This trusted public key may belong to a vendor or to an individual and may itself be part of a “web of trust”. RPM does not evaluate that web of trust for you: every key you import is trusted outright, and from then on any package carrying a GPG signature made with that key is treated as authentic. The decision to import is therefore where the trust is actually established.
Having said that, here is how you import a key into your RPM trust database. To import my GPG public key, execute the following shell command as root:
rpm --import http://www.jefferyfernandez.id.au/jeffery.gpg
Note that the key is fetched over plain HTTP and that rpm --import does not check the key's fingerprint for you, so compare the fingerprint with one you obtained out of band before importing.
Having executed that command, packages signed by me are now trusted packages, because my key is in your trust database. So you can now safely install (if you wish) any packages I have uploaded to this site.
To verify that a package you have downloaded is signed by a key in the trust database and has not been altered, execute:
rpm --checksig packagename.rpm
which should give you an “OK” result similar to:
packagename.rpm: (sha1) dsa sha1 md5 gpg OK
If the signing key is not in the trust database the result is “NOT OK” and rpm names the missing key. Be aware that an unsigned package still reports OK for its digests, just without the “gpg” token in the list, so look for that token and not only for the word OK.
And finally, to list all the trusted keys in the RPM trust database, execute:
rpm -q gpg-pubkey --qf '%{name}-%{version}-%{release} --> %{summary}\n'
Each entry's version is the last eight hex digits of the key ID, the release is a hex timestamp taken from the key, and the summary carries the key owner's user ID, so you can recognise whose keys you have trusted.
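As an added example that is not part of this post, here is a small POSIX sh script tying the three steps together: it refuses to import a key whose fingerprint does not match one obtained out of band, and it treats a --checksig result as trusted only when rpm actually verified a signature rather than just the digests. The function names, the expected-fingerprint argument and the sample output lines are assumptions, not anything from the original page.

```shell
#!/bin/sh
# Added example, not code from the original post: automate the three
# steps above so that a key is only imported after its fingerprint has
# been checked, and a package is only accepted when rpm verified a
# signature (not merely the digests). All function names are
# hypothetical; the sample --checksig lines used below are constructed.

# checksig_verdict LINE
#   Classify one line of "rpm --checksig" output. Prints "trusted",
#   "unsigned" or "bad"; the exit status is 0 only for "trusted".
checksig_verdict() {
    case "$1" in
        *"NOT OK"*)
            # Digest mismatch, corrupt signature, or a signature from a
            # key that is not in the trust database (MISSING KEYS).
            echo bad; return 1 ;;
        *" OK")
            # Digests matched. Insist that a signature was verified too:
            # older rpm prints a "gpg"/"pgp" token, newer rpm prints
            # "signatures"; an unsigned package prints neither yet says OK.
            case "$1" in
                *gpg*|*pgp*|*signatures*) echo trusted; return 0 ;;
                *) echo unsigned; return 1 ;;
            esac ;;
        *)  echo bad; return 1 ;;
    esac
}

# key_fingerprint KEYFILE
#   Print the fingerprint of the first public key in an ASCII-armoured
#   key file without importing it into any keyring (needs gpg >= 2.1).
key_fingerprint() {
    gpg --with-colons --import-options show-only --import "$1" 2>/dev/null \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# trust_and_verify KEYFILE EXPECTED_FINGERPRINT PACKAGE.rpm
#   Import KEYFILE into the RPM trust database only if its fingerprint
#   matches the one obtained out of band, then check PACKAGE against it.
trust_and_verify() {
    keyfile=$1 expected=$2 pkg=$3
    actual=$(key_fingerprint "$keyfile")
    if [ "$actual" != "$expected" ]; then
        echo "refusing to import $keyfile: fingerprint $actual != $expected" >&2
        return 1
    fi
    rpm --import "$keyfile" || return 1
    # --checksig prints one line per package; take the verdict of that line.
    result=$(rpm --checksig "$pkg")
    verdict=$(checksig_verdict "$result")
    echo "$pkg: $verdict"
    [ "$verdict" = trusted ]
}

# Usage: ./rpm-trust.sh jeffery.gpg <expected fingerprint> packagename.rpm
if [ $# -eq 3 ]; then
    trust_and_verify "$@"
fi
```

The fingerprint comparison is the piece rpm --import leaves to you; the verdict function exists because a bare grep for OK would wave through an unsigned package.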