Bad GPG signature on Rocky 8 BaseOS/AppStream repos

$ dnf module list
Rocky Linux 8 - AppStream                                                                                                                                                                            465  B/s | 833  B     00:01
Rocky Linux 8 - AppStream                                                                                                                                                                            1.6 MB/s | 1.6 kB     00:00
Rocky Linux 8 - AppStream                                                                                                                                                                            525  B/s | 833  B     00:01
Error: Failed to download metadata for repo 'appstream': repomd.xml GPG signature verification error: Bad GPG signature

$ gpg --verify <(curl -s https://dl.rockylinux.org/pub/rocky/8/AppStream/x86_64/os/repodata/repomd.xml.asc) <(curl -s https://dl.rockylinux.org/pub/rocky/8/AppStream/x86_64/os/repodata/repomd.xml)
gpg: Signature made Wed 18 Dec 2024 10:00:26 PM UTC
gpg:                using RSA key 7051C470A929F454CEBE37B715AF5DAC6D745A60
gpg: BAD signature from "Release Engineering <infrastructure@rockylinux.org>" [unknown]

$ gpg --verify <(curl -s https://dl.rockylinux.org/pub/rocky/8/BaseOS/x86_64/os/repodata/repomd.xml.asc) <(curl -s https://dl.rockylinux.org/pub/rocky/8/BaseOS/x86_64/os/repodata/repomd.xml)
gpg: Signature made Wed 18 Dec 2024 09:51:55 PM UTC
gpg:                using RSA key 7051C470A929F454CEBE37B715AF5DAC6D745A60
gpg: BAD signature from "Release Engineering <infrastructure@rockylinux.org>" [unknown]

The GPG signatures on the Rocky 8 BaseOS and AppStream repositories seem broken. Anyone else seeing this?

Working fine for me. Try:

dnf clean all
dnf update

and then attempt the dnf module list command.

# dnf clean all
109 files removed
# dnf update
Rocky Linux 8 - AppStream  397  B/s | 833  B     00:02
Rocky Linux 8 - AppStream  1.6 MB/s | 1.6 kB     00:00
Rocky Linux 8 - AppStream  427  B/s | 833  B     00:01
Error: Failed to download metadata for repo 'appstream': repomd.xml GPG signature verification error: Bad GPG signature
# dnf module list
Rocky Linux 8 - AppStream 497  B/s | 833  B     00:01
Rocky Linux 8 - AppStream 1.6 MB/s | 1.6 kB     00:00
Rocky Linux 8 - AppStream 565  B/s | 833  B     00:01
Error: Failed to download metadata for repo 'appstream': repomd.xml GPG signature verification error: Bad GPG signature

Still broken. I am fairly sure the signatures genuinely are broken, given my GPG commands above.

If it was it would be broken for everyone. Most likely situation is a mirror near to you has sync issues.

I even applied updates to my system when I checked, and that wouldn’t be possible if the signatures were broken for everyone.

Looks like some new metadata has been pushed (Index of /pub/rocky/8/BaseOS/x86_64/os/repodata/ suggests at 10:39 today), which appears to be fixed:

$ gpg --verify <(curl -s https://dl.rockylinux.org/pub/rocky/8/AppStream/x86_64/os/repodata/repomd.xml.asc) <(curl -s https://dl.rockylinux.org/pub/rocky/8/AppStream/x86_64/os/repodata/repomd.xml)
gpg: Signature made Thu 19 Dec 2024 10:39:44 AM GMT
gpg:                using RSA key 7051C470A929F454CEBE37B715AF5DAC6D745A60
gpg: Good signature from "Release Engineering <infrastructure@rockylinux.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 7051 C470 A929 F454 CEBE  37B7 15AF 5DAC 6D74 5A60

$ gpg --verify <(curl -s https://dl.rockylinux.org/pub/rocky/8/BaseOS/x86_64/os/repodata/repomd.xml.asc) <(curl -s https://dl.rockylinux.org/pub/rocky/8/BaseOS/x86_64/os/repodata/repomd.xml)
gpg: Signature made Thu 19 Dec 2024 10:39:36 AM GMT
gpg:                using RSA key 7051C470A929F454CEBE37B715AF5DAC6D745A60
gpg: Good signature from "Release Engineering <infrastructure@rockylinux.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 7051 C470 A929 F454 CEBE  37B7 15AF 5DAC 6D74 5A60