Handling of repo gpg keys

Zypper just reminded me of the suboptimal handling of repo keys when asking to use a new key for X11:Utilities…

Why don't you use keys with 10 years validity for the primary key and signing subkeys with, let's say, 2 years validity? This way keys just need an update (that could be made seamless) and not installing a totally new key with no trust.

With a long-term running key and signing subkeys you rely on TOFU just once when adding a repo; the way you handle it, I have to trust a new key every 2 years. A completely new key should be issued only in a few special cases IMHO.
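The distinction the post draws (a refreshed signing subkey under an already trusted primary key versus a completely new key that needs a fresh trust decision) can be checked mechanically from `gpg --list-keys --with-colons` output. The script below is an added example, not code from the post or from zypper; the key records in it are constructed sample data with made-up fingerprints and timestamps, and the `classify` function and its result strings are this example's own names.

```python
"""Decide whether a repo's served GPG key is a refresh of an already trusted key
(same primary fingerprint, new or renewed signing subkeys) or an entirely new key
that would need a fresh TOFU decision.

Input is the machine-readable `gpg --list-keys --with-colons` format:
field 0 = record type, field 4 = key id, field 5 = created, field 6 = expires
(unix timestamp or empty), field 9 of an `fpr` record = fingerprint,
field 11 = capabilities (contains 's' for a signing key).
"""
from dataclasses import dataclass, field


@dataclass
class KeyInfo:
    fingerprint: str = ""                 # primary key fingerprint (trust anchor)
    primary_expires: int = 0              # 0 means no expiry
    signing_subkeys: list = field(default_factory=list)  # [(keyid, expires)]


def parse_colons(text: str) -> KeyInfo:
    """Parse one key block from --with-colons output into a KeyInfo."""
    info = KeyInfo()
    awaiting_fpr_for = None  # the fpr record following 'pub' carries the primary fingerprint
    for line in text.strip().splitlines():
        f = line.split(":")
        rec = f[0]
        if rec == "pub":
            info.primary_expires = int(f[6]) if f[6] else 0
            awaiting_fpr_for = "pub"
        elif rec == "sub":
            caps = f[11] if len(f) > 11 else ""
            if "s" in caps:  # only signing-capable subkeys matter for repo metadata
                info.signing_subkeys.append((f[4], int(f[6]) if f[6] else 0))
            awaiting_fpr_for = "sub"
        elif rec == "fpr" and awaiting_fpr_for == "pub":
            info.fingerprint = f[9]
            awaiting_fpr_for = None
    return info


def classify(trusted: KeyInfo, served: KeyInfo, now: int) -> str:
    """'refresh'  : same primary key, at least one unexpired signing subkey -> can be applied seamlessly
       'expired'  : same primary key but no usable signing subkey -> repo cannot be verified yet
       'new-key'  : different primary fingerprint -> a new trust decision is unavoidable"""
    if served.fingerprint != trusted.fingerprint:
        return "new-key"
    usable = [kid for kid, exp in served.signing_subkeys if exp == 0 or exp > now]
    return "refresh" if usable else "expired"


# Constructed sample records (not real openSUSE keys). Primary key: 10 years
# validity; signing subkeys: roughly 2 years each.
NOW = 1700000000
TRUSTED = parse_colons("""
pub:u:4096:1:0123456789ABCDEF:1600000000:1915360000::u:::scESC::::::23::0:
fpr:::::::::AAAA0000BBBB1111CCCC2222DDDD3333EEEE4444:
sub:u:4096:1:1111222233334444:1600000000:1663000000:::::s::::::23:
fpr:::::::::5555666677778888999900001111222233334444:
""")
# Same primary key, old subkey expired, a fresh signing subkey added.
SERVED_REFRESH = parse_colons("""
pub:u:4096:1:0123456789ABCDEF:1600000000:1915360000::u:::scESC::::::23::0:
fpr:::::::::AAAA0000BBBB1111CCCC2222DDDD3333EEEE4444:
sub:e:4096:1:1111222233334444:1600000000:1663000000:::::s::::::23:
fpr:::::::::5555666677778888999900001111222233334444:
sub:u:4096:1:5555666677778888:1663000000:1726000000:::::s::::::23:
fpr:::::::::9999000011112222333344445555666677778888:
""")
# Completely new key pair: different primary fingerprint.
SERVED_NEW = parse_colons("""
pub:u:4096:1:FEDCBA9876543210:1690000000:2005360000::u:::scESC::::::23::0:
fpr:::::::::FFFF0000EEEE1111DDDD2222CCCC3333BBBB4444:
sub:u:4096:1:8888777766665555:1690000000:1753000000:::::s::::::23:
fpr:::::::::4444333322221111000099998888777766665555:
""")

if __name__ == "__main__":
    for name, served in (("refreshed key", SERVED_REFRESH), ("new key", SERVED_NEW)):
        print(f"{name}: {classify(TRUSTED, served, NOW)}")
```

Only the `new-key` outcome forces the user back into a trust prompt; a `refresh` can be imported silently because the fingerprint the user accepted at TOFU time is unchanged, which is exactly the saving the post argues for.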