For a given mirror without index.json cache available, we want to minimize the worst-case number of requests to check for existence of a spec.

We used to check at most three files: spec.yaml, spec.json, spec.json.sig.

Since 0.20.0.dev0 we only check two: spec.json, spec.json.sig.

From 0.21.0 this should be only one: spec.json.

The way to accomplish this is to allow for optionally clearsigned spec.json files: Spack simply peeks into the file and drops the PGP header/footer if it's there, otherwise considers it pure json.

To maximize compatibility, my proposal is to:

1. Land a change in 0.20.0.dev0 that allows spec.json files to be clearsigned. Allow spec.json files to be clearsigned, use transparent compression for *.json #34490
2. Backport this to 0.19.1
3. Land a change on 0.20.0.dev0 that uploads generated spec.json.sig files both as spec.json and spec.json.sig.
4. Deprecate spec.json.sig in 0.20.0
5. Remove uploads and downloads of spec.json.sig in 0.21.0

That way:

• Spack 0.19.0 can work with buildcaches created by Spack 0.19 (it won't be able to handle clearsigned spec.json files)
• Spack 0.19.1 can work with buildcaches created by Spack 0.19 / 0.20 / 0.21
• Spack 0.21 can work with buildcaches created by Spack 0.20 (but not 0.19).