RPM

Comment 15 for bug 910708

Jeff Johnson (n3npq) wrote :

Hmmm ... there's also something specific in this bug to
the ordering in which the package signatures are verified.

A simple loop doesn't reproduce the flaw:
     for i in *.rpm; do echo "$i --"; rpm -Kvv "$i"; done

That the pubkeys are cached, to address concerns about rpm
doing network (or rpmdb) retrievals, is the reason for the different
behavior imho.

Off to find valgrind to repair the flaw: I predict that it will also be
dependent on the order in which the 4 pkg signatures are verified
(and I will undertake the testing to confirm that guess).