voa-openpgp: Use streaming signature verification, once it's available in rPGP

voa-openpgp, in verify_from_file uses SignatureVerifier::verify from rpgpie to check signature validity. This API currently requires loading the signed data into RAM (usually in voa that payload will be a package file).

Loading package files into RAM is not prohibitive (but it's a little silly). However, for larger signed files (e.g. ISOs), RAM might become a limiting factor.

So once rPGP offers a signature verification API for detached signatures (see https://github.com/rpgp/rpgp/issues/657), voa-openpgp should use that API!

As a half separate, but related point: If we have multiple candidate SignatureVerifiers for a single signature (which should not usually be the case), we'd currently perform two distinct signature verification passes.

With the payload loaded into RAM, this doesn't matter much - but when streaming from a file reader, verifying with all SignatureVerifiers in parallel is much preferable. With the upcoming rPGP API, performing the signature check with multiple candidate verifiers in one pass will be possible, and should be implemented here.

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information

Admin message

voa-openpgp: Use streaming signature verification, once it's available in rPGP