Description of problem: Currently the only way to verify the contents of .treeinfo or the installer images is to download the .iso and the regarding -CHECKSUM file and check it. But e.g. preupgrade does not download the .iso but the *.img files, the kernel and the .treeinfo directly from a mirror. Therefore it is also not possible to easily verify these files. I guess the preupgrade way of updating is somehow popular, therefore it should be possible to do this securely. I filed a bug against preupgrade for not verifying anything and not announcing this here: bug 509338
This bug appears to have been reported against 'rawhide' during the Fedora 12 development cycle. Changing version to '12'. More information and reason for this action is here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping
This is really a releng task item, rather than a pungi item, since pungi doesn't do the signing, releng does it after pungi is done. I've created a ticket in trac, https://fedorahosted.org/rel-eng/ticket/3761 to cover this issue.