Description
Currently, while our packages do have valid GPG signatures, zypper is not automatically installing the key specified in our .repo, which specifies:
gpgkey=http://rc.cloudera.com/sles/11/x86_64/cdh/RPM-GPG-KEY-cloudera
zypper clearly knows about it, as zypper lr 5 4 shows
GPG Key URI : http://rc.cloudera.com/sles/11/x86_64/cdh/RPM-GPG-KEY-cloudera
... but it's not being imported into the rpm database.
Also, it expects the key that signs the repo to be at repodata/repomd.xml.key, and complains loudly that it's not there. That key does get imported into the rpm database if present. I haven't had much time to dig into this and I'm not too familiar with zypper, but a brief naive look at the source for libzypp shows that that path is hardcoded, and it looks an awful lot like it expects the same key that's used to sign the repo to be used to sign packages.
TL;DR: zypper isn't finding our package signing key. Putting it at repodata/repomd.xml.key might solve the problem. Someone who knows SLES should look into it.
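
An added example, not part of the original ticket or of libzypp: a small audit of a .repo file and a local copy of the repository tree for the key layout described above. The function names, the example.invalid URLs and the sample file are constructed for illustration; the detached signature name repodata/repomd.xml.asc is the usual convention and is not mentioned in the ticket.

```shell
#!/bin/sh
# repo_field FILE KEY: print the value of the first "KEY=" line in a .repo file.
repo_field() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# audit_repo_keys REPO_FILE REPO_ROOT
# Prints one finding per line. Returns 0 if the metadata, its detached
# signature and the key next to it are all present, 1 otherwise.
audit_repo_keys() {
    repo_file=$1; repo_root=$2; rc=0
    gpgkey=$(repo_field "$repo_file" gpgkey)
    baseurl=$(repo_field "$repo_file" baseurl)
    [ -n "$gpgkey" ] || { echo "MISSING gpgkey= in $repo_file"; rc=1; }
    for f in repomd.xml repomd.xml.asc repomd.xml.key; do
        if [ -s "$repo_root/repodata/$f" ]; then
            echo "OK repodata/$f"
        else
            echo "MISSING repodata/$f"; rc=1
        fi
    done
    # Location the ticket describes as hardcoded, relative to baseurl.
    expected="${baseurl%/}/repodata/repomd.xml.key"
    if [ -n "$gpgkey" ] && [ "$gpgkey" != "$expected" ]; then
        echo "NOTE gpgkey=$gpgkey differs from $expected"
    fi
    return $rc
}

# make_sample: build a constructed .repo file and repo tree that mirrors the
# situation in the ticket (gpgkey= set, no repodata/repomd.xml.key).
make_sample() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/repo/repodata"
    cat > "$d/sample.repo" <<'EOF'
[example-cdh]
name=Constructed sample repo
baseurl=http://repo.example.invalid/sles/11/x86_64/cdh/
gpgkey=http://repo.example.invalid/sles/11/x86_64/cdh/RPM-GPG-KEY-example
gpgcheck=1
EOF
    echo '<repomd/>' > "$d/repo/repodata/repomd.xml"
    echo "$d"
}
```

After this reports the layout as complete, `rpm -q gpg-pubkey` on a client shows which public keys actually reached the rpm database.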