Comment 20 for bug 1943833

> Hi Mario, Could you share the command to verify?
$ jcat-tool info firmware.xml.gz.jcat --public-keys /etc/pki/fwupd-metadata/ --verbose

Compare the sha1/sha256 output from this to:
$ sha1sum firmware.xml.gz.jcat
$ sha256sum firmware.xml.gz.jcat

Then run this and make sure it passes:
$ jcat-tool verify firmware.xml.gz.jcat --public-keys /etc/pki/fwupd-metadata/ --kind pkcs7 --verbose

If that passes run this:
$ jcat-tool verify firmware.xml.gz.jcat --public-keys /etc/pki/fwupd-metadata/ --kind pkcs7 --verbose

> A quick cross-check, the file in ~/cache/fwupd/remotes.d/lvfs is the same if I compare the one downloaded by plasma-discover and "fwupdmgr refresh"

Good, so we don't have a downloader problem most likely.

>One thing I can see is: new code just use fwupd_client_get_remotes_async, while old code seems download file and call fwupd_client_update_metadata.

But in both cases it's using daemon and libjcat to do the verification. I think we need to fixate on the downloaded files to see what makes them complain from libjcat.