We are using an internal debian repository for backports and internal software.
We chose reprepro to manage the repository, and we sign source packages (with debsign) so that the repository accepts our gpg keys as trusted.
We created an internal keyring similar to the debian or ubuntu keyring package, that we install before anything to be able to run "apt-get update" without getting any gpg key error.
The latest point is problematic, as we often get security related issues, although we are in a completely private network, which excludes unsafe package uploading from outside.
Question : What are the pros and cons of using signed packages in an internal repository ?
Repository signing helps the users know "yes, the repository I'm downloading packages from is one I trust". The if you tell them to ignore this check you'd have to worry about:
If either of the first two can be a problem (which is not likely in a controlled environment), then you'd still have the problem of replay attacks even with a signed repositry. (you roll out a security upgrade to patch a vulnerability, I get user to look at my repository instead of yours so user never gets the patch, I get to exploit the vulnerability).
On a controlled network, I'd not really worry about much of this. That being said, if you have the infastructure in place already to have signed repositories, running debsign doesn't sound too complicated.