zypper and gpg key handling

Hi there,
some questions about how zypper handles gpg keys.

Does zypper give a clear message if, for whatever reason, a new repomd.xml.key is downloaded from the repo? Or does it go unnoticed? So, if a new key for an existing repo wants to be installed, does zypper ask for permission first?

And does the OBS enforce that all repomd.xml.key keys are signed with the openSUSE Build Service key before uploading, to make it impossible to install a repomd.xml.key that is not signed with the Build Service key?

I have never noticed this. But probably a change of keys is not usually done. A key might be updated (expiry date changed) but it is basically the same key.

When adding a new repo, I am prompted to approve the key (unless it uses an existing key).

> And does the OBS enforce that all repomd.xml.key keys are signed with the openSUSE Build Service key before uploading, to make it impossible to install a repomd.xml.key that is not signed with the Build Service key?

I don’t think so. In my experience, it only requires that the rpm software has the key in its database.

I have also rarely noticed when a repo key changes (only when a problem happens, which has usually been due to lack of maintenance).
I’d always assumed (possibly incorrectly) that the keys would be issued by a trusted upstream CA or similar, which should enable seamlessly trusting a replacement key.

TSU