Consider using encryption to implement pre-upload QA
The currently envisioned way of doing pre-upload QA involves a workflow that calls back into the user (or the user polls it) to supply a signature once QA passes. This has two disadvantages. For one thing, the user has to interact with the QA system twice, and for another, what is being signed presently originates from the remote system and thus could in theory be modified.
In principle, it would be nice to sign a .changes file in such a way that the Debian archive accepts it if the signature is augmented by debusine to state that QA passes. Ansgar suggested a different mechanism to achieve the same property. The workflow would consume two .changes files: an unsigned one (as before) and, additionally, the same .changes file with an inline signature, encrypted to a key that is private to the debusine instance. The encrypted file would be useless to everyone but debusine. Once QA passes, it could decrypt and upload it.
If choosing this route, the signing service will have to learn about encryption keys (and implement a decrypting work request). Additionally, the signature (which is made ahead of building) cannot reference a buildinfo file.
Please figure out whether this approach is a sensible alternative. If not, please close the issue.
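A check debusine could run after decrypting, shown as an added example that is not part of the original issue or of debusine's code: it confirms that the text covered by the inline signature is the same .changes file that went through QA. The function names and sample data are assumptions constructed for illustration, and verifying the signature itself is left to the OpenPGP implementation.

```python
# Added example; the .changes content and signature below are constructed.
BEGIN_MSG = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"


def canonical_lines(text):
    """Split into lines, dropping trailing whitespace and trailing blank lines."""
    lines = [line.rstrip(" \t\r") for line in text.split("\n")]
    while lines and lines[-1] == "":
        lines.pop()
    return lines


def clearsigned_body(signed):
    """Return the text lines covered by an inline (cleartext) signature."""
    lines = canonical_lines(signed)
    # Reject text before or after the armor: the signature would not cover it.
    if (not lines or lines[0] != BEGIN_MSG or lines[-1] != END_SIG
            or lines.count(END_SIG) != 1):
        raise ValueError("text outside the signed message")
    try:
        blank = lines.index("", 1)           # blank line ends the armor headers
        sig = lines.index(BEGIN_SIG, blank)
    except ValueError:
        raise ValueError("malformed cleartext signature") from None
    if any(not h.startswith("Hash: ") for h in lines[1:blank]):
        raise ValueError("unexpected armor header")
    # Undo dash-escaping ("- " is prefixed to lines that start with "-").
    return [l[2:] if l.startswith("- ") else l for l in lines[blank + 1:sig]]


def matches_tested_changes(unsigned, decrypted_signed):
    """True if the signed text is the .changes file that went through QA."""
    return clearsigned_body(decrypted_signed) == canonical_lines(unsigned)


SAMPLE_UNSIGNED = "Format: 1.8\nSource: hello\nVersion: 2.10-3\n"
SAMPLE_SIGNED = (
    f"{BEGIN_MSG}\nHash: SHA512\n\n{SAMPLE_UNSIGNED}"
    f"{BEGIN_SIG}\n\nCONSTRUCTEDPLACEHOLDER\n{END_SIG}\n"
)

if __name__ == "__main__":
    print(matches_tested_changes(SAMPLE_UNSIGNED, SAMPLE_SIGNED))
```

A mismatch or a parse error should stop the upload, since the uploader's signature would then cover something other than what was tested.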