diff --git a/macros.in b/macros.in
index a177c182ef..65967dd54d 100644
--- a/macros.in
+++ b/macros.in
@@ -688,7 +688,7 @@ Supplements:   (%{name} = %{version}-%{release} and langpacks-%{1})\
 %_pkgverify_level digest
 
 # Disabler flags for package verification (similar to vsflags)
-%_pkgverify_flags 0x0
+%_pkgverify_flags 0x20000
 
 # Minimize writes during transactions (at the cost of more reads) to
 # conserve eg SSD disks (EXPERIMENTAL).
diff --git a/tests/pinned/rpmsigdig.txt b/tests/pinned/rpmsigdig.txt
index 37d263d777..e4196ed32c 100644
--- a/tests/pinned/rpmsigdig.txt
+++ b/tests/pinned/rpmsigdig.txt
@@ -10,4 +10,3 @@ PAYLOADSIZEALT: (none)
     Header SHA1 digest: OK
     Payload SHA256 ALT digest: OK
     Payload SHA256 digest: OK
-    MD5 digest: OK
diff --git a/tests/rpmdb.at b/tests/rpmdb.at
index 416f61086c..5f1d5b8575 100644
--- a/tests/rpmdb.at
+++ b/tests/rpmdb.at
@@ -315,14 +315,14 @@ RPMDB_INIT
 
 RPMTEST_CHECK([
 runroot rpm -i \
-  --noscripts --nodeps --ignorearch \
+  --noscripts --nodeps --ignorearch --noverify \
   /data/RPMS/hello-1.0-1.i386.rpm
 ],
 [0])
 
 RPMTEST_CHECK([
 runroot rpm -i \
-  --noscripts --nodeps --ignorearch \
+  --noscripts --nodeps --ignorearch --noverify \
   /data/RPMS/hello-1.0-1.ppc64.rpm
 ],
 [1],
@@ -332,7 +332,7 @@ runroot rpm -i \
 
 RPMTEST_CHECK([
 runroot rpm -i \
-  --noscripts --nodeps --ignorearch --relocate=/usr=/check \
+  --noscripts --nodeps --ignorearch --noverify --relocate=/usr=/check \
   /data/RPMS/hello-1.0-1.ppc64.rpm
 ],
 [0])
@@ -355,7 +355,7 @@ AT_KEYWORDS([rpmdb])
 RPMTEST_CHECK([
 RPMDB_INIT
 
-runroot rpm -U --noscripts --nodeps --ignorearch \
+runroot rpm -U --noscripts --nodeps --ignorearch --noverify \
   /data/RPMS/hello-1.0-1.i386.rpm
 runroot rpm -qa --qf "%{nevra} %{dbinstance}\n"
 runroot rpm -U --noscripts --nodeps --ignorearch \
diff --git a/tests/rpmsigdig.at b/tests/rpmsigdig.at
index 5230391135..995fa0e0c4 100644
--- a/tests/rpmsigdig.at
+++ b/tests/rpmsigdig.at
@@ -19,17 +19,18 @@ runroot rpmkeys -Kv /data/RPMS/hello-2.0-1.x86_64.rpm
     Header SHA256 digest: OK
     Header SHA1 digest: OK
     Payload SHA256 digest: OK
-    MD5 digest: OK
 ],
 [])
 
 RPMTEST_CHECK([
 runroot rpmkeys -Kv /data/RPMS/hello-1.0-1.i386.rpm
 ],
-[0],
+[1],
 [/data/RPMS/hello-1.0-1.i386.rpm:
     Header SHA1 digest: OK
-    MD5 digest: OK
+    Payload SHA256 digest: NOTFOUND
+    Payload SHA256 ALT digest: NOTFOUND
+    MD5 digest: NOTFOUND
 ],
 [])
 RPMTEST_CLEANUP
@@ -64,13 +65,23 @@ runroot rpmkeys -Kv /tmp/hello-c.rpm
     Header SHA256 digest: OK
     Header SHA1 digest: OK
     Payload SHA256 digest: OK
-    MD5 digest: OK
 ],
 [])
 
