fix: debsign argument parsing, PPA_SERIES precedence, passphrase cleanup

[rtibbles]

Summary

Follow-up fixes for the debsign signing failure after merging #117:

• Makefile: Validate GPG_KEY_ID and GPG_PASSPHRASE are set before signing; space-separate -k from its value so an empty key ID doesn't consume the .changes filename as the key argument
• setup_ppa.sh: PPA_SERIES env var takes precedence when set, ensuring all CI containers (including Ubuntu ones) use the same PPA series
• build_debian.yml: Cleanup step also removes GPG passphrase temp file on failure

Full build+sign flow verified end-to-end in an ubuntu:latest container (changelog patching → install-upload-deps → install-kolibri → dist → debsign with passphrase-protected key).

References

• Fixes the signing failure from fix: dynamic series detection and debsign #117
• Part of the broader CI refactor started in Extract setup steps into Makefile, rewrite install test workflow #114

Reviewer guidance

• The debsign fix can be verified by checking that -k "value" (space-separated) won't collapse when the value is empty, unlike -k"value" which becomes just -k
• setup_ppa.sh change: PPA_SERIES now takes precedence over auto-detection, so CI containers consistently use the build runner's series
• The passphrase cleanup is a defense-in-depth measure for CI

AI usage

This PR was developed using Claude Code. Claude identified the root cause of the debsign failure (empty -k"" consuming the next positional argument), proposed and tested fixes, and ran a full end-to-end simulation of the build_debian.yml workflow in an ubuntu:latest container to verify the signing flow works with a passphrase-protected GPG key.