Quoting Christian
All SuSE packages are cryptographically signed with the SuSE build key (build@suse.de). It is automatically installed from the CDs.
But do YOU and YaST check the signature of every package before installing it? Who knows this for sure?
I haven't looked at the code, but the program is supposed to, and a quick Google search came up with the following: http://portal.suse.com/sdb/en/2002/05/swiegra_you-gpg.html which is in regard to gpg being unable to check the signature and refusing to install the package.
In addition to that, fou4s (http://fou4s.gaugusch.at/) allows you to install packages that are signed with fully trusted keys, apart from the SuSE key.
What do you mean by fully trusted keys?
By default, only SuSE's gpg keys are trusted. If you have another trusted source that also signs its rpms, then fou4s can import that key. I'm quite certain that fou4s checks every package, as I've used it to install non-SuSE packages. It will refuse to do so unless you give it the command line parameter to ignore gpg keys.
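As an added illustration of the "refuse unless signed" behaviour described in this thread (example code written for this page, not code from fou4s, YOU or SuSE): a small POSIX sh wrapper around rpm's own `--checksig` verdict. It assumes rpm(8) is installed and the vendor's public key has already been imported with `rpm --import`; the `--ignore-gpg` override flag is a hypothetical name standing in for the kind of "ignore gpg keys" parameter the reply mentions. The sample verdict lines in the comments are constructed in the two output formats rpm has used over the years.

```sh
#!/bin/sh
# Added example, not part of the original thread or of fou4s.
# Policy: a package is installed only when rpm reports that its GPG
# signature verified against an already-imported key.  Digests alone
# (md5/sha1) prove integrity in transit, not who built the package.

# rpm_sig_ok LINE
# Classify one line of `rpm --checksig PKG` output.  Returns 0 only for a
# package whose signature verified, 1 otherwise.  Constructed samples:
#   old rpm:  foo.rpm: (sha1) dsa sha1 md5 gpg OK
#             foo.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#0000000)
#   new rpm:  foo.rpm: digests signatures OK
#             foo.rpm: digests SIGNATURES NOT OK
#             foo.rpm: digests OK          <- unsigned package, digests only
rpm_sig_ok() {
    line=$1
    case $line in
        *"NOT OK"*) return 1 ;;   # at least one check failed or key missing
        *" OK")     ;;            # overall verdict OK, keep checking
        *)          return 1 ;;   # no verdict at all (empty, error text)
    esac
    # A passing verdict is only sufficient if a *signature* was checked.
    # rpm prints the token in lowercase when it verified; uppercase or
    # parenthesised tokens mean it could not be verified.
    case " $line " in
        *" gpg "*|*" pgp "*|*" signatures "*) return 0 ;;
        *) return 1 ;;
    esac
}

# install_if_signed [--ignore-gpg] PKG.rpm
# Run rpm's signature check and install only on a verified signature.
# --ignore-gpg (hypothetical flag) skips the check but says so loudly.
install_if_signed() {
    ignore=0
    if [ "$1" = "--ignore-gpg" ]; then
        ignore=1
        shift
    fi
    pkg=$1
    if [ "$ignore" -eq 0 ]; then
        verdict=$(rpm --checksig "$pkg" 2>&1) || true
        if ! rpm_sig_ok "$verdict"; then
            echo "refusing to install $pkg: $verdict" >&2
            return 1
        fi
    else
        echo "WARNING: installing $pkg without signature verification" >&2
    fi
    rpm -Uvh "$pkg"
}

# Usage:  install_if_signed some-package-1.0-1.i386.rpm
#         install_if_signed --ignore-gpg locally-built.rpm
```

Keying the decision on the lowercase `gpg`/`pgp`/`signatures` token rather than on the bare `OK` matters: an unsigned package (or one signed with a key rpm does not know) still gets a digests-only `OK`, which is exactly the case a signature check exists to catch.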