The Java RPM packages should be signed using a GPG key. This is the convention for RPM packages. The public key should also be available for download. This allows users to verify that the RPM packages are genuine Sun Java packages, and have not been corrupted or forged.