I talked to my colleagues and basically have three answers/ideas for you:

- `Release` files from upstream have never been signed in pulp2. It is not possible as you cannot change the `Release` file and then sign it with the upstream private key.
- You can sign the `Release` file using your own private key. See Signing metadata in pulp3.
- You can tell the apt clients that consume content to not verify the signature.