As mentioned above, as of Christmas, 2003, the version of APT in experimental (0.6 and later) contains the APT Secure patch, with some changes.
Signature checking seems to work for most cases. We'd like the community to give us feedback about how it works and to help test and debug it. If it doesn't work for you, please verify that you are, in fact, a person, and if so, please post a question to the Deity mailing list or to the Debian BTS. Remember to tag bug reports with experimental. For more background, you might read the discussion on the BTS or more importantly the thread on debian-devel.
Known remaining issues (as of version 0.6.4) include:
IMS (If-Modified-Since) requests/"Hit" are broken for Release and Release.gpg.
gpgv is broken for local repositories (file: sources) because the Release file is not copied into Dir::State::Lists.
There is still some unknown weirdness (in one of the parsers) causing random segfaults for some people. Any help tracking these down is welcome.
This document assumes that you have some familiarity with gpg and encryption and stuff like that. If you don't, then you might like to read up a little bit before bothering with it, or most importantly, before bothering us ;)
Also, we should warn you that there are still some policy decisions to be made. Correctness of policy is, of course, at least as important as correctness of code. Some of the stuff below might change.