I was adding some non-default repos on 15.4 just recently, and zypper ar .... comes up with a threefold question on whether to add some GPG key temporarily, or decline, or add it permanently, or something. Some longer key fingerprint is given. How are the users supposed to check? Also, I still fail to understand where one can actually find this key by a second, alternate means. I often try to fetch them from pgp.mit.edu, which is often overloaded and barely gives out SUSE build infrastructure keys. I often submit SUSE keys there whenever they are lacking them at MIT.

Anyhow, as far as I remember there are some pubkey files in the repo itself where zypper and rpm and whatnot fetch the keys from, but where else are they originally to be found? What would be the primary source for these projects and subprojects and build infrastructure etc.? Is there a PGP keyserver at openSUSE actually for all their projects and users and staff keys and so on? What is the way a normal user is to behave with that zypper user dialog, or also YaST dialogs, when adding repos, be it open/SUSE public PGP keys or others? How are you guys doing this step of establishing and verifying trust? Ty