RpmFileSignatureProcessor in this PR.

I'll remove PGPainlessSignatureProcessor (which would do RPMv3 signing) and instead only implement PGPainlessHeaderSignatureProcessor.

[vanitasvitae]

I'm not super fond of the name of the module, so feel free to provide suggestions :)

[dwalluck]

I'm not super fond of the name of the module, so feel free to provide suggestions :)

I would just call the directory/module pgpainless, and the artifact packager-pgpainless.