The objective with adding a third party repository key IIUC, would be to not need to prompt about installing from unauthenticated sources if they're installing from a third-party repo; so the fdroid key for the APKs that they or a CDN host would be verifiable.

It would be good to scan the sources with SAST and DAST and scan the APKs once they're built too.