When using rpm --verify to check files created during the installation of RPM packages, the following information is taken into consideration:

Timestamps. RPM compares the modification time of the installed files with the original time stored in the RPM database. If the file has been modified after installation, the timestamp will differ and RPM will report it with an M flag1.

MD5 checksums. RPM calculates the MD5 checksum of the installed files and compares it with the original checksum stored in the RPM database. If the file has been altered in any way, the checksum will differ and RPM will report it with an 5 flag1.

File sizes. RPM compares the size of the installed files with the original size stored in the RPM database. If the file has been truncated or appended, the size will differ and RPM will report it with an S flag1.

RPM does not take into consideration the following information:

Inodes. RPM does not check the inode number of the installed files, as it is not a reliable indicator of file identity. The inode number can change if the file is moved, copied, or restored from a backup2.

GnuPG signatures. RPM does not verify the GnuPG signatures of the installed files, as they are not part of the RPM package format. The GnuPG signatures are used to verify the authenticity and integrity of the RPM package files before installation, not after3.

References:

Using RPM to Verify Installed Packages

inode(7) - Linux manual page

RPM and GPG: How to verify Linux packages before installing them