
I provide my own download repository for Ubuntu DEB packages. It comes with a directory structure in the style of https://mydomain.tld/download/Ubuntu/dists/bionic/main/binary-amd64/

The directory contains the DEB archives as well as the Packages.gz, which is created by calling

dpkg-scanpackages dists/bionic/main/binary-amd64/ /dev/null | gzip -9c > dists/bionic/main/binary-amd64/Packages.gz

The packages themselves are all signed with

dpkg-sig --sign builder mypackage.deb

Signing and creation of the Packages.gz work properly. Nevertheless, the packages are not really secure and verified: the link between the signature in the DEB package and the download is missing.

So my question: what do I have to do (on the server side?) to not only have signed packages but to give users who install packages via "apt-get" or "synaptic" the verification that the packages are original and not changed by a third party?

Thanks!

Elmi

1 Answer


You may provide a shell script which registers a key. See http://rpms.litespeedtech.com/debian enable_lst_debain_repo.sh for example.

alecxs
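The missing link the question describes is the signed Release file, not the per-package dpkg-sig signature: apt does not check signatures embedded in a .deb, but it does verify dists/<suite>/InRelease (or Release + Release.gpg) against the keys the user has installed, then checks the hashes that Release lists for the Packages index, and the Packages index in turn carries the SHA256 of every .deb. The script below is an added example of the server-side procedure; it is not code from the question or the answer. It assumes the repository root is passed as the first argument, the suite "bionic", component "main", architecture "amd64", and the key id "builder" from the question; everything else (file names, the Origin/Label values) is illustrative.

```shell
#!/bin/sh
# Added example (not part of the original question or answer): the server-side
# steps that give apt a verifiable chain for the layout in the question.
# apt does not check the per-package dpkg-sig signature; what it verifies is a
# signed dists/<suite>/Release (InRelease / Release.gpg), which lists the hash
# of every index, and the Packages index in turn lists the hash of every .deb.
#
# Assumed (not in the original post): the repository root path, the suite
# "bionic", component "main", architecture "amd64" and the key id "builder".
set -eu

# Write dists/<suite>/Release with the size and SHA256 of every Packages index
# below it, using only coreutils (a stand-in for "apt-ftparchive release").
# $1 = path to dists/<suite>, $2 = suite name
gen_release() {
    dist_dir=$1
    suite=$2
    {
        printf 'Origin: mydomain.tld\nLabel: mydomain.tld\n'
        printf 'Suite: %s\nCodename: %s\n' "$suite" "$suite"
        printf 'Architectures: amd64\nComponents: main\n'
        printf 'Date: %s\n' "$(date -u '+%a, %d %b %Y %H:%M:%S UTC')"
        printf 'SHA256:\n'
        # paths are relative to dists/<suite>/, which is how apt looks them up
        for f in $(cd "$dist_dir" && find . -type f \( -name Packages -o -name Packages.gz \) | sort); do
            rel=${f#./}
            sum=$(sha256sum "$dist_dir/$rel" | cut -d' ' -f1)
            size=$(wc -c < "$dist_dir/$rel" | tr -d ' ')
            printf ' %s %16s %s\n' "$sum" "$size" "$rel"
        done
    } > "$dist_dir/Release"
}

# Sign Release in both forms apt understands: clear-signed InRelease (fetched
# first by current apt) and detached Release.gpg (fallback for older clients).
# $1 = path to dists/<suite>, $2 = gpg key id
sign_release() {
    dist_dir=$1
    key=$2
    rm -f "$dist_dir/InRelease" "$dist_dir/Release.gpg"
    gpg --local-user "$key" --clearsign --output "$dist_dir/InRelease" "$dist_dir/Release"
    gpg --local-user "$key" --armor --detach-sign --output "$dist_dir/Release.gpg" "$dist_dir/Release"
}

# Re-check the hashes Release claims against the files on disk, i.e. the step
# apt performs after the signature checks out. Returns non-zero on any mismatch.
# $1 = path to dists/<suite>
check_release() {
    dist_dir=$1
    sed -n '/^SHA256:/,$p' "$dist_dir/Release" | tail -n +2 |
    while read -r sum size rel; do
        actual=$(sha256sum "$dist_dir/$rel" | cut -d' ' -f1)
        if [ "$actual" != "$sum" ]; then
            echo "hash mismatch for $rel" >&2
            exit 1
        fi
    done
}

# Usage: sign-repo.sh /srv/www/download/Ubuntu [suite] [key]
# Rebuilds the index from the repo root (so Filename: stays relative to it,
# as in the question), then writes and signs Release.
if [ $# -ge 1 ]; then
    repo=$1
    suite=${2:-bionic}
    key=${3:-builder}
    bindir="dists/$suite/main/binary-amd64"
    cd "$repo"
    dpkg-scanpackages "$bindir" /dev/null > "$bindir/Packages"
    gzip -9c "$bindir/Packages" > "$bindir/Packages.gz"
    gen_release "dists/$suite" "$suite"
    sign_release "dists/$suite" "$key"
    # publish the public key next to the packages so clients can install it
    gpg --export "$key" > mydomain.gpg
fi
```

On the client side the user fetches the exported public key once, installs it as a keyring and pins it to this repository, for example `sudo install -m 644 mydomain.gpg /etc/apt/keyrings/mydomain.gpg` and a sources entry `deb [signed-by=/etc/apt/keyrings/mydomain.gpg] https://mydomain.tld/download/Ubuntu bionic main`; that key installation is the step the shell script mentioned in the answer automates. From then on `apt-get update` refuses the index if InRelease does not verify against that key or if Packages does not match the hash in Release, and `apt-get install` refuses a .deb whose SHA256 differs from the Packages entry, so a third party who alters a package on the server or in transit cannot get it installed without the private signing key. Re-run the script after every upload, since a stale Release no longer matches the regenerated index.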