In the case where the key distributed with the metadata is a
public signature-verification key, it is acceptable,
desirable and conventional to sign the metadata using the
corresponding private key. This is common practice for X.509
certificates. In addition, it allows the integrity of the
metadata to be confirmed using an out-of-band "digest".
It shouldn't be mandatory to use the same key, since that basically only
permits point to point trust.
As currently required, the integrity of the metadata has to
be protected with a separate key. Presumably, it too has
associated metadata that has to be distributed, protected
with another key, which (in-turn) has metadata. Allowing the
enclosed key to confirm the integrity of the metadata, breaks
PKI always has an arbitrary stopping point somewhere. It's ok to allow it to
be self-signed, but we shouldn't insist on it.