When try to downgrade VyOS from the rolling version to stable, as an example to 1.2.6 we got a a confusing issue.
vyos@R2-QAT:~$ add system image https://cdn.vyos.io/1.2.6-S1/xxx/vyos-1.2.6-S1-amd64.iso Trying to fetch ISO file from https://cdn.vyos.io/1.2.6-S1/xxx/vyos-1.2.6-S1-amd64.iso % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 409M 100 409M 0 0 10.4M 0 0:00:38 0:00:38 --:--:-- 10.0M ISO download succeeded. Checking for digital signature file... % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 833 100 833 0 0 2953 0 --:--:-- --:--:-- --:--:-- 2943 Found it. Checking digital signature... gpg: directory '/root/.gnupg' created gpg: keybox '/root/.gnupg/pubring.kbx' created gpg: keyblock resource '/etc/apt/trusted.gpg': No such file or directory gpg: assuming signed data in '/var/tmp/install-image.12936/vyos-1.2.6-S1-amd64.iso' gpg: Signature made Sun 27 Sep 2020 10:19:27 AM UTC gpg: using RSA key 0694A9230F5139BF834BA458FD220285A0FE6D7E gpg: Can't check signature: No public key Signature check FAILED. Do you want to continue anyway? (yes/no) [no]
May be will suitable to add trusted.gpg to rolling to prevent this