RPMs (the files) are signed by someone.
rpm (the program) has a keyring of "vendors" that you trust
depending on the actual distro, by default your keyring is empty or only trusts 1 vendor
I can't remember, but I have some idea that the latest Fedora only trusted RPMs (files) signed with the Fedora key
well, the thing is, if you TRULY trust that vendor, you can add the key with "rpm --import key"
and key is the key file, or a website containing it (that means you can do "rpm --import http://www.blah.bleh/path/key.txt")