Red Hat OpenShift Dev Spaces (formerly CodeReady Workspaces) / CRW-1348

Verify containers contain only signed RPMs - notify weekly if problems found


      It was discovered last night that the configbump image includes an unsigned rpm in its payload, which prevents pushing it to stage via the errata https://errata.devel.redhat.com/advisory/59644

      After discussion with Chris O in https://projects.engineering.redhat.com/browse/SPMM-2640, I've started working on a tool to check all our latest NVRs for unsigned content.

      TODOs:

      • figure out how to build intellij image in a Brew-compliant way - see CRW-1587
      • run check-rpm-signatures job at intervals (let's start with weekly runs) so we never accidentally end up with unreleasable content in Errata
      • run check-rpm-signatures job as phase 6 when https://main-jenkins-csb-crwqe.apps.ocp4.prod.psi.redhat.com/job/CRW_CI/job/Releng/job/build-all-images_2.7/ is done? (make phase 5 block-and-wait, then run rpm check as block-and-wait too?)
      • job should notify if it finds a problem, i.e., fail the job and call util.notifyBuildFailed() to send email to responsive people (Nick, Artem, Eric?)
      • eventually we'll want a 2.7 and a 2.x job, so we can validate both releases in parallel

            aghatwal@redhat.com Amitkumar Ghatwal
            nickboldt Nick Boldt
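
One way a check like the one described in this issue could flag unsigned content and fail a job, shown as an added example (not the check-rpm-signatures job's own code). The function names, the `|`-separated listing format and the sample data are assumptions made for illustration; the listing is expected to come from an `rpm -qa --qf` query run inside the image.

```shell
#!/bin/sh
# Added example: flag packages with no signature in an rpm package listing.
# Input lines are "NVRA|sig|sig|..." as produced inside the image by e.g.:
#   rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH}|%{SIGPGP:pgpsig}|%{SIGGPG:pgpsig}|%{RSAHEADER:pgpsig}|%{DSAHEADER:pgpsig}\n'

# Print the NVRA of every package whose signature fields are all "(none)".
# gpg-pubkey-* entries are imported keys, not packages, and are skipped.
# A line with no signature fields at all is reported as unsigned (fail closed).
find_unsigned_rpms() {
  awk -F'|' '
    $0 == "" || $1 ~ /^gpg-pubkey-/ { next }
    {
      signed = 0
      for (i = 2; i <= NF; i++)
        if ($i != "" && $i != "(none)") signed = 1
      if (!signed) print $1
    }'
}

# Read a listing on stdin; return 0 when it is clean and 1 when unsigned
# packages exist, so a CI job can fail on the result.
# $1 is a label for the image (hypothetical parameter, used only in output).
check_image_listing() {
  image_label="$1"
  unsigned="$(find_unsigned_rpms)"
  if [ -n "$unsigned" ]; then
    printf 'UNSIGNED %s\n' "$image_label"
    printf '%s\n' "$unsigned" | sed 's/^/  /'
    return 1
  fi
  printf 'OK %s\n' "$image_label"
}

# Constructed sample listing (package names, key ID and dates are made up).
SAMPLE_LISTING='bash-4.4.19-12.el8.x86_64|RSA/SHA256, Tue 01 Jan 2019 00:00:00 UTC, Key ID 0123456789abcdef|(none)|RSA/SHA256, Tue 01 Jan 2019 00:00:00 UTC, Key ID 0123456789abcdef|(none)
gpg-pubkey-00000000-00000000|(none)|(none)|(none)|(none)
example-tool-1.0-1.el8.x86_64|(none)|(none)|(none)|(none)'
```

Piping `$SAMPLE_LISTING` into `check_image_listing` returns 1 and names `example-tool-1.0-1.el8.x86_64`, which is the condition a scheduled job would turn into a failed build and a notification.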