The gpg public key used for the extras repository does not meet all requirements of the default crypto-policy. When importing the gpg key, the following warning is emitted:

warning: Certificate 1FF6A2171D997668:
  Policy rejects subkey 8B5C8111FCA5D0FF: Policy rejected non-revocation signature (PrimaryKeyBinding) requiring second pre-image resistance 

This can be reproduced by either directly importing the gpg key using

rpm --import https://www.centos.org/keys/RPM-GPG-KEY-CentOS-SIG-Extras

or installing first package part of the extras repository causing dnf to ask about importing the gpg key.

This is only a warning, everything still works as expected. This warning, especially for a gpg key provided directly by the system, could confuse some users.