Comment # 2 on bug 1120838 from Ignaz Forster

The problem is that the repository keys are stored in the RPM database - which
is located on the read-only root file system.

For the time being I'd recommend to select "trust temporarily" instead of
"trust always" - this will avoid the error message (though the repository data
will be refreshed in any case as you also noted).

The repository key can be added permanently by:
* Installing a package in interactive mode (only works if autorefresh is
enabled for this repository AND transactional-update is the first command to
refresh the repository, i.e. don't call `zypper ref` manually)
* Setting ZYPPER_AUTO_IMPORT_KEYS to '1' in /etc/transactional-update.conf (not
generally recommended for security reasons)
* Calling `transactional-update shell` and adding the repository in there
(requires a reboot)

I'm sorry for this limitation: the repository handling is the last major
nuisance in my eyes, but unfortunately I wasn't able to find a good solution
for this yet. In practice I tend to just add the repository and call an
interactive transactional-update command immediately afterwards (the first
option of the list).