 RPMTEST_CHECK([
 runroot rpmkeys -Kv /tmp/hello-uc.rpm
 ],
+[0],
+[/tmp/hello-uc.rpm:
+    Header SHA256 digest: OK
+    Header SHA1 digest: OK
+    Payload SHA256 ALT digest: OK
+],
+[])
+
+RPMTEST_CHECK([
+runroot rpmkeys --define "_pkgverify_flags 0" -Kv /tmp/hello-uc.rpm
+],
 [1],
 [/tmp/hello-uc.rpm:
     Header SHA256 digest: OK
@@ -82,10 +93,9 @@ runroot rpmkeys -Kv /tmp/hello-uc.rpm
 RPMTEST_CLEANUP
 
 # ------------------------------
-# Test corrupted package verification (corrupted signature)
+# Test corrupted package verification (corrupted md5 hash in signature)
 AT_SETUP([rpmkeys -Kv <corrupted unsigned> 1])
 AT_KEYWORDS([rpmkeys digest])
-RPMTEST_CHECK([
 RPMDB_INIT
 
 pkg="hello-2.0-1.x86_64.rpm"
@@ -93,8 +103,21 @@ cp "${RPMTEST}"/data/RPMS/${pkg} "${RPMTEST}"/tmp/${pkg}
 # conv=notrunc bs=1 seek=261 count=6 2> /dev/null
 dd if=/dev/zero of="${RPMTEST}"/tmp/${pkg} \
    conv=notrunc bs=1 seek=333 count=4 2> /dev/null
+
+RPMTEST_CHECK([
 runroot rpmkeys -Kv /tmp/${pkg}
 ],
+[0],
+[/tmp/hello-2.0-1.x86_64.rpm:
+    Header SHA256 digest: OK
+    Header SHA1 digest: OK
+    Payload SHA256 digest: OK
+],
+[])
+
+RPMTEST_CHECK([
+runroot rpmkeys -Kv --define "_pkgverify_flags 0" /tmp/${pkg}
+],
 [1],
 [/tmp/hello-2.0-1.x86_64.rpm:
     Header SHA256 digest: OK
@@ -122,7 +145,7 @@ runroot rpmkeys -Kv /tmp/${pkg}
     Header SHA256 digest: BAD (Expected ef920781af3bf072ae9888eec3de1c589143101dff9cc0b561468d395fb766d9 != 29fdfe92782fb0470a9a164a6c94af87d3b138c63b39d4c30e0223ca1202ba82)
     Header SHA1 digest: BAD (Expected 5cd9874c510b67b44483f9e382a1649ef7743bac != 4261b2c1eb861a4152c2239bce20bfbcaa8971ba)
     Payload SHA256 digest: OK
-    MD5 digest: BAD (Expected 137ca1d8b35cca02a1854ba301c5432e != de65519eeb4ab52eb076ec054d42e34e)
+    MD5 digest: NOTFOUND
 ],
 [])
 RPMTEST_CLEANUP
@@ -146,7 +169,7 @@ runroot rpmkeys -Kv /tmp/${pkg}
     Header SHA1 digest: OK
     Payload SHA256 digest: BAD (Expected 84a7338287bf19715c4eed0243f5cdb447eeb0ade37b2af718d4060aefca2f7c != bea903609dceac36e1f26a983c493c98064d320fdfeb423034ed63d649b2c8dc)
     Payload SHA256 ALT digest: NOTFOUND
-    MD5 digest: BAD (Expected 137ca1d8b35cca02a1854ba301c5432e != d662cd0d81601a7107312684ad1ddf38)
+    MD5 digest: NOTFOUND
 ],
 [])
 RPMTEST_CLEANUP
@@ -328,7 +351,6 @@ runroot rpmkeys --define '_pkgverify_level all' -Kv --nosignature /data/RPMS/hel
     Payload SHA256 digest: OK
     RSA signature: NOTFOUND
     DSA signature: NOTFOUND
-    MD5 digest: OK
 1
 Importing key:
 0
@@ -340,7 +362,6 @@ Checking package after importing key:
     Header SHA256 digest: OK
     Header SHA1 digest: OK
     Payload SHA256 digest: OK
-    MD5 digest: OK
 0
 Checking package after importing key, no digest:
 /data/RPMS/hello-2.0-1.x86_64-signed-with-subkey.rpm:
@@ -355,7 +376,6 @@ Checking package after importing key, no signature:
     Header SHA256 digest: OK
     Header SHA1 digest: OK
     Payload SHA256 digest: OK
-    MD5 digest: OK
 0
 ]],
 [])
@@ -392,7 +412,6 @@ runroot rpmkeys --define '_pkgverify_level all' -Kv --nosignature /data/RPMS/hel
     Payload SHA256 digest: OK
     RSA signature: NOTFOUND
     DSA signature: NOTFOUND
-    MD5 digest: OK
 1
 Importing key:
 0
@@ -412,7 +431,6 @@ RPMOUTPUT_SEQUOIA([      because: Expired on 2022-04-12T00:00:15Z])dnl
