sharutils-4.2.1-1.6.1.i386.rpm is not signed by Redhat gpg key.
Don't know about other architectures.
The corresponding SRPM isn't signed either.
Also, sharutils-4.2.1-1.5.2.i386.rpm isn't signed.
I noticed, that this problem (unsigned packages in updates) occurs quite often.
Do you think it would make sense to write a script that checks all the packages
submitted to updates for being properly signed?
What I noticed was that the md5sum from the package (sharutils-4.2.1-1.6.1) did
not match the one on the advisory web page, at least for the i386 and SRPMS. I
wonder what caused this...
this has been fixed.