Also an interesting option is using deb822 sources.list format and inline the key <a href="https://lists.debian.org/debian-devel/2021/11/msg00026.html" rel="nofollow">https://lists.debian.org/debian-devel/2021/11/msg00026.html</a><p>Still a bit ugly depending on the point of view you take but a 3rd party vendor can just tell the user to download this file and store it in /etc/apt/sources.list.d/
which should make that whole thing a bit more frictionless.
See, I specifically remember Debian maintaners arguing that they "don't need HTTPS" on the default repos because it's signed anyway. Now it has backfired on them. (Of course, the better solution is not blindly trusting every GPG key for every source. But if all of the users' sources had HTTPS, that would have mitigated the issue.)
I run a small apt repository without signing, delivered over HTTPS only.
Then I tell users to put `trusted=yes` in the source line.
There's no APT signing key, no risk of compromise, and no need to backup.