diff --git a/lib/rubygems/package.rb b/lib/rubygems/package.rb
index 82abcd0..d56316e 100644
--- a/lib/rubygems/package.rb
+++ b/lib/rubygems/package.rb
@@ -518,8 +518,6 @@ EOM
 when /\.sig$/ then
 @signatures[$`] = entry.read if @security_policy
 next
- when 'checksums.yaml.gz' then
- next # already handled
 else
 digest entry
 end
diff --git a/test/rubygems/test_gem_package.rb b/test/rubygems/test_gem_package.rb
index d08f46d..1e9603c 100644
--- a/test/rubygems/test_gem_package.rb
+++ b/test/rubygems/test_gem_package.rb
@@ -511,6 +511,24 @@ class TestGemPackage < Gem::Package::TarTestCase
 assert_empty package.instance_variable_get(:@files), '@files must empty'
 end
 
+ def test_verify_security_policy_low_security
+ @spec.cert_chain = [PUBLIC_CERT.to_pem]
+ @spec.signing_key = PRIVATE_KEY
+
+ FileUtils.mkdir_p 'lib'
+ FileUtils.touch 'lib/code.rb'
+
+ build = Gem::Package.new @gem
+ build.spec = @spec
+
+ build.build
+
+ package = Gem::Package.new @gem
+ package.security_policy = Gem::Security::LowSecurity
+
+ assert package.verify
+ end
+
 def test_verify_security_policy_checksum_missing
 @spec.cert_chain = [PUBLIC_CERT.to_pem]
 @spec.signing_key = PRIVATE_KEY
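Review bot: Dropping the `'checksums.yaml.gz'` branch changes which entries land in the digest set, but nothing left in the `case` says why the checksums file must now be digested, so the old `# already handled` reasoning could easily be reinstated by a later reader. A comment on the `else` branch would pin the intent, e.g. `# every non-signature entry is digested, including checksums.yaml.gz, presumably so the signature check can find a digest for checksums.yaml.gz.sig`. The enclosing `case` and method both start and end outside the hunk, so whether the checksum reader still consumes that entry elsewhere is not visible here. Separately, the context line `when /\.sig$/` anchors at end-of-line rather than end-of-string; `/\.sig\z/` is the safer anchor for an archive entry name, though I cannot tell from this hunk whether entry names can carry a newline.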
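Review bot: `assert package.verify` only pins the pass path; nothing in the new test shows that a signature was actually seen and reconciled against a digest, which is the behavior the library change in package.rb enables. Following the sibling test's `instance_variable_get(:@files)` pattern, an assertion such as `assert_includes package.instance_variable_get(:@signatures), 'checksums.yaml.gz'` would fail if the skip were reintroduced, assuming `build.build` writes that `.sig` entry when `signing_key` is set, which this hunk does not show. A failure message on the existing assertion, `assert package.verify, 'signed gem must verify under LowSecurity'`, would also help. The `cert_chain`/`signing_key`/`mkdir_p`/`touch` setup is repeated verbatim in the following test; a small helper would remove the duplication if the rest of the class follows the same shape.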