We use a GPG key to sign our software packages. Normally yum and rpm transparently use the GPG signatures to verify the packages have not been corrupted and were created by us. You get our GPG public key when you install the osg-release RPM.
If you wish to verify one of our RPMs manually, you can run the following, where name.rpm is the package file:
[user@client ~]$ rpm --checksig -v name.rpm
For example:
[user@client ~]$ rpm --checksig -v globus-core-8.0-2.osg.x86_64.rpm
Header V3 DSA signature: OK, key ID 824b8603
Header SHA1 digest: OK (2b5af4348c548c27f10e2e47e1ec80500c4f85d7)
MD5 digest: OK (d11503a229a1a0e02262034efe0f7e46)
V3 DSA signature: OK, key ID 824b8603
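
rpm --checksig also reports OK for a package that carries only digests and no signature, so a scripted check should confirm that a signature line is present and names the expected key ID. The script below is an added example, not part of the original page or OSG tooling: check_rpm_sig_output is a hypothetical helper that parses the output format shown above (and the newer "Signature, key ID ...: OK" layout), run here on constructed input.

```shell
#!/bin/sh
# Added example (not OSG code). Reads `rpm --checksig -v` output on stdin and
# succeeds only if every reported check is OK and at least one signature was
# made by the expected key ID (first argument, case-insensitive).
# Real use: rpm --checksig -v name.rpm | check_rpm_sig_output 824b8603
check_rpm_sig_output() {
    awk -v want="$(printf '%s' "$1" | tr 'A-F' 'a-f')" '
        { line = tolower($0) }
        # Skip the "name.rpm:" header line and anything that is not a result.
        line ~ /:[ \t]*$/ { next }
        line !~ /signature|digest/ { next }
        # Anything other than OK (BAD, NOKEY, NOTTRUSTED, ...) fails the package.
        line !~ /: ok( |,|$)/ { bad = 1; next }
        line ~ /signature/ {
            # Handles "signature: OK, key ID X" and "Signature, key ID X: OK".
            if (match(line, /key id [0-9a-f]+/) &&
                substr(line, RSTART + 7, RLENGTH - 7) == want)
                good++
            else
                bad = 1
        }
        END { exit ((bad || good == 0) ? 1 : 0) }
    '
}

# Demo on constructed input: the output shown on this page, then the same
# output with the signature lines removed (what an unsigned package yields).
signed='Header V3 DSA signature: OK, key ID 824b8603
Header SHA1 digest: OK (2b5af4348c548c27f10e2e47e1ec80500c4f85d7)
MD5 digest: OK (d11503a229a1a0e02262034efe0f7e46)
V3 DSA signature: OK, key ID 824b8603'
unsigned=$(printf '%s\n' "$signed" | grep -v signature)
for sample in "$signed" "$unsigned"; do
    if printf '%s\n' "$sample" | check_rpm_sig_output 824b8603; then
        echo "ACCEPT"
    else
        echo "REJECT"
    fi
done
```

The demo prints ACCEPT for the signed sample and REJECT for the digest-only one.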