The top-level hash is calculated for each file, then that hash is signed with the input
RSA key pair and the signed hash is appended to the array of signed hashes in the rpm
metadata. I am guessing the way we worded the proposal is a little unclear, because we call
it "the" signature when it's one rpm metadata item that's an array of
the signatures.
fs-verity, the kernel feature, operates on a per-file basis, and since the ultimate goal is
to deliver fs-verity-enabled files on the installer's system, we need each file's
signature in the rpm. At install, we call the fs-verity enable ioctl for each file,
passing in its signature to make use of the kernel authentication functionality.
I'm happy to explain the exact flow at signing and at install in more detail if that
would be helpful.
Boris
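The per-file "top-level hash" the message refers to, as an added example that is not code from Boris's message or from the rpm/fs-verity projects: it computes the fs-verity file digest for in-memory file contents and wraps it in the formatted-digest blob that the RSA key actually signs. It assumes the descriptor layout from the fs-verity kernel documentation with SHA-256 and 4096-byte blocks, and leaves the PKCS#7 signing step and the install-time enable ioctl to external tooling.

```python
"""Compute the fs-verity file digest (the per-file "top-level hash") and the
formatted digest that gets signed. Layout follows the fs-verity kernel docs:
SHA-256, 4096-byte blocks, 256-byte fsverity_descriptor."""
import hashlib
import struct

BLOCK_SIZE = 4096
FS_VERITY_HASH_ALG_SHA256 = 1  # hash algorithm id from the fs-verity UAPI
DIGEST_SIZE = 32


def _hash_block(block: bytes, salt: bytes) -> bytes:
    # Every data or tree block is zero-padded to the block size before hashing;
    # an optional salt is prepended to each block.
    return hashlib.sha256(salt + block.ljust(BLOCK_SIZE, b"\0")).digest()


def merkle_root(data: bytes, salt: bytes = b"") -> bytes:
    """Root hash of the SHA-256 Merkle tree over the file's data blocks."""
    if not data:
        return bytes(DIGEST_SIZE)  # empty file: empty tree, all-zero root
    # Level 0: one hash per data block.
    level = [_hash_block(data[i:i + BLOCK_SIZE], salt)
             for i in range(0, len(data), BLOCK_SIZE)]
    # Each higher level hashes blocks of 128 concatenated child hashes,
    # until a single hash (the root) remains. A one-block file has no levels.
    while len(level) > 1:
        packed = b"".join(level)
        level = [_hash_block(packed[i:i + BLOCK_SIZE], salt)
                 for i in range(0, len(packed), BLOCK_SIZE)]
    return level[0]


def file_digest(data: bytes, salt: bytes = b"") -> bytes:
    """SHA-256 of the 256-byte fsverity_descriptor: this is the per-file digest."""
    assert len(salt) <= 32, "fs-verity salt is at most 32 bytes"
    # version=1, hash_algorithm, log_blocksize=12 (4096), salt_size, reserved, data_size
    desc = struct.pack("<BBBBIQ", 1, FS_VERITY_HASH_ALG_SHA256, 12,
                       len(salt), 0, len(data))
    desc += merkle_root(data, salt).ljust(64, b"\0")  # root_hash[64]
    desc += salt.ljust(32, b"\0") + bytes(144)        # salt[32], reserved[144]
    assert len(desc) == 256
    return hashlib.sha256(desc).digest()


def formatted_digest(digest: bytes) -> bytes:
    """fsverity_formatted_digest: the exact bytes the signing key signs
    (as a detached PKCS#7 signature, produced by an external signing tool)."""
    return (b"FSVerity"
            + struct.pack("<HH", FS_VERITY_HASH_ALG_SHA256, len(digest))
            + digest)
```

At install time the signature over this blob is what is handed, together with the hash parameters, to the FS_IOC_ENABLE_VERITY ioctl for that file.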