cavaliergopher / rpm

A Go implementation of the RPM file format
BSD 3-Clause "New" or "Revised" License

RFE: Support for newer Signature/Digest tags #28

Open NeilHanlon opened 11 months ago

NeilHanlon commented 11 months ago

Currently, go-rpm supports the RPMv3 signature headers (SIGMD5, SIGPGP, SIGGPG), but does not support the v4 headers like SHA1HEADER, RSAHEADER, and DSAHEADER. From RPMv4.14 on (which adds the SHA256HEADER), RPMs do not include the v3 headers, and only have the v4 headers (if the key is of sufficient entropy). Reference: https://rpm-software-management.github.io/rpm/manual/signatures_digests.html

It would be beneficial to have support in this library for handling these headers. We have a POC available here that we have been working with for integration with Rekor, but are currently at the point where we're determining how/if Rekor would update to a newer version of the rpm library if this support were added.

https://github.com/sigstore/rekor/issues/1569

Please let me know what your thoughts are on adding support for these v4 headers.
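The v3/v4 tag split described above, as an added example that is not part of go-rpm or the issue: a standalone Go check that walks the index of an RPM signature header and reports which generation of signature/digest tags it carries, so a consumer can tell a v4-only package from one that still has SIGMD5/SIGPGP before deciding what it can verify. Tag numbers come from rpm's rpmtag.h; the sample header is constructed, and the code reads only the index, it does not verify any signature.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"fmt"
)

// Signature-header tag numbers from rpm's rpmtag.h: v3 tags are RPMSIGTAG_*
// (1000 range); v4 tags share their numbers with the RPMTAG_*HEADER tags.
var sigTagNames = map[int32]string{
	1002: "SIGPGP", 1004: "SIGMD5", 1005: "SIGGPG",
	267: "DSAHEADER", 268: "RSAHEADER", 269: "SHA1HEADER", 273: "SHA256HEADER",
}
var headerMagic = []byte{0x8e, 0xad, 0xe8, 0x01}
// SigTagsPresent walks the index of an RPM header structure (the signature header
// that follows the 96-byte lead) and returns the v3 and v4 signature/digest tag
// names it carries. Only the index is read; tag data is not decoded or verified.
func SigTagsPresent(hdr []byte) (v3, v4 []string, err error) {
	if len(hdr) < 16 || !bytes.Equal(hdr[:4], headerMagic) {
		return nil, nil, fmt.Errorf("not an rpm header structure")
	}
	nindex := binary.BigEndian.Uint32(hdr[8:12])
	hsize := binary.BigEndian.Uint32(hdr[12:16])
	if uint64(len(hdr)) < 16+uint64(nindex)*16+uint64(hsize) {
		return nil, nil, fmt.Errorf("truncated header: %d entries, %d data bytes", nindex, hsize)
	}
	for i := 0; i < int(nindex); i++ {
		tag := int32(binary.BigEndian.Uint32(hdr[16+i*16:]))
		if name, ok := sigTagNames[tag]; ok && tag >= 1000 {
			v3 = append(v3, name)
		} else if ok {
			v4 = append(v4, name)
		}
	}
	return v3, v4, nil
}

// buildHeader assembles a minimal header structure carrying the given tags with
// empty data (a constructed sample for the demo, not taken from a real package).
func buildHeader(tags ...int32) []byte {
	buf := append([]byte{}, headerMagic...)
	buf = append(buf, 0, 0, 0, 0) // reserved
	buf = binary.BigEndian.AppendUint32(buf, uint32(len(tags)))
	buf = binary.BigEndian.AppendUint32(buf, 0) // hsize: no data section
	for _, t := range tags {
		buf = binary.BigEndian.AppendUint32(buf, uint32(t))
		buf = append(buf, 0, 0, 0, 7, 0, 0, 0, 0, 0, 0, 0, 0) // type=BIN, offset=0, count=0
	}
	return buf
}
```

Feeding `SigTagsPresent` the signature header of a package built by rpm 4.14 or later should yield an empty v3 list and SHA256HEADER/SHA1HEADER plus RSAHEADER or DSAHEADER in v4, which is exactly the shape the v3-only code path cannot handle.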