Hello,
Yesterday zypper complained about new package signing keys for:
However, I could not find a place to verify that the key shown to me (and which I guess should have corresponded to one of
gpg-pubkey-3dbdc284-53674dd4.asc
gpg-pubkey-39db7c82-5f68629b.asc
gpg-pubkey-307e3d54-5aaa90a5.asc
found in the repository) was legit. Are there announcements about key rotations?
Is there a secondary source where the signing keys are published other than the repo itself which is asking me about accepting its own new keys?
What do "307e3d54" and "5aaa90a5" in gpg-pubkey-307e3d54-5aaa90a5.asc mean, as it does not seem to be related to the key fingerprint?
The fact that half of my repos were added with HTTP by default (1-click-installs etc) and that I could not readily verify if new keys are legit defeats a lot of the purpose of having signed packages.
Regards,
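Added example (editor's note, not part of the post above, and not openSUSE or rpm project code): rpm records every imported signing key as a pseudo-package named gpg-pubkey-VERSION-RELEASE, where VERSION is the lowest 32 bits of the OpenPGP key ID (i.e. the last 8 hex digits of the key fingerprint, lowercased) and RELEASE is the key's creation time as a hex Unix timestamp. So "307e3d54" is a short key ID and "5aaa90a5" is a date, which is why neither looks like a full fingerprint. The script below decodes such names, parses an ASCII-armored key file, computes the v4 fingerprint per RFC 4880 and derives the gpg-pubkey name rpm would assign, so the name zypper shows can be checked against a key obtained out of band. The armored key it parses is a constructed dummy with made-up RSA parameters; it is not any of the keys named in the post.

```python
"""Decode rpm gpg-pubkey-<keyid>-<ctime> names and check them against an OpenPGP key."""
import base64
import hashlib
import re
import struct
from datetime import datetime, timezone

# rpm names imported keys gpg-pubkey-<VERSION>-<RELEASE>:
#   VERSION = last 8 hex digits of the fingerprint (low 32 bits of the key ID)
#   RELEASE = key creation time, seconds since the Unix epoch, in hex
NAME_RE = re.compile(r"^gpg-pubkey-([0-9a-f]{8})-([0-9a-f]{8})(?:\.asc)?$")


def parse_pubkey_name(name):
    """Split an rpm gpg-pubkey name into key-ID suffix and creation time."""
    m = NAME_RE.match(name)
    if not m:
        raise ValueError("not an rpm gpg-pubkey name: %r" % name)
    keyid_suffix, ctime_hex = m.groups()
    ctime = int(ctime_hex, 16)
    return {"keyid_suffix": keyid_suffix, "created_unix": ctime,
            "created": datetime.fromtimestamp(ctime, tz=timezone.utc)}


def dearmor(armored_text):
    """Strip ASCII armor (RFC 4880 section 6.2) and return the binary packet stream."""
    body, in_body = [], False
    for line in armored_text.strip().splitlines():
        if line.startswith("-----BEGIN "):
            in_body = True
            continue
        if line.startswith("-----END "):
            break
        if not in_body or (not body and (":" in line or line.strip() == "")):
            continue  # armor headers ("Version: ...") and the blank separator line
        if line.startswith("="):
            continue  # CRC-24 line, not key data
        body.append(line.strip())
    return base64.b64decode("".join(body))


def first_public_key_packet(data):
    """Walk the packet stream and return the body of the first Public-Key packet (tag 6)."""
    i = 0
    while i < len(data):
        ctb = data[i]
        if not ctb & 0x80:
            raise ValueError("bad packet tag byte")
        if ctb & 0x40:  # new-format header
            tag, first = ctb & 0x3F, data[i + 1]
            if first < 192:
                length, hdr = first, 2
            elif first < 224:
                length, hdr = ((first - 192) << 8) + data[i + 2] + 192, 3
            elif first == 255:
                length, hdr = struct.unpack(">I", data[i + 2:i + 6])[0], 6
            else:
                raise ValueError("partial body lengths not handled here")
        else:  # old-format header
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 0:
                length, hdr = data[i + 1], 2
            elif ltype == 1:
                length, hdr = struct.unpack(">H", data[i + 1:i + 3])[0], 3
            elif ltype == 2:
                length, hdr = struct.unpack(">I", data[i + 1:i + 5])[0], 5
            else:
                raise ValueError("indeterminate length not handled here")
        if tag == 6:
            return data[i + hdr:i + hdr + length]
        i += hdr + length
    raise ValueError("no public-key packet found")


def v4_fingerprint(body):
    """RFC 4880 section 12.2: SHA-1 over 0x99, the two-byte body length, and the body."""
    if body[0] != 4:
        raise ValueError("only v4 keys are handled")
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()


def key_creation_time(body):
    """Creation time field of a v4 public-key packet (big-endian seconds)."""
    return struct.unpack(">I", body[1:5])[0]


def rpm_name_for_key(body):
    """The gpg-pubkey name rpm assigns this key after `rpm --import`."""
    return "gpg-pubkey-%s-%08x" % (v4_fingerprint(body)[-8:].lower(), key_creation_time(body))


def name_matches_key(name, body):
    """True if the name zypper/rpm shows corresponds to this key's fingerprint and creation time."""
    return parse_pubkey_name(name) == parse_pubkey_name(rpm_name_for_key(body))


def demo_armored_key(created=0x5AAA90A5):
    """Constructed demo: syntactically valid v4 RSA public-key packet with dummy MPIs, armored."""
    def mpi(v):
        bits = v.bit_length()
        return struct.pack(">H", bits) + v.to_bytes((bits + 7) // 8, "big")
    n = (1 << 1023) | 0x10001  # 1024-bit placeholder modulus, NOT a real key
    body = bytes([4]) + struct.pack(">I", created) + bytes([1]) + mpi(n) + mpi(65537)
    packet = bytes([0x99]) + struct.pack(">H", len(body)) + body  # old-format tag 6, 2-byte length
    b64 = base64.b64encode(packet).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN PGP PUBLIC KEY BLOCK-----\n\n" + "\n".join(lines) + "\n-----END PGP PUBLIC KEY BLOCK-----\n"


def demo_body():
    return first_public_key_packet(dearmor(demo_armored_key()))


if __name__ == "__main__":
    for n in ("gpg-pubkey-3dbdc284-53674dd4.asc", "gpg-pubkey-39db7c82-5f68629b.asc",
              "gpg-pubkey-307e3d54-5aaa90a5.asc"):
        p = parse_pubkey_name(n)
        print(n, "-> key ID ends in", p["keyid_suffix"], ", created", p["created"].isoformat())
    body = demo_body()
    print("demo key fingerprint:", v4_fingerprint(body))
    print("rpm would store it as:", rpm_name_for_key(body))
    print("demo key is 307e3d54-5aaa90a5?", name_matches_key("gpg-pubkey-307e3d54-5aaa90a5.asc", body))
```

To check a real key, feed the repository's .asc file to `dearmor` and compare `rpm_name_for_key` with the name zypper presented; the full fingerprint from `v4_fingerprint` (the same value `gpg --show-keys file.asc` prints) is what should be compared against a fingerprint published outside the repository, since the 8-digit suffix in the package name is far too short to identify a key on its own.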