Unsigned packages occasionally show up on the released versions of Fedora, but they tend to be the exception.
Unfortunately I ran across a lot of unsigned packages whie testing Fedora 11 Beta today. Apparently it's a big enough problem that the default repository is set to not check gpg signatures of packages. I tried turning it on and using the other repositories for fedora 11 , but I ran into a lot of packages that would not install because of GPG signature problems.
This seems like an important flaw to fix considering a significant fraction of rawhide users are likely to be package developers and may perhaps have access to some important servers.
I hope this was only changed due to issues regarding the switch to the new hash, and will be corrected quickly.