What do you think of disabling installation of unsigned images entirely by default?
The motivation is that there are two types of people, those who always verify signatures, and those who don’t yet know they should. Disabling it could enhance security and promote the use of public key cryptography.
It would be a good idea to also provide an easy way of adding new trusted keys through the usual config mechanism, as building custom images is a valid use case. Something like “set system crypto trusted-keys key /config/auth/mycompany.gpg”.