Checking for Trust Mismatches
Trust mismatches occur when the size or SHA-256 hash of a file on the file system no longer matches the values recorded for that file in the trust database.
Changing a file by any means other than DNF can cause a trust mismatch: for example, when a file is installed or updated by running the rpm command directly, or when a user or process modifies the file after it was added to the database.
Note:
Although you can configure fapolicyd to perform file integrity checks based on size or on the SHA-256 hash (the integrity setting in /etc/fapolicyd/fapolicyd.conf), we don't recommend applying this option globally because it increases the likelihood of a system deadlock.
To check for trust mismatches on a system, run:
sudo fapolicyd-cli --check-trustdb
The output lists each file for which a mismatch occurs and which attributes (size, sha256, or both) differ. For example:
/etc/selinux/targeted/contexts/files/file_contexts miscompares: size sha256
/etc/selinux/targeted/policy/policy.33 miscompares: size sha256
/opt/rh/gcc-toolset-12/root/usr/bin/ld miscompares: size sha256
/usr/lib64/gconv/gconv-modules.cache miscompares: size sha256
...
Note that some mismatches are expected, because the size or content of certain files legitimately changes from the values recorded in the RPM database after particular commands or services run. Nonetheless, checking for mismatches can help alert you to files that are in the trust database but have changed since they were added. A mismatch for a file that nothing on the system should have modified, such as a binary under /usr/bin, is worth investigating: determine whether the file was updated by rpm directly (in which case the trust database is merely stale) or altered by something else.
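The following script is an added example, not part of the original page or of the fapolicyd project. It parses the "miscompares:" lines that fapolicyd-cli --check-trustdb prints, drops paths under directories that are expected to drift on the host, and reports the rest. The sample output and the allowlist of expected-drift prefixes (EXPECTED_DRIFT_PREFIXES) are constructed for illustration and must be tuned per host; the /usr/local/bin/deploy-hook entry is a made-up mismatch that is not in the original output. When run as root on a host that has fapolicyd-cli, the script checks the live trust database; otherwise it falls back to the constructed sample.

```shell
#!/bin/sh
# Triage fapolicyd trust mismatches. Example code; not from the fapolicyd project.

# Constructed sample of `fapolicyd-cli --check-trustdb` output (not captured from a real host).
SAMPLE_TRUSTDB_OUTPUT='/etc/selinux/targeted/contexts/files/file_contexts miscompares: size sha256
/etc/selinux/targeted/policy/policy.33 miscompares: size sha256
/opt/rh/gcc-toolset-12/root/usr/bin/ld miscompares: size sha256
/usr/lib64/gconv/gconv-modules.cache miscompares: size sha256
/usr/local/bin/deploy-hook miscompares: sha256'

# Directory prefixes whose files are known to be regenerated legitimately on this host.
# Constructed allowlist (assumption): anything under these prefixes is treated as expected drift.
EXPECTED_DRIFT_PREFIXES="/etc/selinux/targeted/ /usr/lib64/gconv/"

# Read check-trustdb output on stdin; emit "path<TAB>kinds" for every miscompare line,
# where kinds is the attribute list after "miscompares:" (e.g. "size sha256").
# Lines without exactly one " miscompares: " separator (headers, "...") are ignored.
parse_miscompares() {
    awk -F' miscompares: ' 'NF == 2 { printf "%s\t%s\n", $1, $2 }'
}

# Read check-trustdb output on stdin; emit only mismatches outside the expected-drift prefixes.
unexpected_miscompares() {
    tab=$(printf '\t')
    parse_miscompares | while IFS="$tab" read -r path kinds; do
        expected=0
        for prefix in $EXPECTED_DRIFT_PREFIXES; do
            case "$path" in
                "$prefix"*) expected=1 ;;
            esac
        done
        if [ "$expected" -eq 0 ]; then
            printf '%s\t%s\n' "$path" "$kinds"
        fi
    done
}

# Use the live trust database when fapolicyd-cli is available and we are root
# (run the script with sudo); otherwise fall back to the constructed sample.
check_trustdb() {
    if command -v fapolicyd-cli >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
        fapolicyd-cli --check-trustdb
    else
        printf '%s\n' "$SAMPLE_TRUSTDB_OUTPUT"
    fi
}

# Print each unexpected mismatch. Where rpm is available and owns the file, also show what
# `rpm -V` says about it: a verification line means the on-disk file differs from the package
# (changed outside rpm); no line means the package content matches the disk and only the
# trust database is stale (e.g. the package was updated with rpm directly).
report() {
    tab=$(printf '\t')
    check_trustdb | unexpected_miscompares | while IFS="$tab" read -r path kinds; do
        printf 'UNEXPECTED %s (%s)\n' "$path" "$kinds"
        if command -v rpm >/dev/null 2>&1 && pkg=$(rpm -qf "$path" 2>/dev/null); then
            verify=$(rpm -V "$pkg" 2>/dev/null | grep -F " $path" || true)
            printf '  owned by %s; rpm -V: %s\n' "$pkg" "${verify:-no difference recorded}"
        else
            printf '  not owned by an installed package\n'
        fi
    done
}

report
```

The distinction drawn in report() follows from the two causes described above: after an rpm install or update the RPM database already carries the new hash and only fapolicyd's copy is stale, whereas a file edited by a user or process still disagrees with its package and should be treated as an integrity finding until explained.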