0012541: Rocky Linux 9 "extras" repo failing repo GPG signature check - Rocky Linux BugTracker

ID	Project	Category	View Status	Date Submitted	Last Update

0012541	Rocky-Linux-9	[Repo] Extras	public	2026-04-23 21:24	2026-04-29 13:16

Reporter	Adam Conerly	Assigned To	Jonathan Dieter
Priority	high	Severity	minor	Reproducibility	always
Status	resolved	Resolution	fixed
Platform	vmware	OS	Rocky Linux	OS Version	9.7

Summary	0012541: Rocky Linux 9 "extras" repo failing repo GPG signature check
Description	Problem All Rocky Linux 9.7 servers fail dnf update with: Error: Failed to download metadata for repo 'extras': repomd.xml GPG signature verification error: Bad GPG signature Troubleshooting Steps Performed Verified the local GPG key (0x350D275D) matches the official Rocky Linux 9 release key — fingerprint 21CB 256A E16F C54C 6E65 2949 702D 426D 350D 275D is correct. Ran dnf clean all, dnf makecache, dnf update — no change. Re-downloaded and re-imported the GPG key from /etc/pki/rpm-gpg/RPM-GPG-KEY-Rocky-9 — no change. Switched the extras repo from mirrorlist to the base URL (dl.rockylinux.org) — no change. Attempted dnf --disablerepo extras update — other repos updated successfully, confirming the issue is isolated to extras. Reviewed the known Rocky Linux forum thread (GPG Signature Verification Fails - Rocky Linux 9 BaseOS) — that fix (March 24, 2026) resolved BaseOS/AppStream but not extras. Definitive test: Downloaded repomd.xml and repomd.xml.asc directly from Rocky’s official repo and verified locally with GPG: curl -so /tmp/repomd.xml http://dl.rockylinux.org/pub/rocky/9/extras/x86_64/os/repodata/repomd.xml curl -so /tmp/repomd.xml.asc http://dl.rockylinux.org/pub/rocky/9/extras/x86_64/os/repodata/repomd.xml.asc gpg --import /etc/pki/rpm-gpg/RPM-GPG-KEY-Rocky-9 gpg --verify /tmp/repomd.xml.asc /tmp/repomd.xml Result: gpg: Signature made Tue 21 Apr 2026 05:32:46 AM CDT gpg: using RSA key 21CB256AE16FC54C6E652949702D426D350D275D gpg: BAD signature from "Rocky Enterprise Software Foundation - Release key 2022 <releng@rockylinux.org>" [unknown] Root Cause Server-side issue at Rocky Linux. The repomd.xml file in the extras repo (dl.rockylinux.org/pub/rocky/9/extras/x86_64/os/repodata/) is out of sync with its detached signature (repomd.xml.asc). The metadata was updated without regenerating the signature, or vice versa. The signing key is correct — the content simply doesn’t match what was signed. This is not a local key or configuration problem.
Steps To Reproduce	Executing "dnf update" or installing a target package consistently fails with: Error: Failed to download metadata for repo 'extras': repomd.xml GPG signature verification error: Bad GPG signature
Additional Information	Compared and verified bad gpg signature in rocky repo: curl -so /tmp/repomd.xml http://dl.rockylinux.org/pub/rocky/9/extras/x86_64/os/repodata/repomd.xml curl -so /tmp/repomd.xml.asc http://dl.rockylinux.org/pub/rocky/9/extras/x86_64/os/repodata/repomd.xml.asc gpg --import /etc/pki/rpm-gpg/RPM-GPG-KEY-Rocky-9 gpg --verify /tmp/repomd.xml.asc /tmp/repomd.xml gpg: Signature made Tue 21 Apr 2026 05:32:46 AM CDT Workaround (rocky-extras.repo file change): [extras] name=Rocky Linux - Extras mirrorlist=https://mirrors.rockylinux.org/mirrorlist?arch=&repo=extras- #baseurl=http://dl.rockylinux.org///extras//os/ gpgcheck=1 repo_gpgcheck=0 enabled=1 countme=1 metadata_expire=6h gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-Rocky-9 gpg: using RSA key 21CB256AE16FC54C6E652949702D426D350D275D gpg: BAD signature from "Rocky Enterprise Software Foundation - Release key 2022 <releng@rockylinux.org>" [unknown]
Tags	No tags attached.

Date Modified	Username	Field	Change
2026-04-23 21:24	Adam Conerly	New Issue
2026-04-24 09:18	Jonathan Dieter	Note Added: 0013300
2026-04-29 13:16	Jonathan Dieter	Assigned To	=> Jonathan Dieter
2026-04-29 13:16	Jonathan Dieter	Status	new => resolved
2026-04-29 13:16	Jonathan Dieter	Resolution	open => fixed
2026-04-29 13:16	Jonathan Dieter	Note Added: 0013367