The checksums will be here and committed by those of us with GPG keys that have rockylinux.org / resf.org email addresses. The reason why we don’t have CHECKSUM.sig anymore for 9 is because of the new build system and how keykeeper works. For security reasons, we decided that we wouldn’t allow signing files ad hoc outside of the build system and instead provide a git repo and a mirror of it with signed commits of the checksums.
There was another poster who actually brought this up initially since neither our website nor documentation pointed out the CHECKSUM.sig files to begin with. We ultimately decided that using a git repo (and linking it to our website’s download page, coming soon) would make a bit more sense.
While this is mostly for mirrors or those who are curious/explorers into the repository structure of Rocky Linux, we explain it a bit in our metadata README since we knew these questions would arise.
When we get 8 into the mix of the new build system, the same thing will likely occur where there are no longer CHECKSUM.sig files, but that is down the road.
You don’t have to ignore the checksum file in the links actually. The checksum files are there for the users to validate that what they’ve downloaded is correct, which is why we provide the links on the download page.
Where the repository comes in is for us to have a secondary spot where these checksums exist, so if a user is concerned or paranoid, they can check this repository, verify the signed commits and the checksums provided. For most users this won’t be necessary, but there are some folks who want to really double check what they’ve downloaded from us or a mirror to ensure image integrity.
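
The double check described above, as an added example that is not part of the original post and not Rocky Linux project code: it compares the CHECKSUM text served by a mirror with the copy taken from the checksum git repository, then hashes the downloaded image against the agreed value. It assumes BSD-style `SHA256 (file) = hex` lines and that the repository copy comes from a checkout whose commit signature was already verified with git (for example `git log --show-signature`); the function names and the `example.iso` data are constructed for illustration.

```python
import hashlib
import os
import re
import tempfile

# Assumed BSD-style checksum line, e.g. "SHA256 (name.iso) = <hex digest>"
LINE = re.compile(r"^(SHA256|SHA512) \((.+)\) = ([0-9a-fA-F]+)$")

def parse_checksums(text):
    """Return {filename: (algorithm, hexdigest)}; comment lines are skipped."""
    entries = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            entries[m.group(2)] = (m.group(1).lower(), m.group(3).lower())
    return entries

def file_digest(path, algo):
    """Hash the file in 1 MiB chunks so multi-gigabyte images fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def verify(image_path, mirror_text, repo_text):
    """Check an image against the mirror CHECKSUM and the signed-repo copy."""
    name = os.path.basename(image_path)
    mirror = parse_checksums(mirror_text).get(name)
    repo = parse_checksums(repo_text).get(name)
    if mirror is None or repo is None:
        return "missing-entry"
    if mirror != repo:
        return "mirror-repo-mismatch"  # the mirror's file disagrees with the repo
    algo, expected = repo
    return "ok" if file_digest(image_path, algo) == expected else "image-mismatch"

def demo():
    """Run verify() on a constructed stand-in image and constructed checksum texts."""
    data = b"constructed stand-in for an ISO image\n"
    digest = hashlib.sha256(data).hexdigest()
    good = f"# example.iso: {len(data)} bytes\nSHA256 (example.iso) = {digest}\n"
    forged = f"SHA256 (example.iso) = {'0' * 64}\n"
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "example.iso")
        with open(path, "wb") as f:
            f.write(data)
        return {"clean": verify(path, good, good),
                "tampered_mirror": verify(path, forged, good),
                "wrong_image": verify(path, forged, forged),
                "not_listed": verify(path, good, "")}
```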