Setting up GPG v2 key on cli
Posted by gregster on 13 Mar 2018 in Servers, Documentation
SHA1 keys are no longer recommended so I went through the process of generating a new set of keys for use on the apt server. Here's how I did it (followed this).
- apt install the gpgv2 package. Xenial installs v1 by default. Not sure if v2 is required, strictly speaking.
- Generating keys requires a quantity of entropy, which can be hard to come by on a CLI system. I apt installed the packages rng-tools and haveged, then ran 'sudo rngd -r /dev/urandom -W 4096', which generates enough entropy for a build. You can check the available entropy by running 'cat /proc/sys/kernel/random/entropy_avail'.
- Create the key with 'sudo gpg2 --full-gen-key'. Answer the questions. No need to add a comment. Do set an unlock password, though.
- The result is a barf of info including a line like 'gpg: key 3GD4831G marked as ultimately trusted'. You'll reference 3GD4831G in reprepro on the SignWith line.
- Export an armoured public key with 'sudo gpg2 --armor --output my_public_key.asc --export 3GD4831G'. Note that the command is gpg2 and that the key has an 'asc' suffix. I have reason to believe that armoured keys that do not use either a gpg or asc suffix will eventually be ignored on import.
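The steps above, scripted, as an added example that is not part of the original post: GnuPG batch mode with a parameter file replaces the interactive prompts of --full-gen-key, the key ID is pulled out of gpg2's "marked as ultimately trusted" line for the reprepro SignWith setting, and the exported file is checked for the .asc/.gpg suffix and the ASCII armor header and trailer before it goes anywhere near the apt server. It assumes GnuPG 2.x is installed as gpg2 and a writable GNUPGHOME; the name, e-mail address, output path and the sample key ID 3GD4831G (the post's own example) are placeholders.

```shell
#!/bin/sh
# Added example, not code from the original post: the post's key-generation
# and export steps driven from a script, with checks on the results.
# Assumptions: GnuPG 2.x is on PATH as 'gpg2', GNUPGHOME is writable, and the
# name, e-mail, output path and sample key ID below are placeholders.
set -eu

# Constructed sample of the line gpg2 prints after key generation
# (the key ID is the one used in the post).
SAMPLE_GPG_OUTPUT='gpg: key 3GD4831G marked as ultimately trusted'

# Pull the key ID out of gpg2's output so it can go straight into the
# reprepro SignWith line without retyping it.
key_id_from_output() {
    printf '%s\n' "$1" \
        | sed -n 's/.*gpg: key \([^ ]*\) marked as ultimately trusted.*/\1/p' \
        | head -n 1
}

# Current kernel entropy estimate, or 0 where /proc is unavailable.
entropy_avail() {
    cat /proc/sys/kernel/random/entropy_avail 2>/dev/null || echo 0
}

# Verify an exported key: accepted suffix (.asc or .gpg) and ASCII armor
# header/trailer present, so a truncated, empty or binary file is caught
# before it is copied to the apt server.
check_armored_export() {
    f="$1"
    case "$f" in
        *.asc|*.gpg) ;;
        *) echo "check: unexpected suffix on $f" >&2; return 1 ;;
    esac
    [ -s "$f" ] || { echo "check: $f is empty or missing" >&2; return 1; }
    head -n 1 "$f" | grep -q '^-----BEGIN PGP PUBLIC KEY BLOCK-----$' \
        || { echo "check: $f lacks an armor header" >&2; return 1; }
    grep -q '^-----END PGP PUBLIC KEY BLOCK-----$' "$f" \
        || { echo "check: $f lacks an armor trailer" >&2; return 1; }
}

# Generate a key without the interactive prompts (GnuPG batch mode with a
# parameter file), then export the armored public key. Prints the key ID.
# %ask-passphrase makes gpg2 prompt for the unlock password through pinentry
# rather than storing it in the parameter file.
generate_and_export() {
    name="$1"; email="$2"; out="$3"
    params=$(mktemp)
    cat > "$params" <<EOF
Key-Type: RSA
Key-Length: 4096
Name-Real: $name
Name-Email: $email
Expire-Date: 2y
%ask-passphrase
%commit
EOF
    echo "entropy available before generation: $(entropy_avail)" >&2
    gen_out=$(gpg2 --batch --gen-key "$params" 2>&1) || { rm -f "$params"; return 1; }
    rm -f "$params"
    kid=$(key_id_from_output "$gen_out")
    [ -n "$kid" ] || { echo "could not find a key ID in gpg2 output" >&2; return 1; }
    gpg2 --armor --output "$out" --export "$kid"
    check_armored_export "$out"
    printf '%s\n' "$kid"
}

# Only touch the keyring when asked for explicitly, so the file can also be
# sourced just for its check functions.
if [ "${RUN_KEYGEN:-0}" = 1 ]; then
    generate_and_export 'Example Apt Signing' 'apt@example.invalid' my_public_key.asc
fi
```

Run it with RUN_KEYGEN=1 sh keygen.sh. Two differences from the post are deliberate: the script works in the invoking user's GNUPGHOME rather than root's keyring (the post runs gpg2 under sudo, so its key lands in root's), and the unlock password is requested through pinentry instead of being written to disk. On the entropy step, note that rngd -r /dev/urandom raises the entropy_avail counter by feeding the kernel's own output back into the pool, so it does not add real entropy; haveged or a hardware RNG is the better source on a headless box.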