Hi Jim,
FYI, I'm applying your patch, though /etc/apt/trusted.gpg.d is
deprecated. We should instead use the "signed-by" thingy in the
sources.list, and store the keyring somewhere in /usr/share. I'd
strongly suggest that you address this issue soonish if you care about
this feature for Trixie.
Also, I would also strongly recommend getting away from aptly in the
favor of ftpsync, which is easy to implement. If you haven't seen it, I
also maintain puppet-module-debian-archvsync so it's easy to maintain
your mirror with puppet:
https://packages.debian.org/puppet-module-debian-archvsync
Cheers,
Thomas Goirand (zigo)