The package rpm-3.0.1-12.5.2.i386.rpm from ftp.rpm.org is signed using PGP key 0x73B83325, but it is not clear where to get the public key for the verification - public keyservers do not have it and I could not find it on ftp.rpm.org.
This issue has been forwarded to a developer for further action.
The rpm-3.0.1-12.5.2.i386.rpm is now signed by _two_ keys that do not exist on keyservers: 0x73B83325 and 0x1759C6EC. However, there are several newer packages that are properly signed, so I am closing this report.