Hello, yesterday zypper complained about new package signing keys for: [http://download.opensuse.org/repositories/openSUSE:/Tumbleweed/standard/](https://download.opensuse.org/repositories/openSUSE:/Tumbleweed/standard/) However, I could not find a place to verify that the key shown to me (and which I guess should have corresponded to one of gpg-pubkey-3dbdc284-53674dd4.asc gpg-pubkey-39db7c82-5f68629b.asc gpg-pubkey-307e3d54-5aaa90a5.asc found in the repository) was legit. Are there announcements about key rotations? Is there a secondary source where the signing keys are published other than the repo itself which is asking me about accepting its own new keys? What do "307e3d54" and "5aaa90a5" in gpg-pubkey-307e3d54-5aaa90a5.asc mean, as it does not seem to be related to the key fingerprint ? The fact that half of my repos were added with HTTP by default (1-click-installs etc) and that I could not readily verify if new keys are legit defeats a lot of the purpose of having signed packages. Regards, -- Hector