'baseos': repomd.xml GPG signature verification error: Bad GPG signature after upgrade to 9.7

Hello,
I just updated one of our Rocky Linux boxes from 9.6 to 9.7 last week. Today I wanted to install some more packages and found this error.

Rocky Linux 9 - BaseOS 935 B/s | 833 B 00:00
Rocky Linux 9 - BaseOS 1.7 MB/s | 1.7 kB 00:00
Rocky Linux 9 - BaseOS 4.5 kB/s | 833 B 00:00
Error: Failed to download metadata for repo ‘baseos’: repomd.xml GPG signature verification error: Bad GPG signature

I checked the keys; the box is using the one ending with 275D:
Rocky Linux 9 - BaseOS
Importing GPG key 0x350D275D
Userid : "Rocky Enterprise Software Foundation - Release key 2022 <releng@rockylinux.org>"
Fingerprint : 21CB 256A E16F C54C 6E65 2949 702D 426D 350D 275D
From : /etc/pki/rpm-gpg/RPM-GPG-KEY-Rocky-9

For a quick win, I disabled gpgcheck and could install the packages. Does anyone face the same problem as me?

Can you perhaps try:

dnf clean all
dnf update

Hello iwalker

I had tried that before creating the post, but no luck :skull:

I asked Google Gemini about this, and it suggests two possibilities:

  1. Incorrect System Time
    GPG signature verification is highly sensitive to time. If your system clock is significantly ahead or behind the actual time, the signature might be flagged as “expired” or “not yet valid,” which can sometimes manifest as a “Bad GPG signature” error.

    Check: Run date to see if your system time is accurate.

    The Fix: Ensure chronyd or systemd-timesyncd is running to keep your clock in sync.

  2. Man-in-the-Middle (MITM) or SSL Inspection
    You mentioned DNS/Communications. While DNS itself usually doesn’t cause a signature mismatch, Transparent Proxies or SSL Inspection firewalls (common in corporate environments) can.

    The Scenario: If a network appliance intercepts the traffic and attempts to “re-sign” or modify the headers/content of the metadata download, the GPG check will fail because the file has been altered.

    The Scenario: A “Captive Portal” (like at a hotel or airport) might be redirecting the request to a login page. DNF downloads the “Login Page” HTML instead of the XML metadata, causing a signature mismatch.

Could either of those apply to your error?

Tony


Hello Tony,
The server is in sync with NTP, so we eliminated the incorrect time issue,
and yes, the Linux box is behind a proxy, so I switched to another one and everything's working perfectly now.

Thanks a lot for your help and advice!

Thanks for your help and advice.
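
One way to tell the proxy cases discussed above apart while leaving gpgcheck on, as an added example that is not part of the thread. It assumes repomd.xml and repomd.xml.asc were fetched by hand (for instance with curl) through the same proxy; the function names are made up here, and the fingerprint is the one quoted in the first post.

```shell
#!/bin/sh
# Added example, not from the thread. Fingerprint as quoted in the thread.
ROCKY9_FPR='21CB 256A E16F C54C 6E65 2949 702D 426D 350D 275D'

# What actually arrived: repo metadata, an HTML page, or something else?
classify_repomd() (
    [ -s "$1" ] || { echo empty; exit 0; }
    start=$(head -c 1024 "$1" | tr 'A-Z\n' 'a-z ')  # first 1 KiB, lower-cased
    case $start in
        *'<!doctype html'*|*'<html'*) echo html ;;
        *'<repomd'*)                   echo repomd ;;
        *)                             echo unknown ;;
    esac
)

# Verify the detached signature against only the given key file (gpgv, no
# user keyring) and require the expected fingerprint on the VALIDSIG line.
verify_repomd() (
    want=$(printf %s "$4" | tr -d ' ')
    tmp=$(mktemp -d) || exit 2
    rc=1
    if gpg --homedir "$tmp" --batch --dearmor <"$3" >"$tmp/ring.gpg" 2>/dev/null; then
        gpgv --keyring "$tmp/ring.gpg" --status-fd 1 "$2" "$1" 2>/dev/null |
            grep '^\[GNUPG:\] VALIDSIG ' | grep -q "$want" && rc=0
    fi
    rm -rf "$tmp"
    exit "$rc"
)

# Usage: triage_repomd repomd.xml repomd.xml.asc KEYFILE "FINGERPRINT"
triage_repomd() (
    kind=$(classify_repomd "$1")
    if [ "$kind" != repomd ]; then
        echo "not-metadata ($kind): response body is not repomd XML"
    elif verify_repomd "$@"; then
        echo "ok: valid signature from the expected key"
    else
        echo "bad-signature: content does not verify against the expected key"
    fi
)

# Constructed sample: the sort of login page a captive portal returns.
sample=$(mktemp)
printf '<!DOCTYPE html>\n<html><body>Please sign in</body></html>\n' >"$sample"
triage_repomd "$sample" /dev/null /etc/pki/rpm-gpg/RPM-GPG-KEY-Rocky-9 "$ROCKY9_FPR"
rm -f "$sample"
```

A `not-metadata` result points at a portal or block page; `bad-signature` on a body that really is repomd XML means the file and its `.asc` do not match as delivered, which is the case where comparing against a download from another network path is worthwhile.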