remember repo signing keys to make TOFU in swap

Since the swap procedure is meant to be a transient experience, swap repos are not saved like normal, static repos are. But I think it still makes sense to have some kind of TOFU as part of the swap procedure which would mostly be about saving the swap repo signing key, then using that as a marker that that particular swap repo had been seen before.

For swap repos that have been seen before, we could eliminate some clicks. For example, with a swap repo that has been seen before, there would be no need for the "do you want to get apps from 10.0.2.16 now?" prompt. The only downside to this system that I see is that we then have to provide a UI to let users remove any repos that they no longer want to trust.

@n8fr8 @pserwylo @crwinfrey any thoughts?