I created a new virtual repository with the following configuration:
When examining the metadata, however, it is signed by the key specified:
That key is the signing key of one of the virtual repo members. Specifically, it's the CentOS Official Key as documented on this page:
So it would seem that Artifactory is not signing that repository's metadata with the signing key it was configured to sign it with. That, of course, means the client fails GPG validation of the repo metadata when they are configured to use the specified public key in their repo definition.