Found a strange gpg-pubkey

Thanks @dcurtisfra for clarifying. Yes, I do read those SDBs before I do a distro upgrade (because I don’t want to break my existing install by missing a step).

Yes, I can understand your uncertainties but, due to licensing issues, we currently need to use the Packman and VLC repositories to deal with Multimedia issues such as MP4 and/or H.264 support.

  • Please be aware that, the H.264 issue is currently being worked for Leap 15.5 by means of a licensing agreement with Cisco.

I even do a zypper patch for weekly updates (in fact I do YaST > Software > Online Update).

This is the new SUSE signing key which was issued because old key expires soon. You will not find it in the Leap repositories because these repositories have been created before this key was issued and repositories are not changed retroactively. As mentioned in this topic, this key is installed with some update (patch) to make sure new packages signed with this key can be verified.

See also Signing Keys - Support | SUSE

Other key is the previous signing key. This is the one present in repositories.

Theoretically you should be able to find this key on PGP keyservers together with signatures (and so establish chain of trust), but I have drastically different results depending on from where I connect.

“, but I have drastically different results depending on from where I connect.”

Ohoh… :open_mouth:

Is that a bad thing?

Not really –

  1. AFAICS, the upgrade to Leap 15.5 will install the new key – at least that’s what my Zypp log seems to indicate.
  2. You can simply delete the key by means of YaST → Repositories → Key Management.
    And then, from a “root” CLI execute “zypper refresh --force” – you’ll notice that, the key has been re-installed – this time with the newest version …

Is there one Tumbleweed/Leap? Or one per country? :face_with_spiral_eyes: