
Debian simply hashes the source tarballs, then signs these hashes and some metadata, just like everybody else does.

For example:

http://http.debian.net/debian/pool/main/b/bitcoin/bitcoin_0....

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1
    
    Format: 3.0 (quilt)
    Source: bitcoin
    [...]
    Checksums-Sha256:
     aab2cd0c4f045970d259cf9fcee5785b43180d20ccbbedc1f90480e697696b25 5955398 bitcoin_0.11.2.orig.tar.gz
     e294975cd99a90c0750255303b51a9d3058a4e2e16087c6450908d7d64581772 33880 bitcoin_0.11.2-1.debian.tar.xz
    
    -----BEGIN PGP SIGNATURE-----
    [...]
    -----END PGP SIGNATURE-----
Here, bitcoin_0.11.2.orig.tar.gz is the original source tarball as downloaded from the Bitcoin project, and bitcoin_0.11.2-1.debian.tar.xz is the tarball that contains all Debian-specific adjustments.
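Added example (my own code, not the commenter's and not dpkg's or devscripts' implementation) showing the hash side of the scheme described above: pull the Checksums-Sha256 field out of a .dsc-shaped clearsigned text and check each tarball for exact size and SHA-256. The helper names, the `example_1.0` package and its two byte-string "tarballs" are constructed for this example; the PGP signature in the generated text is a placeholder, and checking the real signature against the Debian keyring (what gpg / dscverify does) is deliberately out of scope here.

```python
import hashlib
import re
from typing import Dict, List, NamedTuple

# Hypothetical helpers written for this example; not dpkg/devscripts APIs.


class ChecksumEntry(NamedTuple):
    sha256: str
    size: int
    filename: str


def parse_checksums_sha256(dsc_text: str) -> List[ChecksumEntry]:
    """Extract the Checksums-Sha256 field from a clearsigned .dsc.

    The value is the run of space-indented continuation lines after the
    'Checksums-Sha256:' header; the next unindented line ends the field.
    """
    entries: List[ChecksumEntry] = []
    in_field = False
    for line in dsc_text.splitlines():
        if in_field:
            if line.startswith(" ") and line.strip():
                parts = line.split()
                if len(parts) != 3:
                    raise ValueError(f"malformed checksum line: {line!r}")
                digest, size, name = parts
                if not re.fullmatch(r"[0-9a-f]{64}", digest) or not size.isdigit():
                    raise ValueError(f"bad digest or size: {line!r}")
                # Our own hardening: only bare file names, so a hostile .dsc
                # cannot point verification at an arbitrary path.
                if "/" in name or name in (".", ".."):
                    raise ValueError(f"unsafe file name in .dsc: {name!r}")
                entries.append(ChecksumEntry(digest, int(size), name))
                continue
            break
        if line == "Checksums-Sha256:":
            in_field = True
    if not entries:
        raise ValueError("no Checksums-Sha256 field found")
    return entries


def verify_files(entries: List[ChecksumEntry], files: Dict[str, bytes]) -> Dict[str, bool]:
    """Return {file name: ok}; missing file, wrong size or wrong digest all fail."""
    results: Dict[str, bool] = {}
    for e in entries:
        data = files.get(e.filename)
        results[e.filename] = (
            data is not None
            and len(data) == e.size
            and hashlib.sha256(data).hexdigest() == e.sha256
        )
    return results


def build_dsc_text(source: str, files: Dict[str, bytes]) -> str:
    """Emit a .dsc-shaped text with the checksums inside the signed body.

    Mirrors the upload side of the scheme; the signature block is a placeholder.
    """
    lines = ["-----BEGIN PGP SIGNED MESSAGE-----", "Hash: SHA256", "",
             "Format: 3.0 (quilt)", f"Source: {source}", "Checksums-Sha256:"]
    for name, data in files.items():
        lines.append(f" {hashlib.sha256(data).hexdigest()} {len(data)} {name}")
    lines += ["", "-----BEGIN PGP SIGNATURE-----",
              "[placeholder, not a real signature]", "-----END PGP SIGNATURE-----"]
    return "\n".join(lines) + "\n"


# The checksum lines quoted in the comment above (parsed only; nothing is fetched).
PAGE_EXCERPT = """\
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 3.0 (quilt)
Source: bitcoin
Checksums-Sha256:
 aab2cd0c4f045970d259cf9fcee5785b43180d20ccbbedc1f90480e697696b25 5955398 bitcoin_0.11.2.orig.tar.gz
 e294975cd99a90c0750255303b51a9d3058a4e2e16087c6450908d7d64581772 33880 bitcoin_0.11.2-1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
[...]
-----END PGP SIGNATURE-----
"""

# Constructed stand-ins for the two tarballs of a fictional package.
SAMPLE_FILES = {
    "example_1.0.orig.tar.gz": b"upstream tarball bytes",
    "example_1.0-1.debian.tar.xz": b"debian/ directory bytes",
}


def demo() -> Dict[str, Dict[str, bool]]:
    """Verify the sample files, then the same set with one byte changed."""
    entries = parse_checksums_sha256(build_dsc_text("example", SAMPLE_FILES))
    tampered = dict(SAMPLE_FILES)
    tampered["example_1.0.orig.tar.gz"] = b"upstream tarball bytez"
    return {"clean": verify_files(entries, SAMPLE_FILES),
            "tampered": verify_files(entries, tampered)}
```

Run `demo()` to see the clean set pass and the altered orig tarball fail while the untouched debian tarball still passes. The size check is cheap and worth keeping alongside the digest: it catches truncated downloads before any hashing happens, and it is the same pair of values the signed field carries.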


