View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0012541 | Rocky-Linux-9 | [Repo] Extras | public | 2026-04-23 21:24 | 2026-04-24 09:18 |
| Reporter | Adam Conerly | Assigned To | |||
| Priority | high | Severity | minor | Reproducibility | always |
| Status | new | Resolution | open | ||
| Platform | vmware | OS | Rocky Linux | OS Version | 9.7 |
| Summary | 0012541: Rocky Linux 9 "extras" repo failing repo GPG signature check | ||||
| Description | Problem All Rocky Linux 9.7 servers fail dnf update with: Error: Failed to download metadata for repo 'extras': repomd.xml GPG signature verification error: Bad GPG signature Troubleshooting Steps Performed Verified the local GPG key (0x350D275D) matches the official Rocky Linux 9 release key — fingerprint 21CB 256A E16F C54C 6E65 2949 702D 426D 350D 275D is correct. Ran dnf clean all, dnf makecache, dnf update — no change. Re-downloaded and re-imported the GPG key from /etc/pki/rpm-gpg/RPM-GPG-KEY-Rocky-9 — no change. Switched the extras repo from mirrorlist to the base URL (dl.rockylinux.org) — no change. Attempted dnf --disablerepo extras update — other repos updated successfully, confirming the issue is isolated to extras. Reviewed the known Rocky Linux forum thread (GPG Signature Verification Fails - Rocky Linux 9 BaseOS) — that fix (March 24, 2026) resolved BaseOS/AppStream but not extras. Definitive test: Downloaded repomd.xml and repomd.xml.asc directly from Rocky’s official repo and verified locally with GPG: curl -so /tmp/repomd.xml http://dl.rockylinux.org/pub/rocky/9/extras/x86_64/os/repodata/repomd.xml curl -so /tmp/repomd.xml.asc http://dl.rockylinux.org/pub/rocky/9/extras/x86_64/os/repodata/repomd.xml.asc gpg --import /etc/pki/rpm-gpg/RPM-GPG-KEY-Rocky-9 gpg --verify /tmp/repomd.xml.asc /tmp/repomd.xml Result: gpg: Signature made Tue 21 Apr 2026 05:32:46 AM CDT gpg: using RSA key 21CB256AE16FC54C6E652949702D426D350D275D gpg: BAD signature from "Rocky Enterprise Software Foundation - Release key 2022 <releng@rockylinux.org>" [unknown] Root Cause Server-side issue at Rocky Linux. The repomd.xml file in the extras repo (dl.rockylinux.org/pub/rocky/9/extras/x86_64/os/repodata/) is out of sync with its detached signature (repomd.xml.asc). The metadata was updated without regenerating the signature, or vice versa. The signing key is correct — the content simply doesn’t match what was signed. This is not a local key or configuration problem. | ||||
| Steps To Reproduce | Executing "dnf update" or installing a target package consistently fails with: Error: Failed to download metadata for repo 'extras': repomd.xml GPG signature verification error: Bad GPG signature | ||||
| Additional Information | Compared and verified bad gpg signature in rocky repo: curl -so /tmp/repomd.xml http://dl.rockylinux.org/pub/rocky/9/extras/x86_64/os/repodata/repomd.xml curl -so /tmp/repomd.xml.asc http://dl.rockylinux.org/pub/rocky/9/extras/x86_64/os/repodata/repomd.xml.asc gpg --import /etc/pki/rpm-gpg/RPM-GPG-KEY-Rocky-9 gpg --verify /tmp/repomd.xml.asc /tmp/repomd.xml gpg: Signature made Tue 21 Apr 2026 05:32:46 AM CDT Workaround (rocky-extras.repo file change): [extras] name=Rocky Linux - Extras mirrorlist=https://mirrors.rockylinux.org/mirrorlist?arch=&repo=extras- #baseurl=http://dl.rockylinux.org///extras//os/ gpgcheck=1 repo_gpgcheck=0 enabled=1 countme=1 metadata_expire=6h gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-Rocky-9 gpg: using RSA key 21CB256AE16FC54C6E652949702D426D350D275D gpg: BAD signature from "Rocky Enterprise Software Foundation - Release key 2022 <releng@rockylinux.org>" [unknown] | ||||
| Tags | No tags attached. | ||||
 |
Thanks for pointing this out! We've fixed the bug that was allowing this through and this should be fixed when the next compose completes. |
| Date Modified | Username | Field | Change |
|---|---|---|---|
| 2026-04-23 21:24 | Adam Conerly | New Issue | |
| 2026-04-24 09:18 | Jonathan Dieter | Note Added: 0013300 |
