ci(release-rpm): accept V4 header signatures in verify step

[fcostaoliveira]

Summary

The 2.3.1 release's `publish-to-yum` job kept failing at step 6 ("Verify RPM signatures") with:

```
##[error]RPM unsigned: rpms/.../memtier-benchmark-2.3.1-...rpm (SIGPGP=(none))
```

Failed run: https://github.com/redis/memtier_benchmark/actions/runs/25388333208/job/74456580707

The build matrix actually signs the RPMs correctly — the verify step's check is what's broken:

```bash
sig=$(rpm -qp --queryformat '%{SIGPGP:pgpsig}\n' "$rpm_file")
if [ "$sig" = "(none)" ] || [ -z "$sig" ]; then
echo "::error::RPM unsigned: $rpm_file (SIGPGP=$sig)"
```

`rpm --addsign` on rpm >= 4.13 produces a V4 header signature stored in `%{RSAHEADER}` / `%{DSAHEADER}`. The legacy `%{SIGPGP}` tag stays `(none)` on V4-signed packages, so this query falsely reports modern RPMs as unsigned. `rpm -K` confirms the actual signature is fine: `Header V4 RSA/SHA512 Signature, key ID bf53aa0c: OK` (after the public key is imported, which step 6 does).

This bug was never tripped before because PR #338 added `release-rpm.yml` but its `publish-to-yum` job is gated on `event_name == 'release'` — it only runs when an actual release is published, and 2.3.0 predated this workflow. The 2.3.1 release was the first end-to-end exercise.

Change

Replace the `SIGPGP` query with `rpm -Kv` parsing. `rpm -Kv` prints a per-component verification line and exits 0 only when every component verifies. Match against `'Header V[34] (RSA|DSA)/.*: OK'` to accept both V3 (legacy SIGPGP) and V4 (RSAHEADER/DSAHEADER) signatures, and explicitly reject `NOKEY / NOTTRUSTED / BAD` outcomes to preserve the safety net the original script intended.

Test plan

• Verified the regex matches the actual `rpm -Kv` output captured from the failing run for el8/el9/el10/amzn2023 × x86_64/aarch64.
• After merge, re-fire the 2.3.1 publish path and confirm `publish-to-yum` step 6 passes and steps 7-12 actually run.

Sibling PR

Same fix needs to land on the `2.3` release branch so 2.3.1 (and future 2.3.x patches) can publish to YUM. I'll open the cherry-pick after this lands.

🤖 Generated with Claude Code

---

Note

Medium Risk
Touches the release publishing workflow’s RPM signature verification logic; a regex/command mismatch could either fail legitimate releases or (less likely) allow a bad signature to slip through.

Overview
Fixes the publish-to-yum workflow’s RPM signature verification to handle modern V4 header signatures produced by rpm --addsign.

The verify step now captures rpm -Kv output per RPM and greps for an Header V3/V4 RSA/DSA ...: OK line, while explicitly flagging NOKEY/NOTTRUSTED/BAD cases, instead of relying on the legacy %{SIGPGP} tag which reports (none) for V4-signed packages.

^{Reviewed by Cursor Bugbot for commit 13983e6. Bugbot is set up for automated code reviews on this repo. Configure here.}

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{Reviewed by Cursor Bugbot for commit 1282f84. Configure here.}