Previously Keykeeper had a faulty verify check, where `rpm --checksig` didn't actually work because the RPM key was never imported. This would normally be caught but the TaskSignature creation was done after every signature without a transaction. That led to the activity succeeding next launch with either a faulty signed RPM or a correctly signed RPM.
We caught all instances of this by verifying signature of all artifacts during compose, but it was an annoying problem that we would run into occasionally. This should fix that.
We get "corrupted"/non-correctly signed RPMs from time to time and added a mechanism to verify signatures and resign if invalid. Unfortunately sometimes rpm --addsign can return a zero exit code regardless of actual error status. Because of this we should always verify signature after signing, this way if it's invalid, we can resign it.