Yum proxy modifies repomd.xml which causes signature verification to fail

I’m using Podman to run Nexus via the sonatype/nexus3:3.22.1 image. I have a Yum proxy repository to a remote that includes a valid signature (repomd.xml.asc) and public key (repomd.yml.key) for the repository metadata (repomd.xml). All is well when using the remote directly (i.e., zypper is able to verify signatures), but when using the nexus-proxy proxied repository zypper ref reports that repomd.xml has been modified after it was signed:

# zypper ref -r nexus-proxy
Retrieving repository 'nexus-proxy' metadata ------------------------------------------------------------------------[\]
Signature verification failed for file 'repomd.xml' from repository 'nexus-proxy'.

    Note: Signing data enables the recipient to verify that no modifications occurred after the data
    were signed. Accepting data with no, wrong or unknown signature can lead to a corrupted system
    and in extreme cases even to a system compromise.

    Note: File 'repomd.xml' is the repositories master index file. It ensures the integrity of the
    whole repo.

    Warning: This file was modified after it has been signed. This may have been a malicious change,
    so it might not be trustworthy anymore! You should not continue unless you know it's safe.

Signature verification failed for file 'repomd.xml' from repository 'nexus-proxy'. Continue? [yes/no] (no):

If GPG checks are disabled, zypper obviously doesn’t complain and happily pulls packages through the proxy.

Diffing the remote repomd.xml (remote-repomd.xml) against the proxied one (repomd.xml) gives:

# diff remote-repomd.xml repomd.xml
< <?xml version="1.0" encoding="UTF-8"?>
< <repomd xmlns="http://linux.duke.edu/metadata/repo" xmlns:rpm="http://linux.duke.edu/metadata/rpm">
> <?xml version="1.0" encoding="UTF-8" standalone="no"?><repomd xmlns="http://linux.duke.edu/metadata/repo" xmlns:rpm="http://linux.duke.edu/metadata/rpm">
< </repomd>
> </repomd>
\ No newline at end of file

Clearly repomd.xml is not the same, but the only differences appear to be standalone="no" and missing newlines. Is this expected behavior?

Going further, the signature (and public key) obtained from the proxy is valid on the remote repomd.xml but not valid on the proxy’s repomd.xml:

# gpg2 -k
gpg: keybox '/root/.gnupg/pubring.kbx' created
gpg: /root/.gnupg/trustdb.gpg: trustdb created
# gpg2 --import repomd.xml.key 
gpg: key 70AF9E8139DB7C82: public key "SuSE Package Signing Key <build@suse.de>" imported
gpg: Total number processed: 1
gpg:               imported: 1
# gpg2 --verify repomd.xml.asc remote-repomd.xml 
gpg: Signature made Wed 08 Jan 2020 04:07:18 PM UTC
gpg:                using RSA key 70AF9E8139DB7C82
gpg: Good signature from "SuSE Package Signing Key <build@suse.de>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: FEAB 5025 39D8 46DB 2C09  61CA 70AF 9E81 39DB 7C82
# gpg2 --verify repomd.xml.asc repomd.xml 
gpg: Signature made Wed 08 Jan 2020 04:07:18 PM UTC
gpg:                using RSA key 70AF9E8139DB7C82
gpg: BAD signature from "SuSE Package Signing Key <build@suse.de>" [unknown]

Disabling GPG checks at the client is not an appropriate workaround for my use-case. Is Nexus unable to proxy Yum repositories with metadata signatures and keys without disabling GPG checks?

I ended up working around this issue by using raw proxy repositories. I get the impression that this is an understood limitation with yum proxies and using raw proxies is the right solution; but then, no one responded to this discussion pointing that out. It seems to me that Nexus should handle metadata signatures for proxy repositories, either by not modifying the metadata, not proxying the signatures, or by producing new signatures. What do other people think? Should I open an issue?
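
Added example, not part of the original post and not Nexus or zypper code: a small diagnostic that tells a re-serialized repomd.xml (same XML content, different bytes) apart from one whose content actually changed. The sample documents and the revision value are constructed, modelled on the diff shown above; the function names are hypothetical.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed samples modelled on the diff in the post (body abbreviated,
# revision value made up for illustration).
UPSTREAM = (
    b'<?xml version="1.0" encoding="UTF-8"?>\n'
    b'<repomd xmlns="http://linux.duke.edu/metadata/repo" '
    b'xmlns:rpm="http://linux.duke.edu/metadata/rpm">\n'
    b'  <revision>1578499638</revision>\n'
    b'</repomd>\n'
)
# What the proxy served: standalone="no" added, newlines dropped.
PROXIED = (
    b'<?xml version="1.0" encoding="UTF-8" standalone="no"?>'
    b'<repomd xmlns="http://linux.duke.edu/metadata/repo" '
    b'xmlns:rpm="http://linux.duke.edu/metadata/rpm">\n'
    b'  <revision>1578499638</revision>\n'
    b'</repomd>'
)
# Constructed case where the metadata content itself differs.
TAMPERED = PROXIED.replace(b"1578499638", b"1578499639")


def digest(data: bytes) -> str:
    """SHA-256 over the raw bytes, which is what a detached signature covers."""
    return hashlib.sha256(data).hexdigest()


def _shape(elem):
    """Reduce an element to tag, attributes, stripped text and children."""
    return (elem.tag, sorted(elem.attrib.items()),
            (elem.text or "").strip(), [_shape(child) for child in elem])


def classify(upstream: bytes, proxied: bytes) -> str:
    """Return 'identical', 'reserialized' or 'content-changed'."""
    if digest(upstream) == digest(proxied):
        return "identical"
    if _shape(ET.fromstring(upstream)) == _shape(ET.fromstring(proxied)):
        # Same XML tree, different bytes: the signature still fails.
        return "reserialized"
    return "content-changed"


if __name__ == "__main__":
    for name, doc in (("proxied", PROXIED), ("tampered", TAMPERED)):
        print(name, classify(UPSTREAM, doc), digest(doc)[:16])
```

A "reserialized" result only explains why verification fails; the file still cannot be trusted on the strength of the upstream signature, because that signature covers the original bytes.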