I got the "old" signkey with following command: $ osc signkey --sslcert openSUSE:Maintenance:13552 The valid date starts from "Jan 8 16:25:54 2020". Do we already migrate to the rotated signkey? A possible situation is that the signature was generated with the new key but the old cert was attached, so shim failed to verify the signature with the old cert. Have to disassemble the signature to confirm it...