Header V3 RSA/SHA1 Signature, key ID d651ff2e: BAD

OK, I found the solution

after reading these two articles

So it seems it’s the crypto-policy disallowing SHA-1, and just running sudo update-crypto-policies --set DEFAULT:SHA1 or sudo update-crypto-policies --set LEGACY fixes the problem.

Now, how do we query the rpm key:
rpm -qa --qf "%{name}-%{version}-%{release}.%{arch} %|DSAHEADER?{%{DSAHEADER:pgpsig}}:{%|RSAHEADER?{%{RSAHEADER:pgpsig}}:{(none)}|}|\n"

If we grep by key ID or by SHA1, we will find the packages with a weak signature:

rpm -qa --qf "%{name}-%{version}-%{release}.%{arch} %|DSAHEADER?{%{DSAHEADER:pgpsig}}:{%|RSAHEADER?{%{RSAHEADER:pgpsig}}:{(none)}|}|\n" | grep SHA1

More info:

If you see lines like these:

error: rpmdbNextIterator: skipping h# 2525

then some of your packages are affected. You can use the number you see at the end of each such error (in this case 2525) to figure out which package it is:

$ rpm -q --nosignature --querybynumber 2525
google-chrome-stable-109.0.5414.119-1.x86_64