Then there's the problem with changing contents for already seen
files, which seems like a dak bug. It does not allow changing a
tarball once it has been seen, so I don't see why it should allow a
changed .asc either?
That's not true.
Call it a dak bug or a feature, depending on where you stand. Dak forgets everything concerning a file as soon as it's not present in any suite it manages.
This usually appears in the way of people uploading a package with the same name and version as something that was removed long, long ago and since then archived and forgotten by dak.
It's totally possible to overwrite a tarball with the same filename too that way, you just need to wait the appropriate amount of time and upload things in a way that you replace the upstream tarball.
(Honestly, I haven't tried this myself, but I have a package where, if you'd like, I can actually go and try to prove my point.)
Back to the original bug report: I personally believe that the signatures there are fine, and I don't believe in the "upstream the re-sign an already released tarball" story. But I consider the current forgetfulness of dak as a bug.