* feat: expose rpm signature information
This helps with more confident identification of an rpm.
In theory, two rpms can be built that have the same purl string, and
otherwise look identical in syft's output, but the PGP information
would distinguish them as signed either by different keys, or signed at
different times.
In practice, this usually makes no difference since rpms tend to have
unique name/version/release strings. This just gives increased
confidence about the identity of the rpm found in the db.
Signed-off-by: Ralph Bean <rbean@redhat.com>
* chore: generate json schema
Signed-off-by: Ralph Bean <rbean@redhat.com>
* re-generate json schema
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* rename to a more generic signature field
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* rename rpm.pgp to rpm.signatures
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* split out signature fields
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* bump json schema
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* include RPM archives
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* update json schema
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* dont fail on unknown signature type
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: Ralph Bean <rbean@redhat.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com>
