Comment # 22 on bug 906589 from Michael Andres

(In reply to grant k from comment #21)
> so, WHY is that repo getting a "New repository or package signing key" ?

Authority for trusted keys on your system is the rpm databbase, 
namely the gpg-pubkey (pseudo) packages. (rpm -qai gpg-pubkey)

> New repository or package signing key received:
>  Repository:       MediaApps          
>  Key Name:         multimedia OBS Project ....
>  Key Fingerprint:  01FB54D4 EAF87B0F 5624266B 5F3D540F 3A802234          
>  Key Created:      Wed 21 May 2014 02:04:08 PM PDT                       
>  Key Expires:      Fri 29 Jul 2016 02:04:08 PM PDT                       
>  Rpm Name:         gpg-pubkey-3a802234-537d14c8                          

The fingerprints last 8 byte make the gpg-pubkey packages version.

The key is known and trusted if we have gpg-pubkey-3a802234 in the rpm
database.
If the rpm data base does not contain gpg-pubkey-3a802234, the key is NEW and
you are asked to confirm it. If you accept the key it is imported into the rpm
database. After this, gpg-pubkey-3a802234 is present and you don't have to
confirm it again, until it is removed from the rpm database (rpm -e
gpg-pubkey-3a802234).

If the server side did not change, the key was most probably not in the rpm
database (or you accidentally used the sed-patched libzypp with gpg-2.0.x).
A zypper.log could tell...