Bionic-updates Release' is not signed

This is not quite right. Let me take a step back to explain. There are three “types” of release files, commonly found in upstream Debian repositories:

Release
Release.gpg
InRelease

Release is the unsigned release file. Release.gpg is a detached signature file to go with Release. InRelease contains both the release file and the signature in a single file. InRelease files are the preferred best practice format for current APT clients.

What pulp_deb (for Pulp 3) does with these files during sync: If present, all three files are downloaded and stored in the Pulp database. However, when publishing a repository within Katello (the repo you and your clients see on your Katello host), none of the downloaded upstream files are used directly. Instead, pulp_deb will write an entirely new release file. This new release file cannot use the upstream signature, because it is a different file. It also can’t be signed using the upstream key, since pulp_deb does not have access to the upstream (secret) key. That is the whole point of signatures!

What you can do: Have pulp_deb sign the repositories it publishes on your Katello with a secret key that you provide or generate. How to do this (for Pulp 3) is described in the link provided by @maximilian (Pulp_deb for pulp3 in Katello).
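To make the relationship between the three files concrete, here is an added Python example (not pulp_deb, Pulp or APT code) that splits a constructed InRelease into the Release body and the Release.gpg signature armor it bundles, then checks a constructed Packages index against the SHA256 that the Release lists. The signature block is a placeholder; cryptographic verification of it against a trusted keyring is what gpgv does on the client.

```python
import hashlib

PACKAGES = b"Package: hello\nVersion: 2.10-1\nArchitecture: amd64\n\n"  # constructed index

# Constructed InRelease in the RFC 4880 cleartext-signature layout; the
# signature block is a placeholder, not a real OpenPGP signature.
INRELEASE = (
    "-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\n"
    "Origin: Example\nSuite: bionic-updates\nCodename: bionic\nSHA256:\n"
    f" {hashlib.sha256(PACKAGES).hexdigest()} {len(PACKAGES)} main/binary-amd64/Packages\n"
    "-----BEGIN PGP SIGNATURE-----\n\nPLACEHOLDERSIGNATUREDATA==\n=ABCD\n"
    "-----END PGP SIGNATURE-----\n"
)

def split_inrelease(text):
    """Split InRelease into (Release body, Release.gpg armor): the two files it bundles."""
    lines = text.splitlines()
    assert lines[0] == "-----BEGIN PGP SIGNED MESSAGE-----", "not clearsigned"
    i = 1
    while lines[i]:  # skip armor headers such as "Hash: SHA256"
        i += 1
    body = []
    for i in range(i + 1, len(lines)):
        if lines[i] == "-----BEGIN PGP SIGNATURE-----":
            break
        # cleartext signatures dash-escape body lines that begin with "-"
        body.append(lines[i][2:] if lines[i].startswith("- ") else lines[i])
    sig = lines[i:]
    assert sig[-1] == "-----END PGP SIGNATURE-----", "unterminated signature"
    return "\n".join(body) + "\n", "\n".join(sig) + "\n"

def parse_release(release):
    """Return scalar fields and a {path: (sha256, size)} map from a Release body."""
    fields, hashes, in_sha = {}, {}, False
    for line in release.splitlines():
        if line.startswith(" ") and in_sha:
            digest, size, path = line.split()
            hashes[path] = (digest, int(size))
        elif ":" in line:
            key, _, value = line.partition(":")
            in_sha = key == "SHA256"  # indented lines that follow belong to it
            if value.strip():
                fields[key] = value.strip()
    return fields, hashes

def index_matches(hashes, path, content):
    """Check a downloaded index against the digest the signed Release lists."""
    digest, size = hashes[path]
    return size == len(content) and hashlib.sha256(content).hexdigest() == digest
```

Because a republished repository has a freshly written Release body, the Release.gpg half from upstream can never verify against it; only a signature made with the publisher's own key will.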
