For the Subiquity TUI, I would argue that this is working as intended. This could also be the case of a hostile mirror. See also the hoops that the browsers make users jump through before accepting a self-signed certificate.
For autoinstall we need to be able to support what you've done in sources -> localrepokey, so that part is fine.
I think we should mark this Wishlist as I think it's worth thinking about, but we need to make it clear that there is a degree of danger involved and the user shouldn't accept the key lightly.
For the Subiquity TUI, I would argue that this is working as intended. This could also be the case of a hostile mirror. See also the hoops that the browsers make users jump through before accepting a self-signed certificate.
For autoinstall we need to be able to support what you've done in sources -> localrepokey, so that part is fine.
I think we should mark this Wishlist as I think it's worth thinking about, but we need to make it clear that there is a degree of danger involved and the user shouldn't accept the key lightly.