Are you wondering why zypper or YaST currently ask you to accept new keys for
some repositories?
If so, please read this mail.

The repositories on opensuse.org below the
http://download.opensuse.org/repositories/
directory are currently getting new GPG keys, which are used to sign the
repository metadata and the packages. The reason for this is to increase
security for you and your system. Repositories inside this directory are
created by the openSUSE build service packagers. Anybody can go to
http://build.opensuse.org
and get at least their own home:<login> project where they can build and
publish packages. All other projects also have different owners, that is,
people who have write permissions there.

As a consequence of this openness of the build service, users should be
able to decide whom to trust and whom not to trust. This is easily done
by adding, not adding, or removing repositories.

However, rpm and the package managers use GPG keys to support users in this
approach. These tools use them to verify that a given repository and each
package does indeed come from a certain person or group.

In the past, all build service repositories were signed with the same key.
This means that a user was able to allow or disallow repositories, but the
tools did not help with this or even check it. This approach was therefore
not safe against attacks.

From now on we use a separate key for each top-level project. Users can
decide whether or not to accept certain keys. In the near future, packagers
will get an API to manage these keys to some degree.
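
The difference between one shared key and one key per top-level project, as an
added example (not code from the build service or from this mail). HMAC stands
in for a GPG signature so that it runs with the Python standard library only;
the project names ProjectA and ProjectB and the key ids are constructed.

```python
import hashlib
import hmac

# Constructed mapping of project -> signing key id (hypothetical names).
SHARED = {"ProjectA": "obs-shared", "ProjectB": "obs-shared"}
PER_PROJECT = {"ProjectA": "key-a", "ProjectB": "key-b"}

# Constructed key material. A real setup uses GPG key pairs; HMAC is only a
# stand-in that lets "signed by key X" be checked without extra libraries.
SECRETS = {kid: hashlib.sha256(kid.encode()).digest()
           for kid in ("obs-shared", "key-a", "key-b")}


def sign(project, payload, key_map):
    """Build service side: sign a package with the key of its project."""
    key_id = key_map[project]
    sig = hmac.new(SECRETS[key_id], payload, hashlib.sha256).digest()
    return {"project": project, "payload": payload,
            "key_id": key_id, "sig": sig}


def verify(package, accepted_key_ids):
    """Client side: pass only packages signed by a key the user accepted."""
    key_id = package["key_id"]
    if key_id not in accepted_key_ids:
        return False  # key never accepted, so the package is rejected
    expected = hmac.new(SECRETS[key_id], package["payload"],
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, package["sig"])


def accepted_projects(key_map, trusted_project):
    """Projects whose packages verify once one project's key is accepted."""
    accepted = {key_map[trusted_project]}
    return sorted(project for project in key_map
                  if verify(sign(project, b"pkg-1.0.rpm", key_map), accepted))


if __name__ == "__main__":
    # Shared key: accepting ProjectA also lets ProjectB's packages verify.
    print("shared key:      ", accepted_projects(SHARED, "ProjectA"))
    # Per-project keys: only the project whose key was accepted verifies.
    print("per-project keys:", accepted_projects(PER_PROJECT, "ProjectA"))
```
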
These keys are automatically generated by the build service and report to come from
KDE OBS Project