I have been using Webmin for at least the past 20+ years (!) and ran up against the SHA1 error on the Webmin RPMs when upgrading to Fedora 38, which did not permit it to be added/updated any more..

# rpm -q webmin
error: Verifying a signature using certificate XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX (Jamie Cameron <jcameron@webmin.com>):
Key XXXXXXXXXXXXXXXXXXX invalid: not signing capable
error: rpmdbNextIterator: skipping h# 9083
Header V4 DSA/SHA1 Signature, key ID XXXXXXXX: BAD
Header SHA1 digest: OK
package webmin is not installed

There were several posts that insisted that the problem was ‘solved’, but I still kept getting the same error..   After more research, it turned out that this was because the old/bad SHA1 key was still in the system, and needed to be removed, and also the old/bad SHA1 repo was still in existence..

To find/erase the old/bad key:

# rpm -q gpg-pubkey --qf ‘%{NAME}-%{VERSION}-%{RELEASE}\t%{SUMMARY}\n’

– this will show all the keys on your system, and you need to look for the one from ‘jcameron@webmin.com’

………….‘gpg-pubkey-11f63c51-3c7dc11dtJamie Cameron <jcameron@webmin.com> public keyn’………..

Then use the key ID to get rid of it (ignore the ‘t’ between the key and the name/email)

rpm -e gpg-pubkey-11f63c51-3c7dc11d

Then edit the repo info in /etc/yum.repos.d/webmin.repo to reference the ‘new/good’ repo:

[webmin-noarch]
name=Webmin - noarch
baseurl=https://download.webmin.com/download/newkey/yum
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-webmin-developers
gpgcheck=1

Then add the new/good key:

# wget https://download.webmin.com/developers-key.asc
# rpm --import developers-key.asc

Then # dnf clean all

# rpm -q webmin
webmin-2.100-1.noarch

Thanks to Hilario_Fochi for the key removal details:
Original article thread:
https://forum.virtualmin.com/t/error-gpg-check-failed-unable-to-install-on-fedora-38/120374/14

Robert Gadsdon.   August 1st 2023.