This will need some more investigation, and I need to get the build key (0D210A40).

Authority for the trusted gpg keys is the rpm database, so the zypp trusted keyring must be in sync with the keys stored in the rpm database (the gpg-pubkey pseudo packages).

> [zypp] RpmDb.cc(syncTrustedKeys):966 Going to sync trusted keys...
> [zypp++] RpmDb.cc(computeKeyRingSync):946 gpg-pubkey-0d210a40-581257c6 R_
>                                                      ^^^^^^^^^^^^^^^^^
> [zypp++] RpmDb.cc(computeKeyRingSync):946 gpg-pubkey-307e3d54-4be01a65 R_
> [zypp++] RpmDb.cc(computeKeyRingSync):946 gpg-pubkey-3dbdc284-53674dd4 R_
> [zypp] RpmDb.cc(syncTrustedKeys):970 Rpm keys to export into zypp trusted keyring: 3
> [zypp] RpmDb.cc(syncTrustedKeys):971 Zypp trusted keys to import into rpm database: 0
> [zypp] RpmDb.cc(syncTrustedKeys):977 Exporting rpm keyring into zypp trusted keyring

The initial sync finds key 0d210a40 (creation time -581257c6) in the rpm database. After import into the gpg keyring, the creation time changed to '-581257c7':

> Found keys: {
> [20F8C4F40D210A40-581257c7] [KDE:Extra OBS Project <KDE:Extra@build.opensuse.org>]
>                         ^^
> [B88B2FD43DBDC284-53674dd4] [openSUSE Project Signing Key <opensuse@opensuse.org>]
> [E3A5C360307E3D54-4be01a65] [SuSE Package Signing Key <build@suse.de>]
> }

It almost looks like the key in PK's trusted zypp keyring (from a previous sync) is 1 second newer than the one now in the rpm database. This is where the trouble starts.

> [zypp++] RpmDb.cc(updateIf):909 Old key in Z: gpg-pubkey-0d210a40-581257c6
> [zypp++] RpmDb.cc(computeKeyRingSync):946 gpg-pubkey-0d210a40-581257c7 _Z
> in Zypp but not in Rpm:                                             ^^ ^^
> [zypp++] RpmDb.cc(computeKeyRingSync):946 gpg-pubkey-307e3d54-4be01a65 RZ
> [zypp++] RpmDb.cc(computeKeyRingSync):946 gpg-pubkey-3dbdc284-53674dd4 RZ

PK's attempt to remove ....c7 from the keyring is correct. But it also leads to removal of the older ....c6 in the rpm database, which is a zypp issue (no matter if the 1 second difference is real (2 keys) or due to rpm/zypp/gpg computing the creation time differently).

Anyway, these key handling details are nothing PK should care about. I'll add some method to target->rpmDb(), which will load the rpmdb trusted keys in a manner sufficient for this use case. Then you will just have to call this method and the details go into libzypp.
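
The R_/_Z/RZ bookkeeping from the log excerpts in the comment above, as an added C++ illustration that is not libzypp or PackageKit code: it classifies the gpg-pubkey editions seen in each store and reports key ids that occur with more than one creation time. All function names are hypothetical, and the sample sets are constructed from the package names quoted in the log.

```cpp
// Added illustration, not libzypp code; all function names are hypothetical.
#include <iostream>
#include <map>
#include <set>
#include <string>

typedef std::set<std::string> KeySet;

// Key id of a "gpg-pubkey-<id>-<ctime>" pseudo package name.
std::string keyId(const std::string &name) {
    std::string::size_type end = name.rfind('-');
    std::string::size_type start = name.rfind('-', end - 1);
    return name.substr(start + 1, end - start - 1);
}

// Flag every edition as the log does: "R_" rpm only, "_Z" zypp only, "RZ" both.
std::map<std::string, std::string> classify(const KeySet &rpm, const KeySet &zypp) {
    std::map<std::string, std::string> flags;
    for (const std::string &k : rpm) flags[k] = zypp.count(k) ? "RZ" : "R_";
    for (const std::string &k : zypp) if (!rpm.count(k)) flags[k] = "_Z";
    return flags;
}

// Key ids present with more than one creation time across both stores.
// Dropping a "_Z" edition by id alone would also match the rpm edition.
KeySet ambiguousIds(const KeySet &rpm, const KeySet &zypp) {
    std::map<std::string, KeySet> editions;
    for (const std::string &k : rpm) editions[keyId(k)].insert(k);
    for (const std::string &k : zypp) editions[keyId(k)].insert(k);
    KeySet out;
    for (const auto &e : editions)
        if (e.second.size() > 1) out.insert(e.first);
    return out;
}

// Constructed sample: package names quoted in the log excerpts.
KeySet sampleRpm() {
    return {"gpg-pubkey-0d210a40-581257c6", "gpg-pubkey-307e3d54-4be01a65",
            "gpg-pubkey-3dbdc284-53674dd4"};
}
KeySet sampleZypp() {
    return {"gpg-pubkey-0d210a40-581257c7", "gpg-pubkey-307e3d54-4be01a65",
            "gpg-pubkey-3dbdc284-53674dd4"};
}

int main() {
    for (const auto &f : classify(sampleRpm(), sampleZypp()))
        std::cout << f.first << ' ' << f.second << '\n';
    for (const std::string &id : ambiguousIds(sampleRpm(), sampleZypp()))
        std::cout << "same id, different creation time: " << id << '\n';
    return 0;
}
```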