RPM

Comment 18 for bug 635868

In , Jeff (jeff-redhat-bugs) wrote:

I've finished wiring up RSA signature checking algorithms using -lgcrypt and -lopenssl
(as well as -lbeecrypt and -lnss) @rpm5.org.

RSA/SHA1 with 4096-bit keys is verifying, and
    Requires: signature(...)
probes on clear/detached signed plaintext are all functional @rpm5.org. So the algorithms
and much of the digital signature verification implementation are correct.

re comment #7: I'm not seeing a signature tag in the tuxonice package that I have downloaded.

re comment #8: Thanks for the reproducer. I'm seeing this behavior now:

$ rpm -Kvv obsoletes-test-1-1.tillf8.noarch.rpm
D: Expected size: 2435 = lead(96)+sigs(1296)+pad(0)+data(1043)
D: Actual size: 2435
obsoletes-test-1-1.tillf8.noarch.rpm:
    Header V4 RSA/SHA512 signature: BAD, key ID 1c109517
    Header SHA1 digest: OK (b3398044a25fe5bc5e4c5bded44c0dd5d10e13db)
    MD5 digest: OK (f16dd8cfcf437beb6d467e4f652c6bbd)

So the issue for verifying RSA on *.rpm packages likely has to do with
the plaintext salting for RSA V4. There's also a chance that MD5, not
SHA1, digest is being computed for hysterical RSA V3 reasons.

Digging now ...
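Editor's added example (not Jeff's code and not rpm5.org's or rpm's implementation): the two hypotheses in the comment above, the V4 "plaintext salting" and a wrong digest algorithm, can be reproduced outside rpm. OpenPGP V3 signatures hash the data followed by the signature type and a 4-byte creation time; V4 signatures (RFC 4880 section 5.2.4) hash the data, then the hashed part of the signature packet (version through hashed subpackets), then the trailer 0x04 0xFF plus the 4-byte length of that hashed part. The block below builds both hash inputs, signs the V4 one with RSA/SHA-512 using the PKCS#1 v1.5 DigestInfo encoding from RFC 4880 section 13.1.3, and then shows that verifying with V3-style hashing, with the bare data, or with an MD5 or SHA-1 DigestInfo all come back BAD. The key pair, the sample data and the signature fields (creation time, subpacket contents) are constructed for the demo; the Miller-Rabin key generation is a toy, not production code.

```python
import hashlib
import random
import struct

# DigestInfo prefixes for EMSA-PKCS1-v1_5 (RFC 4880 section 13.1.3 / RFC 3447 section 9.2).
DIGEST_INFO = {
    "md5":    (bytes.fromhex("3020300c06082a864886f70d020505000410"), hashlib.md5),
    "sha1":   (bytes.fromhex("3021300906052b0e03021a05000414"), hashlib.sha1),
    "sha512": (bytes.fromhex("3051300d060960864801650304020305000440"), hashlib.sha512),
}


def v3_hash_input(data, sig_type, created):
    """V3 (RFC 4880 5.2.2): data, then signature type (1 byte) and creation time (4 bytes BE)."""
    return data + bytes([sig_type]) + struct.pack(">I", created)


def v4_hash_input(data, sig_type, pk_algo, hash_algo, hashed_subpackets):
    """V4 (RFC 4880 5.2.4): data, then the hashed part of the signature packet
    (version, type, pubkey algo, hash algo, 2-byte subpacket length, subpackets),
    then the trailer 0x04 0xFF and the 4-byte length of that hashed part."""
    hashed = (bytes([4, sig_type, pk_algo, hash_algo])
              + struct.pack(">H", len(hashed_subpackets)) + hashed_subpackets)
    trailer = b"\x04\xff" + struct.pack(">I", len(hashed))
    return data + hashed + trailer


def emsa_pkcs1_v15(digest_name, hash_input, k):
    """EMSA-PKCS1-v1_5: 00 01 FF..FF 00 || DigestInfo || digest, padded to k bytes."""
    prefix, ctor = DIGEST_INFO[digest_name]
    t = prefix + ctor(hash_input).digest()
    if k < len(t) + 11:
        raise ValueError("modulus too small for this digest")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def _is_probable_prime(n, rounds=32):
    """Miller-Rabin; toy key generation for the demo only."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        c = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(c):
            return c


def rsa_keygen(bits=1024):
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        n, phi = p * q, (p - 1) * (q - 1)
        if p != q and phi % e != 0 and n.bit_length() == bits:
            return n, e, pow(e, -1, phi)


def rsa_sign(priv, em):
    n, _, d = priv
    return pow(int.from_bytes(em, "big"), d, n)


def rsa_verify(pub, s, em):
    """Textbook RSA verify of an already-encoded message; True means the signature matches."""
    n, e = pub
    k = (n.bit_length() + 7) // 8
    return pow(s, e, n).to_bytes(k, "big") == em


def demo(data=b"constructed rpm header bytes", seed=7):
    """Sign a V4 RSA/SHA-512 signature, then try the wrong hash inputs and digests."""
    random.seed(seed)                      # deterministic toy key for the demo
    n, e, d = rsa_keygen(1024)
    k = 128
    sig_type, pk_algo, hash_algo, created = 0x00, 1, 10, 1284000000   # binary doc, RSA, SHA-512
    subpackets = bytes([5, 2]) + struct.pack(">I", created)           # one hashed subpacket: creation time
    v4 = v4_hash_input(data, sig_type, pk_algo, hash_algo, subpackets)
    s = rsa_sign((n, e, d), emsa_pkcs1_v15("sha512", v4, k))
    pub = (n, e)
    return {
        "v4_sha512":          rsa_verify(pub, s, emsa_pkcs1_v15("sha512", v4, k)),
        "v3_style_hashing":   rsa_verify(pub, s, emsa_pkcs1_v15("sha512", v3_hash_input(data, sig_type, created), k)),
        "plain_data_hashing": rsa_verify(pub, s, emsa_pkcs1_v15("sha512", data, k)),
        "wrong_digest_md5":   rsa_verify(pub, s, emsa_pkcs1_v15("md5", v4, k)),
        "wrong_digest_sha1":  rsa_verify(pub, s, emsa_pkcs1_v15("sha1", v4, k)),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'OK' if ok else 'BAD'}")
```

Only the first entry verifies; every other variant produces the same "signature: BAD" symptom seen in the rpm -Kvv output, which is why a BAD result alone does not tell you whether the trailer or the digest algorithm is the part that went wrong.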