sharutils-4.2.1-1.6.1.i386.rpm is not signed by Redhat gpg key. Don't know about other architectures.
The corresponding SRPM isn't signed either.
Also, sharutils-4.2.1-1.5.2.i386.rpm isn't signed. I noticed, that this problem (unsigned packages in updates) occurs quite often. Do you think it would make sense to write a script that checks all the packages submitted to updates for being properly signed?
What I noticed was that the md5sum from the package (sharutils-4.2.1-1.6.1) did not match the one on the advisory web page, at least for the i386 and SRPMS. I wonder what caused this...
this has been fixed.