     Payload SHA256 digest: OK
     RSA signature: NOTFOUND
     DSA signature: NOTFOUND
-    MD5 digest: OK
 1
 Checking package after importing key, no digest:
 /data/RPMS/hello-2.0-1.x86_64-signed-with-subkey.rpm:
@@ -431,7 +449,6 @@ Checking package after importing key, no signature:
     Header SHA256 digest: OK
     Header SHA1 digest: OK
     Payload SHA256 digest: OK
-    MD5 digest: OK
 0
 ],
 [])
@@ -468,7 +485,6 @@ runroot rpmkeys --define '_pkgverify_level all' -Kv --nosignature /data/RPMS/hel
     Payload SHA256 digest: OK
     RSA signature: NOTFOUND
     DSA signature: NOTFOUND
-    MD5 digest: OK
 1
 Importing key:
 0
@@ -486,7 +502,6 @@ RPMOUTPUT_SEQUOIA([  Key 1F71177215217EE0 is invalid: key is revoked])dnl
     Payload SHA256 digest: OK
     RSA signature: NOTFOUND
     DSA signature: NOTFOUND
-    MD5 digest: OK
 1
 Checking package after importing key, no digest:
 /data/RPMS/hello-2.0-1.x86_64-signed-with-subkey.rpm:
@@ -503,7 +518,6 @@ Checking package after importing key, no signature:
     Header SHA256 digest: OK
     Header SHA1 digest: OK
     Payload SHA256 digest: OK
-    MD5 digest: OK
 0
 ],
 [])
@@ -679,7 +693,6 @@ runroot rpmkeys -Kv --nosignature /data/RPMS/hello-2.0-1.x86_64-signed.rpm; echo
     Header SHA1 digest: OK
     Payload SHA256 digest: OK
     V3 RSA/SHA256 Signature, key ID 1964c5fc: NOKEY
-    MD5 digest: OK
 1
 /data/RPMS/hello-2.0-1.x86_64-signed.rpm:
     Header V4 RSA/SHA256 Signature, key ID 1964c5fc: NOKEY
@@ -687,7 +700,6 @@ runroot rpmkeys -Kv --nosignature /data/RPMS/hello-2.0-1.x86_64-signed.rpm; echo
     Header SHA1 digest: OK
     Payload SHA256 digest: OK
     V4 RSA/SHA256 Signature, key ID 1964c5fc: NOKEY
-    MD5 digest: OK
 1
 0
 /data/RPMS/hello-2.0-1.x86_64-v3-signed.rpm:
@@ -696,7 +708,6 @@ runroot rpmkeys -Kv --nosignature /data/RPMS/hello-2.0-1.x86_64-signed.rpm; echo
     Header SHA1 digest: OK
     Payload SHA256 digest: OK
     V3 RSA/SHA256 Signature, key ID 1964c5fc: OK
-    MD5 digest: OK
 0
 /data/RPMS/hello-2.0-1.x86_64-signed.rpm:
     Header V4 RSA/SHA256 Signature, key ID 1964c5fc: OK
@@ -704,7 +715,6 @@ runroot rpmkeys -Kv --nosignature /data/RPMS/hello-2.0-1.x86_64-signed.rpm; echo
     Header SHA1 digest: OK
     Payload SHA256 digest: OK
     V4 RSA/SHA256 Signature, key ID 1964c5fc: OK
-    MD5 digest: OK
 0
 /data/RPMS/hello-2.0-1.x86_64-v3-signed.rpm:
     Header V3 RSA/SHA256 Signature, key ID 1964c5fc: OK
@@ -718,13 +728,11 @@ runroot rpmkeys -Kv --nosignature /data/RPMS/hello-2.0-1.x86_64-signed.rpm; echo
     Header SHA256 digest: OK
     Header SHA1 digest: OK
     Payload SHA256 digest: OK
-    MD5 digest: OK
 0
 /data/RPMS/hello-2.0-1.x86_64-signed.rpm:
     Header SHA256 digest: OK
     Header SHA1 digest: OK
     Payload SHA256 digest: OK
-    MD5 digest: OK
 0
 ],
 [])
@@ -758,7 +766,6 @@ RPMOUTPUT_SEQUOIA([      because: Malformed MPI: leading bit is not set: expecte
     Header SHA1 digest: OK
     Payload SHA256 digest: OK
     V4 RSA/SHA256 Signature, key ID 1964c5fc: NOKEY
-    MD5 digest: OK
 /tmp/hello-2.0-1.x86_64-signed.rpm:
 RPMOUTPUT_LEGACY([    Header RSA signature: BAD (package tag 268: invalid OpenPGP signature: Signature without creation time)])dnl
 RPMOUTPUT_SEQUOIA([    Header RSA signature: BAD (package tag 268: invalid OpenPGP signature: Parsing an OpenPGP packet:])dnl
