This change seems to be in effect and working for f38 and newer. I do not install rpm-plugin-ima so no extended attributes have been set on any of my systems. I am just looking to see if I can test that the files match what was signed during the build process.
In addition to
rpm -Va
is there a signature based check along the lines of
rpm --checksignatures -a