Work with ecosystem stakeholders on a generally useful set of signing and verification APIs

[dralley]

By "generally useful" I mean that they would potentially be usable projects like DNF, ostree, and so forth, as described by Neal Walfield here

(what we have already might be perfectly fine for Rust, but maybe there are additional cases to handle, or maybe an additional C-API would be useful)

rpm's OpenPGP API is not great (see e.g., rpm-software-management/rpm#2041, and this thread). Initially we wanted to wholesale replace it, but because the OpenPGP API is part of rpm's public API, that would require an soname bump, which is not scheduled for a while. As such, we decided to reimplement the existing API in terms of Sequoia. In the future, we hope to completely redesign the API. The new API would not be rpm specific, but would be designed to also be used by other projects like dnf, ostree, etc. We'd like to get started on that as soon as possible, but without a sponsor like RedHat, we don't have the resources to undertake that project right now. Until that happens, if you need to use this API, but use it via librpmio.

It would be great if we can develop those APIs here, and work with those parties to polish them into something that could be broadly useful as described above.

[drahnr]

I think the first step would be to provide a C API at all and then put a stability guarantee in place (which is worthy of a separate discussion)