@@ -769,7 +776,6 @@ RPMOUTPUT_SEQUOIA([      because: Malformed MPI: leading bit is not set: expecte
     Header SHA1 digest: OK
     Payload SHA256 digest: OK
     V4 RSA/SHA256 Signature, key ID 1964c5fc: OK
-    MD5 digest: OK
 ],
 [])
 RPMTEST_CLEANUP
@@ -798,14 +804,14 @@ runroot rpmkeys -Kv /tmp/${pkg}
     Header SHA1 digest: BAD (Expected 5cd9874c510b67b44483f9e382a1649ef7743bac != fe227d93273221c252c6bb45e67a8489fcb48f88)
     Payload SHA256 digest: OK
     V3 RSA/SHA256 Signature, key ID 1964c5fc: BAD
-    MD5 digest: BAD (Expected 137ca1d8b35cca02a1854ba301c5432e != b2981e215576c2142676d9b1e0902075)
+    MD5 digest: NOTFOUND
 /tmp/hello-2.0-1.x86_64-v3-signed.rpm:
     Header V3 RSA/SHA256 Signature, key ID 1964c5fc: BAD
     Header SHA256 digest: BAD (Expected ef920781af3bf072ae9888eec3de1c589143101dff9cc0b561468d395fb766d9 != 63a0502eb7f5eaa07d43fe8fa805665b86e58d53db38ccf625bbbf01e3cd67ab)
     Header SHA1 digest: BAD (Expected 5cd9874c510b67b44483f9e382a1649ef7743bac != fe227d93273221c252c6bb45e67a8489fcb48f88)
     Payload SHA256 digest: OK
     V3 RSA/SHA256 Signature, key ID 1964c5fc: BAD
-    MD5 digest: BAD (Expected 137ca1d8b35cca02a1854ba301c5432e != b2981e215576c2142676d9b1e0902075)
+    MD5 digest: NOTFOUND
 ],
 [])
 RPMTEST_CLEANUP
@@ -833,14 +839,14 @@ runroot rpmkeys -Kv /tmp/${pkg}
     Header SHA1 digest: BAD (Expected 5cd9874c510b67b44483f9e382a1649ef7743bac != 4261b2c1eb861a4152c2239bce20bfbcaa8971ba)
     Payload SHA256 digest: OK
     V4 RSA/SHA256 Signature, key ID 1964c5fc: BAD
-    MD5 digest: BAD (Expected 137ca1d8b35cca02a1854ba301c5432e != de65519eeb4ab52eb076ec054d42e34e)
+    MD5 digest: NOTFOUND
 /tmp/hello-2.0-1.x86_64-signed.rpm:
     Header V4 RSA/SHA256 Signature, key ID 1964c5fc: BAD
     Header SHA256 digest: BAD (Expected ef920781af3bf072ae9888eec3de1c589143101dff9cc0b561468d395fb766d9 != 29fdfe92782fb0470a9a164a6c94af87d3b138c63b39d4c30e0223ca1202ba82)
     Header SHA1 digest: BAD (Expected 5cd9874c510b67b44483f9e382a1649ef7743bac != 4261b2c1eb861a4152c2239bce20bfbcaa8971ba)
     Payload SHA256 digest: OK
     V4 RSA/SHA256 Signature, key ID 1964c5fc: BAD
-    MD5 digest: BAD (Expected 137ca1d8b35cca02a1854ba301c5432e != de65519eeb4ab52eb076ec054d42e34e)
+    MD5 digest: NOTFOUND
 ],
 [])
 RPMTEST_CLEANUP
@@ -870,7 +876,7 @@ runroot rpmkeys -Kv /tmp/${pkg}
     Payload SHA256 digest: BAD (Expected 84a7338287bf19715c4eed0243f5cdb447eeb0ade37b2af718d4060aefca2f7c != bea903609dceac36e1f26a983c493c98064d320fdfeb423034ed63d649b2c8dc)
     Payload SHA256 ALT digest: NOTFOUND
     V4 RSA/SHA256 Signature, key ID 1964c5fc: BAD
-    MD5 digest: BAD (Expected 137ca1d8b35cca02a1854ba301c5432e != d662cd0d81601a7107312684ad1ddf38)
+    MD5 digest: NOTFOUND
 /tmp/hello-2.0-1.x86_64-signed.rpm:
     Header V4 RSA/SHA256 Signature, key ID 1964c5fc: OK
     Header SHA256 digest: OK
@@ -879,7 +885,7 @@ runroot rpmkeys -Kv /tmp/${pkg}
     Payload SHA256 ALT digest: NOTFOUND
     V4 RSA/SHA256 Signature, key ID 1964c5fc: BAD
     DSA signature: NOTFOUND
-    MD5 digest: BAD (Expected 137ca1d8b35cca02a1854ba301c5432e != d662cd0d81601a7107312684ad1ddf38)
+    MD5 digest: NOTFOUND
 ],
 [])
 RPMTEST_CLEANUP
@@ -1038,6 +1044,8 @@ run rpmsign --key-id 1964C5FC --digest-algo sha256 --addsign "${RPMTEST}"/tmp/he
 [])
 
