It can be quite useful to be able to distribute your own Debian packages using apt, without having to push them to the Debian project itself. Doing this properly requires several steps:

Each of these steps is covered here. For more detail than is presented here, see the following HOWTO's:

Generating OpenPGP keys

GnuPG can be used here for two purposes:

Before generating a key, become familiar with current best practices for key security. As of this writing, a good description is available at "OpenPGP Key Checks" and a good ~/.gnupg/gpg.conf for the user that will generate the key would include:

# Prioritize stronger algorithms for new keys.
default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 BZIP2 ZLIB ZIP Uncompressed
# Use a stronger digest than the default SHA1 for certifications.
cert-digest-algo SHA512

Generate the key using the following command:

$ gpg --gen-key


$ gpg --full-gen-key

In general, you should run that command on the secure computer creating repository structure files for the apt repository, as the user that will sign the packages. Then you should set up method to replicate repository contents to the remote server (rsync etc.). (Leaving secret key on a remote server is never a good idea.)

Configuring Apache

If you decide to run webserver yourself for the repository, you need to configure it.

Here we assume you got Apache (2.4, buster or newer) running already, and serving web pages - even if only the default index.html. First you need a directory for the apt repository:

$ mkdir -p /srv/repos/apt/debian

Next you should add Apache rules to make a few directories used internally by reprepro invisible to users of your repository. Add something like this to a Apache server configuration file fragment (e.g. /etc/apache2/conf.available/repos.conf) or to a VirtualHost definition:

# /etc/apache2/conf.available/repos.conf
# Apache HTTP Server 2.4

Alias /repos/apt/debian /srv/repos/apt/debian

<Directory /srv/repos/ >
        # We want the user to be able to browse the directory manually
        Options Indexes FollowSymLinks Multiviews
        Require all granted

# This syntax supports several repositories, e.g. one for Debian, one for Ubuntu.
# Replace * with debian, if you intend to support one distribution only.
<Directory "/srv/repos/apt/*/db/">
        Require all denied

<Directory "/srv/repos/apt/*/conf/">
        Require all denied

<Directory "/srv/repos/apt/*/incoming/">
        Require all denied

This allows users to browse the pool directory with the browser, should he/she want to. The configuration also blocks a few directories used by reprepro internally, without affecting normal apt usage. Finally check that the configuration is sane and reload it:

$ sudo a2enconf repos # enable repos conf
$ apache2ctl configtest # test the configuration
Syntax OK
$ sudo service apache2 reload # enable the configuration

Configuring Nginx

You can also run the webserver using nginx.We assume nginx is installed on your machine.

Open the configuration file with any text editor.

$ nano /etc/nginx/sites-available/default

And add the following configuration directives:

server {
  listen 80;

  access_log /var/log/nginx/repo-error.log;
  error_log /var/log/nginx/repo-error.log;

  location / {
    root /srv/repos/apt;
    autoindex on;

  location ~ /(.*)/conf {
    deny all;

  location ~ /(.*)/db {
    deny all;

Reload nginx

# systemctl restart nginx

With your server’s IP address, you can now add this repository to any other debian machine and install packages from your repository.

Configuring github page

If you don't feel like running webserver yourself for the repository, you may be able to use free webservers if the repository is small enough to meet their acceptable use policy.

Many free source code hosting services such as Github and Gitlab comes with web site hosting service with https://<username> like URL. They can be used to host a package repository. The repository content transfer is as easy as committing them to the <username> repository.

Although Debian Debian salsa should be able to do this too, it may not be a good idea since its resource is quite tight already.

Hosting entire repository of Debian mirror this way is strongly discouraged even for commercial free service sites.

Configuring reprepro

Reprepro eases the task of creating apt-compatible directory layout, apt-specific files and databases and removing and adding packages to the repository.

