Description of problem:
Subscription-manager sets gpgcheck to 1 if a GPG key is assigned to a repository, which for SLES means checking of both repository metadata and packages. With the latest versions of subscription-manager this can be overridden by setting gpgcheck to 0 in /etc/rhsm/zypper.conf, but this means no checking at all. Having a GPG key assigned to a repository in reality means that the packages are signed but not the repository metadata, so for zypper the setting would be pkg_gpgcheck = 1 instead of gpgcheck = 1. As a workaround, you can currently override it by setting repo_gpgcheck = 0, because gpgcheck = 1 is already set (subscription-manager repo-override --repo=REPONAME --add=repo_gpgcheck:0).

Version-Release number of selected component (if applicable):
subscription-manager 1.23.3-4.1.suse1315 and 1.28.0-1 tested

How reproducible:
Same behaviour with all versions, except that the override from zypper.conf is only available in the latest versions ("fix" from https://bugzilla.redhat.com/show_bug.cgi?id=1764265).

Steps to Reproduce:
1. Upload a GPG key as Content Credential
2. Create a SLES product and assign the GPG key
3. Create a Repository
4. Register a SLES system so it gets access to the repository
5. Ensure the system wants to GPG check for the repository (zypper lr)
6. Ensure the system needs to get the latest metadata (zypper clean --all)
7. Download the latest metadata (zypper ref) and it will complain about unsigned metadata

Actual results:
You need to accept unsigned metadata manually or via a CLI parameter; the only alternatives are disabling GPG checking altogether or using subscription-manager repo-override.

Expected results:
Only pkg_gpgcheck is set to 1, or additionally repo_gpgcheck is set to 0, so zypper does not expect signed metadata and does not complain about unsigned metadata.

Additional information:
https://bugzilla.redhat.com/show_bug.cgi?id=1764265 brought the workaround with zypper.conf to override gpgcheck to "solve" this problem
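The three configurations discussed in this report can be compared with a small audit script. This is an added example, not part of the original report or of subscription-manager: the repo names, URLs and the `.repo` text are constructed, and it assumes that an unset repo_gpgcheck or pkg_gpgcheck follows gpgcheck, which itself defaults to on.

```python
import configparser

# Constructed sample in zypper .repo format; names and URLs are placeholders.
SAMPLE_REPOS = """\
[sles-default]
baseurl = https://content.example.com/sles/updates
gpgkey = https://content.example.com/keys/sles.asc
gpgcheck = 1

[sles-override]
baseurl = https://content.example.com/sles/updates
gpgkey = https://content.example.com/keys/sles.asc
gpgcheck = 1
repo_gpgcheck = 0

[sles-unchecked]
baseurl = https://content.example.com/sles/updates
gpgcheck = 0
"""

def effective_checks(section):
    """Resolve what zypper verifies for one repo stanza.

    Assumption: unset repo_gpgcheck / pkg_gpgcheck inherit gpgcheck,
    and gpgcheck defaults to on when it is absent.
    """
    base = section.getboolean("gpgcheck", fallback=True)
    return {
        "metadata": section.getboolean("repo_gpgcheck", fallback=base),
        "packages": section.getboolean("pkg_gpgcheck", fallback=base),
    }

def audit(repo_text):
    """Return {repo: (metadata_checked, packages_checked, verdict)}."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(repo_text)
    report = {}
    for name in parser.sections():
        checks = effective_checks(parser[name])
        if checks["metadata"]:
            verdict = "refresh complains if metadata is unsigned"
        elif checks["packages"]:
            verdict = "unsigned metadata accepted, package signatures enforced"
        else:
            verdict = "no signature checking at all"
        report[name] = (checks["metadata"], checks["packages"], verdict)
    return report

if __name__ == "__main__":
    for repo, (meta, pkgs, verdict) in audit(SAMPLE_REPOS).items():
        print(f"{repo}: metadata={meta} packages={pkgs} -> {verdict}")
```

Run against the real repo file on a registered system, any stanza reported as "no signature checking at all" is the gpgcheck = 0 outcome the report warns about.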