 # rpmsign --addsign corrupted md5 hash
+# This is behaves counter-intuitively / is buggy if md5 verification is
+# disabled, see https://github.com/rpm-software-management/rpm/issues/3291
 RPMTEST_CHECK([
 RPMDB_INIT
 
@@ -1045,7 +1053,7 @@ pkg="hello-2.0-1.x86_64.rpm"
 cp "${RPMTEST}"/data/RPMS/${pkg} "${RPMTEST}"/tmp/${pkg}
 dd if=/dev/zero of="${RPMTEST}"/tmp/${pkg} \
    conv=notrunc bs=1 seek=333 count=4 2> /dev/null
-runroot rpmsign --key-id 1964C5FC --digest-algo sha256 --addsign "/tmp/${pkg}"
+runroot rpmsign --define "_pkgverify_flags 0" --key-id 1964C5FC --digest-algo sha256 --addsign "/tmp/${pkg}"
 ],
 [1],
 [/tmp/hello-2.0-1.x86_64.rpm:
@@ -1054,7 +1062,7 @@ runroot rpmsign --key-id 1964C5FC --digest-algo sha256 --addsign "/tmp/${pkg}"
 ])
 
 RPMTEST_CHECK([
-runroot rpmkeys -Kv /tmp/hello-2.0-1.x86_64.rpm
+runroot rpmkeys -Kv --define "_pkgverify_flags 0" /tmp/hello-2.0-1.x86_64.rpm
 ],
 [1],
 [/tmp/hello-2.0-1.x86_64.rpm:
@@ -1090,7 +1098,7 @@ runroot rpmkeys -Kv /tmp/hello-2.0-1.x86_64.rpm
     Header SHA1 digest: OK
     Payload SHA256 digest: BAD (Expected 84a7338287bf19715c4eed0243f5cdb447eeb0ade37b2af718d4060aefca2f7c != bea903609dceac36e1f26a983c493c98064d320fdfeb423034ed63d649b2c8dc)
     Payload SHA256 ALT digest: NOTFOUND
-    MD5 digest: BAD (Expected 137ca1d8b35cca02a1854ba301c5432e != d662cd0d81601a7107312684ad1ddf38)
+    MD5 digest: NOTFOUND
 ],
 [])
 gpgconf --kill gpg-agent