Centos – yum install and update fail – GPG keys listed for the “CentOS-7 – Updates” repository are already installed but they are not correct


I'm stumped by this update killing error.

This error squashes all updates until I disable gpgcheck on the updates repo,
i.e. /etc/yum.repos.d/CentOS-Base.repo, [updates] section: gpgcheck=0

It's happening on every machine I have – I thought at first that it was a 'pet/snowflake' type issue but no, it's affecting the whole herd.

warning: /var/cache/yum/x86_64/7/updates/packages/scap-security-guide-0.1.36-9.el7.centos.noarch.rpm: Header V3 RSA/SHA256 Signature, key ID f533f4fa: NOKEY
Public key for scap-security-guide-0.1.36-9.el7.centos.noarch.rpm is not installed
scap-security-guide-0.1.36-9.el7.centos.noarch.rpm                               | 4.4 MB  00:00:03
Retrieving key from file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7

The GPG keys listed for the "CentOS-7 - Updates" repository are already installed but they are not correct for this package.
Check that the correct key URLs are configured for this repository.

 Failing package is: scap-security-guide-0.1.36-9.el7.centos.noarch
 GPG Keys are configured as: file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7

gpg --quiet --with-fingerprint /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
shows the correct fingerprint.

diff says /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7 and
http://mirror.centos.org/centos/RPM-GPG-KEY-CentOS-7 match.

file says /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7 is a PGP public key block.

stat says it's a regular file.

ls -lZa /etc/pki/rpm-gpg/ shows all files owned by root:root with security context system_u:object_r:cert_t:s0

lsattr /etc/pki/rpm-gpg/ shows no attributes set.

No errors have been reported for the disk.

There's no memory or record of any other update failing since the OS was installed in 2016.

The package's URL is http://mirror.centos.org/centos/7.5.1804/updates/x86_64/Packages/scap-security-guide-doc-0.1.36-9.el7.centos.noarch.rpm

yum provides scap-security-guide says:
scap-security-guide-0.1.36-9.el7.centos.noarch
is in
Repo : updates

/etc/yum.repos.d/CentOS-Base.repo (excerpt)
[base]
name=CentOS-$releasever - Base
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=os&infra=$infra
#baseurl=http://mirror.centos.org/centos/$releasever/os/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7

#released updates
[updates]
name=CentOS-$releasever - Updates
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=updates&infra=$infra
#baseurl=http://mirror.centos.org/centos/$releasever/updates/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7

/etc/yum.conf
[main]
cachedir=/var/cache/yum/$basearch/$releasever
keepcache=0
debuglevel=2
logfile=/var/log/yum.log
exactarch=1
obsoletes=1
gpgcheck=1
plugins=1
bugtracker_url=http://bugs.centos.org/set_project.php?project_id=23&ref=http://bugs.centos.org/bug_report_page.php?category=yum
distroverpkg=centos-release

# Added after installing deltarpm
deltarpm=-1

After rebooting, I ran
yum clean all, which cleaned all active repos: base epel extras mariadb psychotic updates,
followed by
rm -rf /var/cache/yum
before re-running yum update.
It threw the error again and continues to do so.

Centos 7.4
Centos 7.5

Best Answer

I've seen the problem (LOL - sorry, not MITM or corrupt mirrors). I tracked it down to the version of gpg installed and linked on the system. Usually you'll want gpg2. But, gpg can end up being your default if (for instance) you're missing the gpg2 binary, missing or wrongly ordered PATH entries, missing a link to the binary, and so on.
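As an added example (not code from the question or the answer), this is the check rpm is making, done offline with only the Python standard library so that it does not depend on which gpg binary the host resolves: parse the file named by gpgkey=, compute the v4 key IDs of the keys it contains, and compare them with the key ID in the NOKEY warning. The warning text and the armored key are constructed samples; on a real host you would pass the contents of /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7 to key_ids().

```python
import base64, hashlib, re, struct
WARNING = "Header V3 RSA/SHA256 Signature, key ID f533f4fa: NOKEY"   # constructed copy of the question's line

def nokey_id(warning):
    """Key ID that rpm reported as NOKEY (rpm prints the low 32 bits), lowercase hex; None if absent."""
    m = re.search(r"key ID ([0-9a-fA-F]{8,16}): NOKEY", warning)
    return m.group(1).lower() if m else None

def dearmor(armored):
    """Base64-decode a PGP PUBLIC KEY BLOCK: headers end at the blank line, '=xxxx' is the CRC24 trailer."""
    data, in_data = [], False
    for line in (l.strip() for l in armored.strip().splitlines()):
        if line.startswith("-----END"): break
        if in_data and not line.startswith("="):
            data.append(line)
        in_data = in_data or line == ""
    return base64.b64decode("".join(data))

def packets(raw):
    """Yield (tag, body) per old-format OpenPGP packet, the header form GnuPG uses for public keys."""
    i = 0
    while i < len(raw):
        if raw[i] & 0x40 or raw[i] & 0x03 == 3:   # new-format or indeterminate-length headers: not handled
            raise ValueError("unsupported packet header 0x%02x" % raw[i])
        tag, size = (raw[i] >> 2) & 0x0F, 1 << (raw[i] & 0x03)   # tag in bits 2-5, length octets = 2**(bits 0-1)
        length = int.from_bytes(raw[i + 1:i + 1 + size], "big")
        yield tag, raw[i + 1 + size:i + 1 + size + length]
        i += 1 + size + length

def v4_key_id(body):
    """Low 64 bits of the v4 fingerprint: SHA-1 over 0x99, the 2-byte body length and the body (RFC 4880 12.2)."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest()[-16:]

def key_ids(armored):
    """Key IDs of every v4 public key (tag 6) and public subkey (tag 14) in a gpgkey= file."""
    return [v4_key_id(b) for tag, b in packets(dearmor(armored)) if tag in (6, 14) and b[:1] == b"\x04"]

def key_present(file_ids, reported):
    """Compare on the low 32 bits, the form rpm prints and gpg-pubkey-* package names carry."""
    return bool(reported) and any(k.endswith(reported.lower()[-8:]) for k in file_ids)

def sample_key_body():
    """Constructed v4 RSA public-key packet body with dummy MPIs; not a real key."""
    mpi = lambda b: struct.pack(">H", int.from_bytes(b, "big").bit_length()) + b
    return b"\x04" + struct.pack(">I", 1403827643) + b"\x01" + mpi(b"\xc1" + bytes(range(31))) + mpi(b"\x01\x00\x01")

def sample_key_block():
    """The sample body in ASCII armor behind an old-format tag-6 header (0x99); the CRC line is a dummy."""
    body = sample_key_body()
    b64 = base64.b64encode(b"\x99" + struct.pack(">H", len(body)) + body).decode()
    return "-----BEGIN PGP PUBLIC KEY BLOCK-----\nVersion: sample\n\n%s\n=AAAA\n-----END PGP PUBLIC KEY BLOCK-----\n" % b64
```

If key_present() is False for the real key file, the repo's gpgkey= genuinely does not cover the signer and the mirror or the package is suspect; if it is True but yum still fails, the problem is on the gpg side, as in the accepted answer.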
