diff --git a/README.md b/README.md
index 041fad8..9b6db59 100644
--- a/README.md
+++ b/README.md
@@ -39,16 +39,72 @@ I publish the packages I built, in my own apt repository, using the process desc However, you have no reason to trust me and my apt repository. This git repo exists so that you can build the packages yourself instead. See Option 2 for that. +### 1) Add the GPG key (signed-by) + ```bash sudo mkdir -p /usr/share/keyrings curl -fsSL https://mig5.net/static/mig5.asc | sudo gpg --dearmor -o /usr/share/keyrings/mig5.gpg -echo "deb [arch=amd64 signed-by=/usr/share/keyrings/mig5.gpg] https://apt.mig5.net $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/mig5.list +``` + +My GPG fingerprint is `00AE817C24A10C2540461A9C1D7CDE0234DB458D`. You can also fetch it from https://keys.openpgp.org or search the fingerprint online to confirm it. + +### 2) Add the APT source + +**Debian 12 (bookworm):** + +```bash +echo "deb [arch=amd64 signed-by=/usr/share/keyrings/mig5.gpg] https://apt.mig5.net bookworm main" | sudo tee /etc/apt/sources.list.d/mig5.list +``` + +**Debian 13 (trixie):** + +```bash +echo "deb [arch=amd64 signed-by=/usr/share/keyrings/mig5.gpg] https://apt.mig5.net trixie main" | sudo tee /etc/apt/sources.list.d/mig5.list +``` + +**Ubuntu 22.04 (jammy):** + +```bash +echo "deb [arch=amd64 signed-by=/usr/share/keyrings/mig5.gpg] https://apt.mig5.net jammy main" | sudo tee /etc/apt/sources.list.d/mig5.list +``` + +**Ubuntu 24.04 (noble):** + +```bash +echo "deb [arch=amd64 signed-by=/usr/share/keyrings/mig5.gpg] https://apt.mig5.net noble main" | sudo tee /etc/apt/sources.list.d/mig5.list +``` + +### 3) Update & install + +```bash sudo apt update -sudo apt install php8.2-sqlcipher # or php8.0-sqlcipher, php7.4-sqlcipher, etc +# (example: PHP 8.2) +sudo apt install php8.2-sqlcipher ``` > Remember: These packages are built to **replace** `phpX.Y-sqlite3` with a SQLCipher-linked build. 
+### 4) (Recommended) Pin to prefer this repo for sqlcipher packages + +Create `/etc/apt/preferences.d/mig5.pref`: + +```ini +Package: php*-sqlcipher +Pin: release o=mig5, l=php-sqlcipher, n=bookworm # adjust to your distro +Pin-Priority: 990 +``` + +Then: + +```bash +sudo apt update +apt-cache policy php8.2-sqlcipher +``` + +You should see this repo as the selected candidate. + +--- + ## Option 2: Building your own .debs If you’d rather build locally, execute `scripts/package.sh` which in turn executes the Docker build process for each distro and PHP version. diff --git a/repo/conf/distributions b/repo/conf/distributions new file mode 100644 index 0000000..5f2132b --- /dev/null +++ b/repo/conf/distributions @@ -0,0 +1,35 @@ +Origin: mig5 +Label: php-sqlcipher +Suite: stable +Codename: trixie +Architectures: amd64 +Components: main +Description: mig5 SQLCipher for PHP packages for Debian 13 (trixie) +SignWith: !qubes-gpg-sign + +Origin: mig5 +Label: php-sqlcipher +Suite: stable +Codename: bookworm +Architectures: amd64 +Components: main +Description: mig5 SQLCipher for PHP packages for Debian 12 (bookworm) +SignWith: !qubes-gpg-sign + +Origin: mig5 +Label: php-sqlcipher +Suite: stable +Codename: noble +Architectures: amd64 +Components: main +Description: mig5 SQLCipher for PHP packages for Ubuntu 24.04 (noble) +SignWith: !qubes-gpg-sign + +Origin: mig5 +Label: php-sqlcipher +Suite: stable +Codename: jammy +Architectures: amd64 +Components: main +Description: mig5 SQLCipher for PHP packages for Ubuntu 22.04 (jammy) +SignWith: !qubes-gpg-sign diff --git a/repo/conf/qubes-gpg-sign b/repo/conf/qubes-gpg-sign new file mode 100755 index 0000000..e448c59 --- /dev/null +++ b/repo/conf/qubes-gpg-sign 
@@ -0,0 +1,39 @@
+#!/bin/sh
+set -eu
+
+release="$1" # file to sign (exists in the repo VM)
+inrel="${2:-}" # path for InRelease.new (may be empty)
+relgpg="${3:-}" # path for Release.gpg.new (may be empty)
+
+export QUBES_GPG_DOMAIN="${QUBES_GPG_DOMAIN:-vault}"
+
+WRAP="${WRAP:-/usr/bin/qubes-gpg-client-wrapper}"
+KEY="${REPO_SIGN_KEY:-00AE817C24A10C2540461A9C1D7CDE0234DB458D}"
+
+gpgcmd() {
+ if [ -n "$KEY" ]; then
+ "$WRAP" --batch --no-tty -u "$KEY" "$@"
+ else
+ "$WRAP" --batch --no-tty "$@"
+ fi
+}
+
+mkout() { # write stdout to a tmp next to dst, then mv
+ dst="$1"; dir="$(dirname "$dst")"
+ tmp="$(mktemp "$dir/.reprepro.XXXXXX")"
+ cat >"$tmp"
+ mv -f "$tmp" "$dst"
+}
+
+[ -r "$release" ] || { echo "error: $release not readable" >&2; exit 1; }
+umask 022
+
+# InRelease (clearsigned)
+if [ -n "$inrel" ]; then
+ gpgcmd --clearsign <"$release" | mkout "$inrel"
+fi
+
+# Release.gpg (detached, armored)
+if [ -n "$relgpg" ]; then
+ gpgcmd --armor --detach-sign <"$release" | mkout "$relgpg"
+fi
diff --git a/scripts/publish.sh b/scripts/publish.sh
index ad2c4b1..8abe8e3 100755
--- a/scripts/publish.sh
+++ b/scripts/publish.sh
@@ -8,6 +8,6 @@ for CODENAME in trixie bookworm noble jammy; do
 # feed all .deb for that codename into the repo
 if compgen -G "${OUT_DIR}/${CODENAME}/php*/*.deb" >/dev/null 2>&1; then
 find "${OUT_DIR}/${CODENAME}" -name '*.deb' -print0 \
- | xargs -0 -n1 reprepro -b /home/user/git/repo includedeb "$CODENAME"
+ | xargs -0 -n1 reprepro -b repo includedeb "$CODENAME"
 fi
 done
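Review bot: A failed signature goes undetected in `gpgcmd --clearsign <"$release" | mkout "$inrel"` and in the matching pipeline for `$relgpg`. POSIX `sh` has no `pipefail`, so the pipeline's status is that of `mkout`, which moves whatever it received over the destination, including an empty file. If the split-GPG request is refused or the wrapper fails, the hook would still exit 0 and leave an empty or truncated `InRelease.new` / `Release.gpg.new`. Signing straight into the temp file, checking both the exit status and that the output is non-empty, and removing the temp file on failure closes this. Separately, `mktemp` creates the file with mode 0600 and `umask 022` does not widen it, so the signature files may be unreadable to a web server running as another user; an explicit `chmod 0644` before the `mv` covers that.

```sh
sign_to() { # sign_to DST GPG-ARGS...: replace DST only when signing succeeded
  dst="$1"; shift
  tmp="$(mktemp "$(dirname "$dst")/.reprepro.XXXXXX")"
  if gpgcmd "$@" <"$release" >"$tmp" && [ -s "$tmp" ]; then
    chmod 0644 "$tmp" # mktemp creates the file 0600; umask does not widen it
    mv -f "$tmp" "$dst"
  else
    rm -f "$tmp"
    echo "error: signing $release failed" >&2
    exit 1
  fi
}

# … unchanged: readability check on "$release", umask …

if [ -n "$inrel" ]; then
  sign_to "$inrel" --clearsign
fi

if [ -n "$relgpg" ]; then
  sign_to "$relgpg" --armor --detach-sign
fi
```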
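Review bot: `reprepro -b repo` now resolves against whatever directory the script is invoked from, so a run from outside the repository root would fail or operate on an unrelated `repo/` directory. The top of the script is outside this hunk, so a `cd` there may already cover it. If not, anchor the path to the script location, e.g. `REPO_DIR="$(cd "$(dirname "$0")/.." && pwd)/repo"` and then `reprepro -b "$REPO_DIR" includedeb "$CODENAME"`.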