mirror of
https://github.com/moparisthebest/pacman
synced 2025-01-09 21:08:11 -05:00
e1b9f7b300
The HoldKey option was undocumented and was not suited for pacman.conf. Instead use the file "/etc/pacman.d/gnupg/heldkeys" to contain a list of keys not to be removed from the pacman keyring with the --populate option. Signed-off-by: Allan McRae <allan@archlinux.org>
120 lines
3.7 KiB
Plaintext
/////
vim:set ts=4 sw=4 syntax=asciidoc noet spell spelllang=en_us:
/////

pacman-key(8)
=============


Name
----
pacman-key - manage pacman's list of trusted keys


Synopsis
--------
'pacman-key' [options]


Description
-----------
'pacman-key' is a wrapper script for GnuPG used to manage pacman's keyring, which
is the collection of PGP keys used to check signed packages and databases. It
provides the ability to import and export keys, fetch keys from keyservers and
update the key trust database.

More complex keyring management can be achieved using GnuPG directly combined with
the `--homedir` option pointing at the pacman keyring (located in
+{sysconfdir}/pacman.d/gnupg+ by default).


Options
-------
*-a, \--add* [file(s)]::
	Add the key(s) contained in the specified file or files to pacman's
	keyring. If a key already exists, update it.

*\--config* <file>::
	Use an alternate config file instead of the +{sysconfdir}/pacman.conf+
	default.

*-d, \--delete* <keyid(s)>::
	Remove the key(s) identified by the specified keyid(s) from pacman's
	keyring.

*-e, \--export* [keyid(s)]::
	Export key(s) identified by the specified keyid(s) to 'stdout'. If no keyid
	is specified, all keys will be exported.

*\--edit-key* <keyid(s)>::
	Present a menu for key management tasks on the specified keyids. Useful for
	adjusting a key's trust level.

*-f, \--finger* [keyid(s)]::
	List a fingerprint for each specified keyid, or for all known keys if no
	keyids are specified.

*\--gpgdir* <dir>::
	Set an alternate home directory for GnuPG. If unspecified, the value is
	read from +{sysconfdir}/pacman.conf+.

*-h, \--help*::
	Output syntax and command line options.

*\--import* <dir(s)>::
	Add keys from pubring.gpg into pacman's keyring and import ownertrust
	values from trustdb.gpg in the specified directories.

*\--import-dirs* <dir(s)>::
	Import ownertrust values from trustdb.gpg in the specified directories.

*\--init*::
	Ensure the keyring is properly initialized and has the required access
	permissions.

*-l, \--list-keys* [keyid(s)]::
	List all or the specified keys from the public keyring.

*\--list-sigs* [keyid(s)]::
	Same as \--list-keys, but the signatures are listed too.

*-r, \--receive* <keyserver> <keyid(s)>::
	Fetch the specified keyids from the specified key server URL.

*\--populate* [<keyring(s)>]::
	Reload the default keys from the (optionally provided) keyrings in
	+{pkgdatadir}/keyrings+. For more information, see
	<<SC,Providing a Keyring for Import>> below.

*-u, \--updatedb*::
	Equivalent to \--check-trustdb in GnuPG.

*-v, \--verify* <signature>::
	Verify the given signature file.

*-V, \--version*::
	Display the program version.

[[SC]]
Providing a Keyring for Import
------------------------------
A distribution or other repository provider may want to provide a set of valid
PGP keys used in the signing of its packages and repository databases that can
be readily imported into the pacman keyring. This is achieved by providing a
PGP keyring file `foo.gpg` that contains the keys for the foo keyring in the
directory +{pkgdatadir}/keyrings+. Optionally, the file `foo-revoked` can be
provided, containing a list of revoked key IDs for that keyring. These files are
required to be signed (detached) by a trusted PGP key that the user must
manually import to the pacman keyring. This prevents a potentially malicious
repository from adding keys to the pacman keyring without the user's knowledge.

A key being marked as revoked always takes priority over the key being added to
the pacman keyring, regardless of the keyring it is provided in. To prevent a
key from being revoked when using \--populate, its ID can be listed in
+{sysconfdir}/pacman.d/gnupg/holdkeys+.
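The populate step the two paragraphs above describe, as an added example (POSIX sh, not pacman's own pacman-key code): import every keyring whose detached signature checks out against the trusted key, then disable the revoked IDs that are not held, with a revocation from any keyring beating an addition from any other. It assumes signature files named `foo.gpg.sig` and `foo-revoked.sig`, gpg's `VALIDSIG` plus `TRUST_FULLY`/`TRUST_ULTIMATE` status lines as the acceptance criterion, and `--edit-key ... disable` as the way a revocation is applied.

```shell
#!/bin/sh
# Added example, not pacman's own pacman-key code: the --populate rules from
# the section above, applied to every keyring under $KEYRING_SRC. Assumed
# layout: foo.gpg + foo.gpg.sig, optional foo-revoked + foo-revoked.sig, and
# $PACMAN_GPGDIR/holdkeys holding one key ID per line.
KEYRING_SRC=${KEYRING_SRC:-/usr/share/pacman/keyrings}
PACMAN_GPGDIR=${PACMAN_GPGDIR:-/etc/pacman.d/gnupg}

# Decision rule: a revoked ID wins over an added key unless it is held.
# Reads the holdkeys file, then any number of *-revoked files, and prints
# the IDs that must really be revoked (comment and blank lines skipped,
# IDs compared case-insensitively, duplicates across keyrings dropped).
keys_to_revoke() {   # usage: keys_to_revoke HOLDKEYS REVOKED_FILE...
    local holdkeys; holdkeys=$1; shift
    [ -r "$holdkeys" ] || holdkeys=/dev/null   # no holdkeys file: nothing is held
    awk '/^[ \t]*(#|$)/ { next }
         { id = toupper($1) }
         FILENAME == ARGV[1] { held[id]; next }
         !(id in held) && !seen[id]++ { print id }' "$holdkeys" "$@"
}

# Accept a file only if its detached signature verifies AND was made by a key
# the user marked trusted in the pacman keyring (gpg --homedir, as in the
# Description section). Assumption: VALIDSIG plus TRUST_FULLY/TRUST_ULTIMATE
# status lines are the acceptance criterion; anything else is rejected.
verify_detached() {
    gpg --homedir "$PACMAN_GPGDIR" --batch --status-fd 1 \
        --verify "$1.sig" "$1" 2>/dev/null |
        awk '/^\[GNUPG:\] VALIDSIG /                { v = 1 }
             /^\[GNUPG:\] TRUST_(FULLY|ULTIMATE)/    { t = 1 }
             END { exit !(v && t) }'
}

populate() {
    local f name
    set --   # the positional parameters collect the verified *-revoked files
    # pass 1: import every keyring whose signature checks out; skip the rest
    for f in "$KEYRING_SRC"/*.gpg; do
        name=${f%.gpg}
        verify_detached "$f" || { echo "skipping ${f##*/}: bad or untrusted signature" >&2; continue; }
        gpg --homedir "$PACMAN_GPGDIR" --batch --quiet --import "$f"
        [ -f "$name-revoked" ] && verify_detached "$name-revoked" && set -- "$@" "$name-revoked"
    done
    # pass 2: a revocation from any keyring beats an addition from any other
    keys_to_revoke "$PACMAN_GPGDIR/holdkeys" "$@" | while read -r id; do
        # assumption: disabling the key is how the revocation is applied
        printf 'disable\nsave\n' |
            gpg --homedir "$PACMAN_GPGDIR" --batch --quiet --command-fd 0 --edit-key "$id"
    done
}
[ "${1:-}" = --run ] && populate   # define-only when sourced; run with --run
```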


See Also
--------
linkman:pacman[8], linkman:pacman.conf[5]

include::footer.txt[]