Installing And Configuring Arch
The first thing you'll need to do is install Arch itself. The package name is tla (Tom Lord's Arch) and is available from unstable.
# apt-get install tla
Rather than usernames, Arch uses e-mail addresses to identify authors of changes. To tell it who are you, use the tla my-id command.
$ tla my-id "Joe Bloggs <jbloggs@debian.org>"
For both archive security and integrity, Arch saves checksums of the files in the repository that make up each change. It goes further than that though, and allows you to GPG sign those checksum files. The dpkg repository uses GPG signed signatures, you should too.
Unfortunately Arch doesn't get come pre-configured to do this, and we have to set up a few things. First we create a rule to GPG sign changes by default.
$ mkdir ~/.arch-params/signing $ echo "gpg --clearsign --default-key ABCD1234" > ~/.arch-params/signing/=default
You should also configure Arch to check the signatures of changes it needs to download. The package contains a tla-gpg-check script that does most of the hard work, but outputs somewhat verbose information. This rule's output is rather more terse.
$ echo "tla-gpg-check gpg_command=\"LC_MESSAGES=C gpg --verify-files -q \
--no-show-notation --batch --no-tty -\" 2>&1 | \
grep \"^gpg: Good signature from\" 1>&2" > \
~/.arch-params/signing/=default.check
Now you're in a position where you can make, sign and verify changes with Arch.