Möhrenfeld

In most (if not all) installation instructions for third-party Debian repositories you will find a line like this:

wget -O - https://packages.example.com/example.key | apt-key add -

This adds the package maintainer's key to apt's globally trusted keyring, so it can sign ALL Debian packages on your system, not only the packages from their repository. I'm not sure why this is still so common when a more secure alternative exists.

Instead of adding the key to the global apt keyring, you can just put the (dearmored) version in the shared keyring directory:

wget -O - https://packages.example.com/example.key | gpg --dearmor > /usr/share/keyrings/example.gpg

After that, just reference the key with the signed-by option for your repository in /etc/apt/sources.list.d/example.list:

deb [arch=amd64 signed-by=/usr/share/keyrings/example.gpg] https://packages.example.com/latest/ buster main
deb-src [signed-by=/usr/share/keyrings/example.gpg] https://packages.example.com/latest/ buster main

Now the key is only trusted for these repositories and cannot vouch for packages from any other source. According to the Debian Wiki this works since stretch.
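As an added example (not from the original post), the following POSIX shell script writes a signed-by pinned entry like the one above and audits a sources.list.d directory for repository lines that still rely on the global keyring; the sample directory, file names and URLs it builds are constructed.

```shell
# Added example: emit a signed-by pinned entry and audit *.list files for
# deb/deb-src lines without signed-by=, i.e. trusted via the global keyring.

# Print a deb and a deb-src line pinned to KEYRING for URL SUITE COMPONENTS.
pinned_entry() {
    keyring=$1; url=$2; suite=$3; components=$4
    echo "deb [arch=amd64 signed-by=$keyring] $url $suite $components"
    echo "deb-src [signed-by=$keyring] $url $suite $components"
}

# Print "FILE: LINE" for every active deb/deb-src line under DIR that has
# no signed-by= option. Comments and blank lines are skipped.
list_unpinned() {
    for f in "$1"/*.list; do
        [ -f "$f" ] || continue
        while IFS= read -r line; do
            case "$line" in
                deb\ *|deb-src\ *) ;;   # active repository line
                *) continue ;;          # comment or blank line
            esac
            case "$line" in
                *signed-by=*) ;;        # key limited to this repository
                *) echo "$f: $line" ;;
            esac
        done < "$f"
    done
    return 0
}

# Number of unpinned lines under DIR (0 means every repository is pinned).
count_unpinned() {
    list_unpinned "$1" | wc -l | tr -d ' '
}

# Constructed sample directory standing in for /etc/apt/sources.list.d.
make_sample() {
    d=$(mktemp -d)
    pinned_entry /usr/share/keyrings/example.gpg \
        https://packages.example.com/latest/ buster main > "$d/example.list"
    printf '# legacy: key was added with apt-key add\n' > "$d/legacy.list"
    printf 'deb https://packages.example.org/debian buster main\n' >> "$d/legacy.list"
    echo "$d"
}

# Stand-alone demo: report unpinned lines and exit non-zero if any exist.
if [ "${1:-}" = "--demo" ]; then
    d=$(make_sample); list_unpinned "$d"; n=$(count_unpinned "$d"); rm -rf "$d"
    [ "$n" -eq 0 ]
fi
```

On a real system, `list_unpinned /etc/apt/sources.list.d` shows which third-party entries still depend on keys installed with apt-key.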