that's what yum and rpm do on install. it verifies the gpg signature, and that the header data matches the payload.
if yum is complaining, then either the gpg signature is invalid, or the payload doesn't match the header data.
it's nearly always the latter.
and that simply means you've either got a bad download, or one of the mirrors didn't sync correctly.
since the mirrors used for mirrorlist are largely not controlled by the project, that happens from time to time.
if you want, the easy way is download a copy of the rpm from multiple mirrors, and compare the checksum of them via md5sum or sha256sum or similar.
mirrors.kernel.org for example, and then compare that against the bad copy that might be stored in /var/cache/yum/ somewhere before you do a 'yum clean all'