https://bugzilla.redhat.com/show_bug.cgi?id=1421041
--- Comment #8 from Zbigniew Jędrzejewski-Szmek zbyszek@in.waw.pl --- The GPG key is for the user to know that they can trust the package origin, not for the rpm package to trust anything.
%pre %post %postun are run with a fixed path (see "rpmbuild --eval %_install_script_path"), and they don't need to use full paths for executables in that path. (I know it's traditional to e.g. use /sbin/ldconfig and such, but there's no consistency, and use just the binary name would work just as well.)