Fix scripted debian repository signing #2721

Open
marmarek opened this Issue Mar 21, 2017 · 0 comments

marmarek commented Mar 21, 2017

Background

Our infrastructure allows migrating packages from the testing to the stable repository using a signed comment in the updates-status repository. This works well for Fedora repositories, where only packages are signed but repository metadata is not, so migrating a package doesn't need access to a signing key.
For Debian repositories, it's another story: only repository metadata is signed, so both uploading a new package and migrating a package require access to a signing key.

The current configuration (linked above) gives access to the signing key only after a build log has been uploaded. The goal of such a configuration is to have some trace of what was signed, and even if a build environment gets compromised, to have (public) evidence that it happened.
This goal is achieved only partially:

  • there is no way for the key-holding VM to know that what it gets for signing really corresponds to the log just uploaded; this problem is hard on multiple levels, and in the case of Debian it's even harder, as the thing being signed (the Release file) is only indirectly connected to a package (it contains a hash of a file (Packages) that contains a hash of the actual package...).
  • uploading a log gives access to the signing key for 5 minutes, without any limit on usage count

But this is still better than giving access to the signing key without enforcing any trace.

Problem

When just moving packages between repositories, nothing is built. In fact, the output of make update-repo-current is also submitted as a "build log", but when it needs access to the signing key, the log is still not finished. This means that moving a Debian package from testing to stable by a comment in the updates-status repository does not work without manual intervention.
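The indirection the comment describes (a signature over Release commits to a Packages index by hash, and the index commits to each .deb by hash) is easy to get wrong when reasoning about what a signing key actually vouches for. The following is an added example, not code from the Qubes infrastructure or from this issue: it walks that hash chain over a constructed, in-memory repository and reports which packages the Release file transitively commits to and whether the bytes in the pool match. The OpenPGP signature check over Release (InRelease / Release.gpg) is assumed to have been done beforehand and is not reimplemented here; the sample Release, Packages and .deb contents are all constructed, not real Qubes artifacts.

```python
"""Walk the Debian repository hash chain: Release -> Packages -> .deb.

Added example, not project code. The OpenPGP signature over Release is
assumed to have been verified already; this only follows the SHA256 values
the signed file commits to. All repository contents below are constructed.
"""
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_release_sha256(release_text: str) -> dict:
    """Map index path -> (sha256 hex, size) from the SHA256 block of Release."""
    entries, in_block = {}, False
    for line in release_text.splitlines():
        if line.startswith("SHA256:"):
            in_block = True
            continue
        if in_block:
            if not line.startswith(" "):
                break  # next top-level field ends the hash block
            digest, size, path = line.split()
            entries[path] = (digest, int(size))
    return entries


def parse_packages(packages_text: str) -> list:
    """Split a Packages index into stanza dicts (blank line separates stanzas)."""
    stanzas, current = [], {}
    for line in packages_text.splitlines():
        if not line.strip():
            if current:
                stanzas.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    if current:
        stanzas.append(current)
    return stanzas


def committed_packages(release_text: str, indexes: dict) -> dict:
    """Return {deb path: expected sha256} that a signature over Release
    transitively commits to. `indexes` maps index path -> raw bytes.
    Raises ValueError if an index does not match what Release lists,
    because then nothing below it is covered by the signature."""
    result = {}
    for path, (digest, size) in parse_release_sha256(release_text).items():
        if not path.endswith("Packages"):
            continue
        data = indexes[path]
        if len(data) != size or sha256_hex(data) != digest:
            raise ValueError(f"{path} does not match the hash listed in Release")
        for stanza in parse_packages(data.decode()):
            result[stanza["Filename"]] = stanza["SHA256"]
    return result


def verify_pool(release_text: str, indexes: dict, pool: dict) -> dict:
    """{deb path: bool} for each committed package present in `pool`."""
    expected = committed_packages(release_text, indexes)
    return {fn: sha256_hex(pool[fn]) == digest
            for fn, digest in expected.items() if fn in pool}


# --- constructed sample repository (not real Qubes/Debian artifacts) --------
DEB = b"constructed .deb payload"
DEB_PATH = "pool/main/e/example-pkg/example-pkg_1.0-1_amd64.deb"
PACKAGES = (
    "Package: example-pkg\nVersion: 1.0-1\nArchitecture: amd64\n"
    f"Filename: {DEB_PATH}\nSize: {len(DEB)}\nSHA256: {sha256_hex(DEB)}\n\n"
).encode()
INDEX_PATH = "main/binary-amd64/Packages"
RELEASE = (
    "Suite: stable\nArchitectures: amd64\nComponents: main\nSHA256:\n"
    f" {sha256_hex(PACKAGES)} {len(PACKAGES)} {INDEX_PATH}\n"
)
INDEXES = {INDEX_PATH: PACKAGES}

if __name__ == "__main__":
    print(verify_pool(RELEASE, INDEXES, {DEB_PATH: DEB}))
    print(verify_pool(RELEASE, INDEXES, {DEB_PATH: DEB + b" tampered"}))
```

The second call shows the failure mode: a modified .deb is caught by the chain, but only because the Packages index it is checked against is itself pinned by the signed Release. This is exactly why a key-holding VM that signs only Release cannot tell, from the Release file alone, which package bytes it is ultimately vouching for.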
