Anaconda should check the signatures on the packages it installs.
Hey, this is a dupe of bug 18705 which was closed wontfix! :)
msf, what do you think about this? Should we do this, and if so, only for the
download version or for the retail version as well?
Where are we supposed to get the gpg key from in a reliable way? I guess we
could stuff it into the stage2, but that would be extremely inconvenient for any
of the many people who modify install trees at all.. and we're trying to make
their lives easier, not harder.
Checking the md5sum of the package is easy enough I guess...
Checking the md5sum gives us little to no gain and there's no good way to really
get the key. See anaconda-list for more details.