In article <[🔎] c7b40f9d0804051420x54657717v67397a33e0d4651d@mail.gmail.com> you wrote: > I trust the archive maintainers and have a secure way to get a copy of > their public key. I don't trust individual developers and cannot have > all of their keys securely distributed to me. Yes, you would have to sign the packages with your own key after verifying the release file. Gruss Bernd