We get "corrupted"/non-correctly signed RPMs from time to time and added a mechanism to verify signatures and resign if invalid. Unfortunately sometimes rpm --addsign can return a zero exit code regardless of actual error status. Because of this we should always verify signature after signing, this way if it's invalid, we can resign it.