Hi,
I was thinking about a test to find the source of all of binaries in an image (cloud/atomic). One person was working on a patch, but I need more eyes on the PR[1], and provide him more ideas. May be verifying all the rpms are signed or not can be another test in the same front.
[1] https://github.com/kushaldas/tunirtests/pull/43
Kushal