librepo needs RPM backend new API for multiple signature verification with expired key handling in a single stream #356

@fhbash

Description:

The current RPM library API used by librepo's RPM backend lacks proper support for handling multiple signatures on packages, specifically for implementing the logic where "at least one valid signature should allow package acceptance while all invalid/expired signatures should cause rejection."

Background:

This issue is related to #207. The RPM backend has this ticket for task RHEL-112394, and it's in Planning. As soon as this is done and merged, we can move forward with this implementation in librepo.

The gpgme backend task was done in #354.

Current Problem:

The latest RPM backend is missing an API to deal with multiple signatures/keys.

Impact:

Without these RPM API enhancements, librepo cannot implement proper multiple signature verification logic that aligns with crypto-policy requirements defined in RHEL-112394.

Dependencies:

Labels:

- RFE: Request For Enhancement (as opposed to a bug)
- Triaged: Someone on the DNF 5 team has read the issue and determined the next steps to take
