summaryrefslogtreecommitdiff
path: root/doc/pacman-key.8.asciidoc
blob: e32fe5d8d1814e88f9113e720041de66814418e3 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
pacman-key(8)
=============


Name
----
pacman-key - manage pacman's list of trusted keys


Synopsis
--------
'pacman-key' [options] operation [targets]


Description
-----------
'pacman-key' is a wrapper script for GnuPG used to manage pacman's keyring, which
is the collection of PGP keys used to check signed packages and databases. It
provides the ability to import and export keys, fetch keys from keyservers and
update the key trust database.

More complex keyring management can be achieved using GnuPG directly combined with
the '\--homedir' option pointing at the pacman keyring (located in
+{sysconfdir}/pacman.d/gnupg+ by default).

Invoking pacman-key consists of supplying an operation with any potential
options and targets to operate on. Depending on the operation, a 'target' may
be a valid key identifier, filename, or directory.


Operations
----------
*-a, \--add*::
	Add the key(s) contained in the specified file or files to pacman's
	keyring. If a key already exists, update it.

*-d, \--delete*::
	Remove the key(s) identified by the specified keyid(s) from pacman's
	keyring.

*-e, \--export*::
	Export key(s) identified by the specified keyid(s) to 'stdout'. If no keyid
	is specified, all keys will be exported.

*\--edit-key*::
	Present a menu for key management task on the specified keyid(s). Useful
	for adjusting a keys trust level.

*-f, \--finger*::
	List a fingerprint for each specified keyid, or for all known keys if no
	keyids are specified.

*-h, \--help*::
	Output syntax and command line options.

*\--import*::
	Imports keys from `pubring.gpg` into the public keyring from the specified
	directories.

*\--import-trustdb*::
	Imports ownertrust values from `trustdb.gpg` into the shared trust database
	from the specified directories.

*\--init*::
	Ensure the keyring is properly initialized and has the required access
	permissions.

*-l, \--list-keys*::
	Lists all or specified keys from the public keyring.

*\--list-sigs*::
	Same as '\--list-keys', but the signatures are listed too.

*\--lsign-key*::
	Locally sign the given key. This is primarily used to root the web of trust
	in the local private key generated by '\--init'.

*\--nocolor*::
	Disable colored output from pacman-key.

*-r, \--recv-keys*::
	Equivalent to '\--recv-keys' in GnuPG.

*\--refresh-keys*::
	Equivalent to '\--refresh-keys' in GnuPG.

*\--populate*::
	Reload the default keys from the (optionally provided) keyrings in
	+{pkgdatadir}/keyrings+. For more information, see
	<<PK,Providing a Keyring for Import>> below.

*-u, \--updatedb*::
	Equivalent to '\--check-trustdb' in GnuPG. This operation can be specified with
	other operations.

*-V, \--version*::
	Displays the program version.

*-v, \--verify*::
	Assume that the first argument is a signature and verify it. If a second
	argument is provided, it is the file to be verified.
+
With only one argument given, assume that the signature is a detached
signature, and look for a matching data file to verify by stripping the file
extension. If no matching data file is found, fall back on GnuPG semantics and
attempt to verify a file with an embedded signature.


Options
-------
*\--config* <file>::
	Use an alternate configuration file instead of the +{sysconfdir}/pacman.conf+
	default.

*\--gpgdir* <dir>::
	Set an alternate home directory for GnuPG. If unspecified, the value is
	read from +{sysconfdir}/pacman.conf+.

*\--keyserver* <keyserver>::
	Use the specified keyserver if the operation requires one. This will take
	precedence over any keyserver option specified in a `gpg.conf`
	configuration file. Running '\--init' with this option will set the default
	keyserver if one was not already configured.


Providing a Keyring for Import[[PK]]
------------------------------------
A distribution or other repository provided may want to provide a set of
PGP keys used in the signing of its packages and repository databases that can
be readily imported into the pacman keyring. This is achieved by providing a
PGP keyring file `foo.gpg` that contains the keys for the foo keyring in the
directory +{pkgdatadir}/keyrings+.

Optionally, the file `foo-trusted` can be provided containing a list of trusted
key IDs for that keyring. This is a file in a format compatible with 'gpg
\--export-ownertrust' output. This file will inform the user which keys a user
needs to verify and sign to build a local web of trust, in addition to
assigning provided owner trust values.

Also optionally, the file `foo-revoked` can be provided containing a list of
revoked key IDs for that keyring. Revoked is defined as "no longer valid for
any signing", so should be used with prudence. A key being marked as revoked
will be disabled in the keyring and no longer treated as valid, so this always
takes priority over it's trusted state in any other keyring.


See Also
--------
linkman:pacman[8], linkman:pacman.conf[5]

include::footer.asciidoc[]