Would be nice to also have a cli version. :)

It should probably also remove signature from the RPM itself. In case of mock's sign plugin is used - even "unsigned version" is actually signed. Not sure how it is when RPM gets signed via robosignature or other solutions.

/mnt/koji/packages/kernel-lt/5.4.111/1.el7.gdc/x86_64/kernel-lt-5.4.111-1.el7.gdc.x86_64.rpm:
    Header V4 DSA/SHA1 Signature, key ID 10165ea6: OK
    Header SHA1 digest: OK
    V4 DSA/SHA1 Signature, key ID 10165ea6: OK
    MD5 digest: OK

PR 2946

It should probably also remove signature from the RPM itself. In case of mock's sign plugin is used - even "unsigned version" is actually signed. Not sure how it is when RPM gets signed via robosignature or other solutions.

The primary rpm is not technically the "unsigned" copy. It is simply the original copy of the rpm that Koji received. While the case you are talking about is certainly something we should think about, we should definitely not modify build files like this. Builds are intended to be immutable.

In terms of process and usability, I don't see any problems with having such signatures in the original copy but not in the signature cache.

Note that this feature is only intended to be used rarely for problem cases. If this call needs to be used, then something has gone wrong with the signing process. This call provides a quick workaround (mistakes happen), but should not be used routinely.

Final updated (and tested) version in #2965.

Commit f0cad50 fixes this issue

Commit fb8cfc5 fixes this issue