Bug ID: 1173551
Summary: OBS-built modules (like zfs) are signed by an untrusted key
Classification: openSUSE
Product: openSUSE Distribution
Version: Leap 15.2
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Basesystem
Assignee: screening-team-bugs@suse.de
Reporter: asarai@suse.com
QA Contact: qa-bugs@suse.de
Found By: ---
Blocker: ---

Leap 15.2 blocks loading of modules which are not signed by a trusted key
(which is an entirely reasonable policy) [1]; however, this means that if you
wish to use modules which are built and signed by OBS it is now much more
complicated.

Unlike modules compiled locally, OBS manages the signing keys (and rotates them
fairly frequently) meaning that your system may end up failing to boot cleanly
after a routine system update. In addition, you'd need to do the following in
order to fix the issue:

 % osc signkey <project> --sslcert > cert.pem
 % openssl x509 -inform PEM -in cert.pem -outform DER -out cert.der
 % mokutil --import cert.der

And then reboot and enroll the key. In fairness this is technically documented
in [2] but I doubt most users would be able to get to that point (not to
mention I think OBS has changed their interface so downloading the project
signing key is a little more hidden now).

Is it possible for this process to be more automated -- ideally such that key
rotations are handled automatically by either zypper (since this is a problem
that affects all kernel modules signed by OBS) or by the individual packages?

For a concrete example of this problem, I just upgraded from Leap 15.1 to the
15.2 beta and my system was fairly broken because ZFS wouldn't load (as well as
wireguard -- though luckily that is in the Leap kernel package now). I've
imported the filesystems key into the MOK, but that key expires in November
2020 and I guarantee I'm going to forget about this hack and will need to
re-troubleshoot why my box was broken after a reboot.

[1]:
https://doc.opensuse.org/release-notes/x86_64/openSUSE/Leap/15.2/#sec.driver.sig
[2]:
https://en.opensuse.org/openSUSE:UEFI#Booting_a_kernel_from_Kernel:stable_repository
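An added example, not part of the bug report, that wraps the three commands above into a check an admin can run after each update: it fetches the project's current signing cert, reports whether it is already enrolled in the MOK, and warns when the cert is near its notAfter date (the expiry the reporter expects to forget). It assumes osc, openssl, mokutil and GNU date are installed, and that `mokutil --test-key` prints "<file> is not enrolled" for a cert absent from the MOK list; `days_until_expiry`, `key_status` and `check_project_key` are hypothetical helper names.

```shell
#!/bin/sh
# Added example, not from the bug report. Assumes osc, openssl, mokutil and
# GNU date (-d). mokutil --test-key is assumed to print "<file> is not
# enrolled" when the cert is absent from the MOK list.
set -eu

# Days from $2 (any GNU-date string, default now) to an openssl
# "notAfter=Nov 30 12:00:00 2020 GMT" line; negative once expired.
days_until_expiry() {
    local enddate="$1" ref="${2:-now}" end_s ref_s
    end_s=$(date -u -d "${enddate#notAfter=}" +%s)
    ref_s=$(date -u -d "$ref" +%s)
    echo $(( (end_s - ref_s) / 86400 ))
}

# Pure decision: enrolled (1/0), days left, warning threshold
# -> "enroll" | "rotate-soon" | "ok".
key_status() {
    local enrolled="$1" days="$2" warn_days="$3"
    if [ "$enrolled" -eq 0 ]; then echo enroll
    elif [ "$days" -le "$warn_days" ]; then echo rotate-soon
    else echo ok; fi
}

# Fetch the OBS project's current cert (the commands from the report),
# test it against the MOK list and say what, if anything, is needed.
check_project_key() {
    local project="$1" warn_days="${2:-30}" tmp enrolled days
    tmp=$(mktemp -d)
    osc signkey "$project" --sslcert > "$tmp/cert.pem"
    openssl x509 -inform PEM -in "$tmp/cert.pem" -outform DER -out "$tmp/cert.der"
    if mokutil --test-key "$tmp/cert.der" | grep -q 'not enrolled'; then
        enrolled=0
    else
        enrolled=1
    fi
    days=$(days_until_expiry "$(openssl x509 -noout -enddate -in "$tmp/cert.pem")")
    case $(key_status "$enrolled" "$days" "$warn_days") in
        enroll)      echo "$project: key not in MOK; run: mokutil --import $tmp/cert.der, then reboot and enroll" ;;
        rotate-soon) echo "$project: key enrolled but expires in $days days; expect an OBS rotation and re-enroll" ;;
        ok)          echo "$project: key enrolled, valid for $days more days" ;;
    esac
}

# Usage: sh check-obs-key.sh filesystems   (any OBS project name)
if [ $# -gt 0 ]; then check_project_key "$@"; fi
```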
