Perhaps I'm missing something... do you have to sign the deb itself or anything in order to upload it? (All the information I've found says you only ever sign the .changes file, which obviously in this case doesn't apply), but surely there's some form of authentication or passphrase checking/etc that I'm missing...