Thank you for your answer, however this does not help me.
It is actually my bad here: I incorrectly assumed that the provided RPMs were signed, which is not the case (‘rpm -kv <file>’ does not show any signature).
Do you have any plan to sign the rpm files generated for openfire? Relevant documentation here: http://ftp.rpm.org/max-rpm/s1-rpm-pgp-signing-packages.html . You will also need a gpg key pair (private key to sign, public key - which I was asking for - to distribute).
Our use-case is that we install openfire from a local repository and enforce gpgcheck. Not having a default signature means that we will have to re-sign the rpm on our side, thus deploying an rpm that can’t match any of the official sha1sum, which is suboptimal as the key won’t come from an official source but be project/context-specific instead.