|i’m using apt-proxy and not having problems any more. 😉
last week apt started complaining about insecure packages due to an unknown gpg signing key. i did a quick google on the error message, realized that a new debian.org repository key was issued for 2006 (but as i’m running testing, it took a while for packages signed with the new key to propagate into testing), imported the new key (as detailed in the debian-user email thread google found based on my error message), and the error message immediately went away.
realize that my problem had nothing to do with apt-proxy specifically, but as i use apt-proxy exclusively and have no other data points, i could have easily attributed it to such. try using an official repository directly and see if the problem persists (not a apt-proxy problem) or goes away (possibly an apt-proxy problem).
and apt-proxy is no different than any other debian.org mirror (except that it mirrors packages “just-in-time”), and iirc secure apt is not based on the mirror, but on the release & content files within the mirror (which are the same for all debian.org repositories as they are mirrored same as the packages). so apt-proxy has no effect on secure apt usage.
rant: what i dislike about secure apt is that the packages are only validated for as long as they are in the official repository (as the “security” comes from release and content files in the repository). so if i keep an old version of some package (because, for example, a newer version of the package introduced bugs, removed features, etc) and redistribute it, then there’s no “security” unless i create my own apt repository with a signing key, release file, contents file, etc. with rpm this isn’t an issue as the signature is self-contained within the package, so each package can be individually verified (without some metadata contained in an apt repository).