Example 1)
==========

The sha256 checksum of the package libnvme-1.0-4.el9.i686.rpm present in the CentOS 9 Stream "Appstream" repository does not match the sha256 checksum listed for that package in the metadata.

Expected checksum: 6a597f88ec5aa7d6c61393b9ea5ce814be42b983418bcd1a3a992c51c6257872
Actual checksum: df155f1a8ac42fa1be144c73f22b00e0968e0b09208008ae285eac0e8342bcd9

File located here: http://mirror.stream.centos.org/9-stream/AppStream/x86_64/os/Packages/libnvme-1.0-4.el9.i686.rpm

Excerpt from the Appstream primary.xml metadata:

{{<package type="rpm">
<name>libnvme</name>
<arch>i686</arch>
<version epoch="0" ver="1.0" rel="4.el9"/>
<checksum type="sha256" pkgid="YES">6a597f88ec5aa7d6c61393b9ea5ce814be42b983418bcd1a3a992c51c6257872</checksum>}}

Example 2)
=========

The .treeinfo (kickstart) metadata file in the Centos 9 Stream "Baseos" repository lists the following files

{{[checksums]
images/boot.iso = sha256:008c51f52ae5e129f46ffcab67947f3380fbc80cd6e400f26175635b69158e1c
images/efiboot.img = sha256:73ce169a73b02238746548134a5d2946013ecbece1f003792bc4a4a374d97bce
images/install.img = sha256:909d419ba84c161f0ffba74f99478584d7a2ed94945b9f05458a21e2629eadd9
images/pxeboot/initrd.img = sha256:be9aa50b85ca2bda3a73ea823d104e60e0dc686feca83946bf374fd127a81956
images/pxeboot/vmlinuz = sha256:5bb7081b636c70b2687278fa08ed97b7a2df6bec86146224e8d20e8b8928cb08}}

The checksum for images/install.img doesn't match

{{[dalley@thinkpad Downloads]$ sha256sum install.img
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 install.img}}

====

There are potentially others, I just stopped looking after finding 2