Tumbleweed Prompts for new trusted source?

HEllo, Hopefully a quick question

Been running for a long time, today during updates, I get prompted to trust a new source - the packagekit project.
I guess the first questions are
should I trust it?
why would I get a new source?
Do I need to do anything different?

Kilbert@linux-f5tb:~> zypper lr
Repository priorities are without effect. All enabled repositories share the same priority.

#  | Alias                               | Name                        | Enabled | GPG Check | Refresh
---+-------------------------------------+-----------------------------+---------+-----------+--------
 1 | Libdvdcss                           | Libdvdcss                   | Yes     | (r ) Yes  | Yes    
 2 | Plex                                | Plex                        | Yes     | ( p) Yes  | Yes    
 3 | PlexRepo                            | PlexRepo                    | No      | ----      | ----   
 4 | http-download.opensuse.org-9d6a228c | KDE:Extra                   | Yes     | (r ) Yes  | Yes    
 5 | openSUSE-20160720-0                 | openSUSE-Tumbleweed-oss     | Yes     | (r ) Yes  | Yes    
 6 | packman                             | packman                     | Yes     | (r ) Yes  | Yes    
 7 | repo-debug                          | openSUSE-Tumbleweed-Debug   | No      | ----      | ----   
 8 | repo-non-oss                        | openSUSE-Tumbleweed-Non-Oss | Yes     | (r ) Yes  | Yes    
 9 | repo-source                         | openSUSE-Tumbleweed-Source  | No      | ----      | ----   
10 | repo-update                         | openSUSE-Tumbleweed-Update  | Yes     | (r ) Yes  | Yes  

thanks
JOhn KIlbert

Please show the output:

zypper ref

Thanks

linux-f5tb:/home/Kilbert # zypper  ref
Repository 'Libdvdcss' is up to date.                                                                                                                                        
Repository 'Plex' is up to date.                                                                                                                                             
Repository 'KDE:Extra' is up to date.                                                                                                                                        
Retrieving repository 'openSUSE-Tumbleweed-oss' metadata ..............................................................................................................[done]
Building repository 'openSUSE-Tumbleweed-oss' cache ...................................................................................................................[done]
Retrieving repository 'packman' metadata ..............................................................................................................................[done]
Building repository 'packman' cache ...................................................................................................................................[done]
Repository 'openSUSE-Tumbleweed-Non-Oss' is up to date.                                                                                                                      
Repository 'openSUSE-Tumbleweed-Update' is up to date.                                                                                                                       
All repositories have been refreshed.


no change

image

http://imgur.com/OmTUffL

thanks!

looks like it already has auth?

Kilbert@linux-f5tb:~> egrep "(SECURITY|POLKIT_DEFAULT_PRIVS)" /etc/sysconfig/security
PERMISSION_SECURITY="easy local"
# PERMISSION_SECURITY. If PERMISSION_SECURITY contains 'secure' or
POLKIT_DEFAULT_PRIVS=""
Kilbert@linux-f5tb:~> grep system-sources-refresh /etc/polkit*
grep: /etc/polkit-1: Is a directory
/etc/polkit-default-privs.restrictive:org.freedesktop.packagekit.system-sources-refresh               auth_admin_keep_always
/etc/polkit-default-privs.standard:org.freedesktop.packagekit.system-sources-refresh               auth_admin_keep_always:no:yes
Kilbert@linux-f5tb:~> sudo grep -RA1 system-sources-refresh /etc/polkit-1/
[sudo] password for root: 
/etc/polkit-1/rules.d/90-default-privs.rules:           'org.freedesktop.packagekit.system-sources-refresh':
/etc/polkit-1/rules.d/90-default-privs.rules-                    'auth_admin_keep', 'no', 'yes' ],
Kilbert@linux-f5tb:~> loginctl
   SESSION        UID USER             SEAT            
         1       1000 Kilbert          seat0           

1 sessions listed.
Kilbert@linux-f5tb:~> pkaction --action-id org.freedesktop.packagekit.system-sources-refresh --verbose
org.freedesktop.packagekit.system-sources-refresh:
  description:       Refresh system sources
  message:           Authentication is required to refresh the system sources
  vendor:            The PackageKit Project
  vendor_url:        http://www.packagekit.org/
  icon:              package-x-generic
  implicit any:      auth_admin
  implicit inactive: auth_admin
  implicit active:   yes




Looks like pacman may have been compromised.
A system wipe maybe required.

http://imgur.com/x9vH95O

http://imgur.com/x9vH95O

No certs expire all the time I doubt a compromise

wrong digest

"the expected checksum of the file…is … but the correct checksum is… the file may have been cjanged by an attacker since the repository creator signed it…"etc

nowhere does it say the certs expired, i have seen that error many times, never saw this one.

Could just be bad file on a mirror. try another mirror if still bad then report to packman