From Fedora Project Wiki

Here is the template I use for doing package reviews. You're welcome to steal from it if you find it useful. Of course, you should only use the parts of this template for the package that you're reviewing. For example, there's no real point in checking compiler flags and debuginfo generation for noarch packages.

source files match upstream:
 (I generally include the checksum from the script below)
package meets naming and versioning guidelines.
specfile is properly named, is cleanly written and uses macros consistently.
dist tag is present.
build root is correct.
 (%{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
     is the recommended value, but not the only one)
license field matches the actual license.
license is open source-compatible.
 (include one of the below)
license text not included upstream.
license text included in package.
latest version is being packaged.
BuildRequires are proper.
compiler flags are appropriate.
%clean is present.
package builds in mock.
package installs properly.
debuginfo package looks complete.
rpmlint is silent.
final provides and requires are sane:
  (paste in the rpm -qp --provides and --requires output)
%check is present and all tests pass:
  (if possible, include some info indicating a successful test suite)
  (it's OK if there's no test suite, but if one is there it should be run if possible)
no shared libraries are added to the regular linker search paths.
  (or, if shared libraries are present, make sure ldconfig is run)
owns the directories it creates.
doesn't own any directories it shouldn't.
no duplicates in %files.
file permissions are appropriate.
no scriptlets present.
  (or, if scriptlets are present, compare them against the ScriptletSnippets page)
code, not content.
documentation is small, so no -docs subpackage is necessary.
%docs are not necessary for the proper functioning of the package.
no headers.
no pkgconfig files.
no libtool .la droppings.
desktop files valid and installed properly.

A quick script to grab the upstream source and compare it to what's in an (unpacked) srpm:

mkdir source
cd source
spectool -g ../*spec
for i in *; do
  sha256sum $i
  sha256sum ../$i

A more involved script that I use do to all of my mock builds which also installs the built packages into the chroot and runs rpmlint on the built and installed packages is available from I can't promise that it will be remotely useful with any configuration besides mine, but perhaps someone will use it as a base for further hacking.