Many thanks for helping me !
The auto-sign feature was a scenario that would make sense to get the private key for. However, I just double checked, but download an uploaded unsigned .deb file still yields an unsigned .deb file. I’ve downloaded it straight from the ui. Not via apt (firewall issues). Maybe that’s the problem ?
For the key setup I’ve copy/pasted into the signing key field:
-----BEGIN PGP PRIVATE KEY BLOCK-----
-----END PGP PRIVATE KEY BLOCK-----
And put the passphrase into the passphrase field. I don’t see any errors in the log, so I assume this is the correct setup. Or is it ?
As for the other question, this is about the public key people need to import for the packages to be installed. Isn’t the usual location at the root path, named KEY.gpg ? I might be wrong there though.