In the meantime, I tried to download the Release, Release.gpg and InRelease files and use gpg --verify to check the signatures.
Here is the outcome:
gpg --verify InRelease
Signature made So 19 Nov 2023 17:11:43 CET
gpg: using RSA key B3B218F0330205CEE49A552E07AFBA683C975B01
gpg: Good signature from "XXXXX"
and
gpg --verify Release.gpg Release
gpg: Signature made Mo 16 Okt 2023 23:12:53 CEST
gpg: using RSA key 871920D1991BC93C
gpg: Can't check signature: No public key
It seems that the two files are signed using a different key?!
The first one using the key B3B218F0330205CEE49A552E07AFBA683C975B01 is ok, as expected.
The second one 871920D1991BC93C does not correspond to any key that I have in the system...
In addition, before generating the repository I had completely deleted the content of .aptly.conf, to be sure that I start from scratch.
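The comparison made by eye in the post above can be done on GnuPG's machine-readable status lines. The following is an added example, not part of the original post: the function names are hypothetical, and the two sample status blocks are constructed from the key IDs quoted in the post (the epoch timestamps and algorithm fields are constructed values).

```shell
#!/bin/sh
# Real input would come from:
#   gpg --status-fd 1 --verify InRelease 2>/dev/null
#   gpg --status-fd 1 --verify Release.gpg Release 2>/dev/null

# Constructed sample status output for the two files in the post.
INRELEASE_STATUS='[GNUPG:] GOODSIG 07AFBA683C975B01 XXXXX
[GNUPG:] VALIDSIG B3B218F0330205CEE49A552E07AFBA683C975B01 2023-11-19 1700410303 0 4 0 1 10 01 B3B218F0330205CEE49A552E07AFBA683C975B01'
RELEASE_STATUS='[GNUPG:] ERRSIG 871920D1991BC93C 1 10 00 1697490773 9 -
[GNUPG:] NO_PUBKEY 871920D1991BC93C'

# signer_of: read status lines on stdin and print
# "<long key id> <signature epoch> <state>"; fail if no signature record exists.
signer_of() {
    awk '
        $1 != "[GNUPG:]" { next }
        # VALIDSIG <fingerprint> <date> <sig-timestamp> ...
        # The long key ID is the last 16 hex digits of the fingerprint.
        $2 == "VALIDSIG"  { id = substr($3, length($3) - 15); ts = $5; st = "verified" }
        # ERRSIG <keyid> <pkalgo> <hashalgo> <class> <time> <rc> ...
        $2 == "ERRSIG"    { id = $3; ts = $7; if (st == "") st = "unverified" }
        $2 == "NO_PUBKEY" { st = "no-pubkey" }
        END { if (id == "") exit 1; print id, ts, st }
    '
}

# compare_signers: takes the status text of InRelease and of Release.gpg,
# prints both signer records and a verdict on the last line.
compare_signers() {
    a=$(printf '%s\n' "$1" | signer_of) || return 2
    b=$(printf '%s\n' "$2" | signer_of) || return 2
    if [ "${a%% *}" = "${b%% *}" ]; then
        verdict=same-key
    else
        verdict=different-keys
    fi
    printf '%s\n' "InRelease:   $a" "Release.gpg: $b" "$verdict"
}

compare_signers "$INRELEASE_STATUS" "$RELEASE_STATUS"
```

The second field of each record is the signature creation time, so a Release.gpg that is older than the InRelease from the same download shows up here as well.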