First, create a reprepro configuration directory:

$ mkdir -p /srv/repos/apt/debian/conf

Second, create the conf/distributions file. In our example, the contents of /srv/repos/apt/debian/conf/distributions would look something like this:

Origin: Your project name
Label: Your project name
Codename: <osrelease>
Architectures: source i386 amd64
Components: main
Description: Apt repository for project x
SignWith: <key-id>

Above, <osrelease> is an official Debian release name (e.g. buster or bulleseye or sid) and <key-id> is the ID of the OpenPGP key you generated. You can check the key ID (fingerprint) with gpg:

$ gpg --list-secret-key --with-subkey-fingerprint
pub   rsa4096 2010-09-23 [SC]
uid           [ultimate] Joe User (Some organization) <>
sub   rsa4096 2010-09-23 [E]

Here <keyid> (fingerprint) for the OpenPGP key is F24957412415744F1495F149571F2495F2495714 (that's technically the subkey, which is recommended to be used for this sort of signing purpose).

You can repeat the section as many times as needed for different OS releases.

Third, add an options file to make daily life with reprepro command-line a little easier. This file is in /srv/repos/apt/debian/conf/options:

basedir /srv/repos/apt/debian

For further details, refer to the instruction given here.

Using overrides

Sometimes, you want to add a package from another source (for example, Debian unstable) to your repository. Rather than have to repackage it, you can use overrides to change some of its metadata.

This configuration is not needed if you do not plan to use packages from other sources.

To enable overrides, add the following to your conf/distributions file:

DebOverride: override.<osrelease>
DscOverride: override.<osrelease>

As above, <osrelease> is an official Debian release name (e.g. squeeze or wheezy), and those lines should be added to each release section you have configured.

Then, for each release you support, create the override file, where you add additional metadata for each package. This file is saved to /var/www/repos/apt/debian/conf/override.<osrelease>:

your_package_name Priority        optional
your_package_name Section         net

Adding packages to the repository

Once all of the above is done, you can add packages to the repository. Reprepro takes care of signing and all, so this should suffice:

$ reprepro include <osrelease> <changesfile>

Again, <osrelease> is something like squeeze or wheezy.

Run the command from your repository directory, or pass the -b option with the path to the directory, or set the REPREPRO_BASE_DIR environment variable to the directory path.

You may also need to add --ignore=wrongdistribution to the above as needed.

Reprepro should prompt you for the GnuPG password, because options file contains the ask-passphrase configuration option. See man reprepro for more options, e.g. how to import a package's changes file to the repository.

Exporting the public OpenPGP key

Finally, you need to export the public part of your OpenPGP keypair from the keychain:

$ gpg --armor --output whatever.gpg.key --export-options export-minimal --export <key-id>

Copy this to a webserver so that users can download it and add it to their OpenPGP keychains similarly to this (as root):

$ wget -O -<whatever>.gpg.key | apt-key add -

Creating a sources.list.d file (DEB822-style)

You can obtain your public key by:

$ gpg --export -a --export-options export-minimal <your-hash>

You need to publish instruction to the repository users how to access this APT repository securely using this public key.

The simplest way is to use DEB822-style sources.list(5) file. The following script as installation method is one way to post your public-key:

$ sudo tee /etc/apt/sources.list.d/examplesite.sources  <<"EOF"
Types: deb
Suites: sid
Components: main

Please note key is padded with leading " " and a blank line is replaced with " ." (space and period)

Now secure APT will work flawlessly as:

$ sudo apt update
$ sudo apt install <your-package-name>

Signing Debian packages without adding to repository

/!\ dpkg-sig is almost never what you want, ignore this section.

reprepro will take care of the signing, so you normally don't have to do this separately. But if you do want to simply sign a package, without deploying it on your repository, you can use dpkg-sig.

First, install dpkg-sig:

$ sudo apt install dpkg-sig

Then sign your package(s):

dpkg-sig -k keyid --sign builder your_packages_$VERSION_$ARCHITECTURE.deb

Refer to this article for more details.


When importing packages from Debian you might find that you are missing SHA-1 and SHA-256 hashes in your apt metadata (Release/Packages/Sources files). To rectify this reprepro has a redochecksums command that you should run.