4 changed files with 133 additions and 3 deletions
--- a/README.md
+++ b/README.md
@ -39,16 +39,72 @@ I publish the packages I built, in my own apt repository, using the process desc

 However, you have no reason to trust me and my apt repository. This git repo exists so that you can build the packages yourself instead. See Option 2 for that.

+### 1) Add the GPG key (signed-by)
+
 ```bash
 sudo mkdir -p /usr/share/keyrings
 curl -fsSL https://mig5.net/static/mig5.asc | sudo gpg --dearmor -o /usr/share/keyrings/mig5.gpg
-echo "deb [arch=amd64 signed-by=/usr/share/keyrings/mig5.gpg] https://apt.mig5.net $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/mig5.list
+```
+
+My GPG fingerprint is `00AE817C24A10C2540461A9C1D7CDE0234DB458D`. You can also fetch it from https://keys.openpgp.org or search the fingerprint online to confirm it.
+
+### 2) Add the APT source
+
+**Debian 12 (bookworm):**
+
+```bash
+echo "deb [arch=amd64 signed-by=/usr/share/keyrings/mig5.gpg] https://apt.mig5.net bookworm main" | sudo tee /etc/apt/sources.list.d/mig5.list
+```
+
+**Debian 13 (trixie):**
+
+```bash
+echo "deb [arch=amd64 signed-by=/usr/share/keyrings/mig5.gpg] https://apt.mig5.net trixie main" | sudo tee /etc/apt/sources.list.d/mig5.list
+```
+
+**Ubuntu 22.04 (jammy):**
+
+```bash
+echo "deb [arch=amd64 signed-by=/usr/share/keyrings/mig5.gpg] https://apt.mig5.net jammy main" | sudo tee /etc/apt/sources.list.d/mig5.list
+```
+
+**Ubuntu 24.04 (noble):**
+
+```bash
+echo "deb [arch=amd64 signed-by=/usr/share/keyrings/mig5.gpg] https://apt.mig5.net noble main" | sudo tee /etc/apt/sources.list.d/mig5.list
+```
+
+### 3) Update & install
+
+```bash
 sudo apt update
-sudo apt install php8.2-sqlcipher # or php8.0-sqlcipher, php7.4-sqlcipher, etc
+# (example: PHP 8.2)
+sudo apt install php8.2-sqlcipher
 ```

 > Remember: These packages are built to **replace** `phpX.Y-sqlite3` with a SQLCipher-linked build.

+### 4) (Recommended) Pin to prefer this repo for sqlcipher packages
+
+Create `/etc/apt/preferences.d/mig5.pref`:
+
+```ini
+Package: php*-sqlcipher
+Pin: release o=mig5, l=php-sqlcipher, n=bookworm # adjust to your distro
+Pin-Priority: 990
+```
+
+Then:
+
+```bash
+sudo apt update
+apt-cache policy php8.2-sqlcipher
+```
+
+You should see this repo as the selected candidate.
+
+---
+
 ## Option 2: Building your own .debs

 If you’d rather build locally, execute `scripts/package.sh` which in turn executes the Docker build process for each distro and PHP version.
--- a/repo/conf/distributions
+++ b/repo/conf/distributions
@ -0,0 +1,35 @@
+Origin: mig5
+Label: php-sqlcipher
+Suite: stable
+Codename: trixie
+Architectures: amd64
+Components: main
+Description: mig5 SQLCipher for PHP packages for Debian 13 (trixie)
+SignWith: !qubes-gpg-sign
+
+Origin: mig5
+Label: php-sqlcipher
+Suite: stable
+Codename: bookworm
+Architectures: amd64
+Components: main
+Description: mig5 SQLCipher for PHP packages for Debian 12 (bookworm)
+SignWith: !qubes-gpg-sign
+
+Origin: mig5
+Label: php-sqlcipher
+Suite: stable
+Codename: noble
+Architectures: amd64
+Components: main
+Description: mig5 SQLCipher for PHP packages for Ubuntu 24.04 (noble)
+SignWith: !qubes-gpg-sign
+
+Origin: mig5
+Label: php-sqlcipher
+Suite: stable
+Codename: jammy
+Architectures: amd64
+Components: main
+Description: mig5 SQLCipher for PHP packages for Ubuntu 22.04 (jammy)
+SignWith: !qubes-gpg-sign
--- a/repo/conf/qubes-gpg-sign
+++ b/repo/conf/qubes-gpg-sign
@ -0,0 +1,39 @@
+#!/bin/sh
+set -eu
+
+release="$1"                    # file to sign (exists in the repo VM)
+inrel="${2:-}"                  # path for InRelease.new (may be empty)
+relgpg="${3:-}"                 # path for Release.gpg.new (may be empty)
+
+export QUBES_GPG_DOMAIN="${QUBES_GPG_DOMAIN:-vault}"
+
+WRAP="${WRAP:-/usr/bin/qubes-gpg-client-wrapper}"
+KEY="${REPO_SIGN_KEY:-00AE817C24A10C2540461A9C1D7CDE0234DB458D}"
+
+gpgcmd() {
+  if [ -n "$KEY" ]; then
+    "$WRAP" --batch --no-tty -u "$KEY" "$@"
+  else
+    "$WRAP" --batch --no-tty "$@"
+  fi
+}
+
+mkout() {                       # write stdout to a tmp next to dst, then mv
+  dst="$1"; dir="$(dirname "$dst")"
+  tmp="$(mktemp "$dir/.reprepro.XXXXXX")"
+  cat >"$tmp"
+  mv -f "$tmp" "$dst"
+}
+
+[ -r "$release" ] || { echo "error: $release not readable" >&2; exit 1; }
+umask 022
+
+# InRelease (clearsigned)
+if [ -n "$inrel" ]; then
+  gpgcmd --clearsign <"$release" | mkout "$inrel"
+fi
+
+# Release.gpg (detached, armored)
+if [ -n "$relgpg" ]; then
+  gpgcmd --armor --detach-sign <"$release" | mkout "$relgpg"
+fi
--- a/scripts/publish.sh
+++ b/scripts/publish.sh
@ -8,6 +8,6 @@ for CODENAME in trixie bookworm noble jammy; do
  # feed all .deb for that codename into the repo
  if compgen -G "${OUT_DIR}/${CODENAME}/php*/*.deb" >/dev/null 2>&1; then
    find "${OUT_DIR}/${CODENAME}" -name '*.deb' -print0 \
-      | xargs -0 -n1 reprepro -b /home/user/git/repo includedeb "$CODENAME"
+      | xargs -0 -n1 reprepro -b repo includedeb "$CODENAME"
  fi
 done