Description
The package signing code in pulp_rpm expects the signing service to return the file path as "rpm_package", but it doesn't look like it uses it. Instead, it expects the original file to be signed. This is sort of at odds with how package signing works, since it uses the "signature" value returned by the signing service. Even pulp_deb, which has files with embedded signatures, does this.
I think that pulp_rpm expects users to be using rpmsign which signs the file in place and thus using the original file path location makes sense. But this is not true for us. We hand the rpm file over to a service to be signed, and then the file is returned via an API call and stored at a new location.
Using "rpm_package" instead of expecting the original file to be signed would give users greater flexibility. Users can still update the existing file if they choose to and just return the original file path as "rpm_package". I also think that using "rpm_package" is more consistent with how metadata signing works.
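As an added illustration (not pulp_rpm's code), the consumer-side logic the issue asks for: honour the "rpm_package" path from the signing service's JSON output, which may point at a new location, and fall back to the original path when the key is absent so in-place rpmsign workflows keep working. It assumes only the two keys named above; the file contents and paths are constructed.

```python
import json
import tempfile
from pathlib import Path


def select_signed_package(service_output: str, original: Path) -> Path:
    """Return the file to import as the signed RPM (hypothetical helper).

    Prefers "rpm_package" from the service's JSON output over the original
    path; both the package and the detached "signature" must exist, so a
    half-finished signing run fails here rather than at publish time.
    """
    response = json.loads(service_output)
    signed = Path(response.get("rpm_package", original))
    if not signed.is_file():
        raise FileNotFoundError(f"signing service returned missing rpm_package: {signed}")
    signature = response.get("signature")
    if signature is None or not Path(signature).is_file():
        raise FileNotFoundError(f"signing service did not produce a usable signature: {signature}")
    return signed


def demo() -> dict:
    """Exercise both workflows with constructed files (no real RPMs or keys)."""
    with tempfile.TemporaryDirectory() as tmp:
        original = Path(tmp, "foo-1.0.rpm")
        original.write_bytes(b"constructed unsigned rpm bytes")
        sig = Path(tmp, "foo-1.0.rpm.asc")
        sig.write_text("constructed detached signature")

        # rpmsign-style: signed in place, service echoes the original path.
        in_place = json.dumps({"rpm_package": str(original), "signature": str(sig)})

        # Remote-service style: the signed copy lands at a new location.
        relocated = Path(tmp, "signed", "foo-1.0.rpm")
        relocated.parent.mkdir()
        relocated.write_bytes(b"constructed signed rpm bytes")
        remote = json.dumps({"rpm_package": str(relocated), "signature": str(sig)})

        # Legacy output without "rpm_package": fall back to the original file.
        legacy = json.dumps({"signature": str(sig)})

        return {
            "in_place_is_original": select_signed_package(in_place, original) == original,
            "remote_is_relocated": select_signed_package(remote, original) == relocated,
            "legacy_is_original": select_signed_package(legacy, original) == original,
        }
```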