The return value is a constant, not a pointer.
The second note is confusing; suggested wording:
Initially, the array's order mirrors the order of signature fields found in the message being verified. The caller is free to rearrange this order. This is the same array passed to the prescreen and final callbacks.