sourcehut job service: sign APKINDEX with persistent key

Right now, the sourcehut service is generating a new package signing key with every package it builds. This means, that packages depending on each other can't build, and that users would not be able to install the packages because of the unknown key.

TODO (obsoleted, see new list below):

• add a secret for the signing key (similar to f96a91e6)
• install that signing key in during the bpo_setup task (probably run pmbootstrap build_init and then copy the key to $(pmbootstrap config work)/config_abuild)