mirror of
https://github.com/moparisthebest/pacman
synced 2024-11-04 16:45:07 -05:00
1df9b2aa79
This is similar to the 'foo-revoked' file we had. This will be used to inform the user what keys in the shipped keyring need to be explicitly trusted by the user. A distro such as Arch will likely have 3-4 master keys listed in this trusted file, but an additional 25 developer keys present in the keyring that the user shouldn't have to directly sign. We use this list to prompt the user to sign the keys locally. If the key is already signed locally gpg will print a bit of junk but will continue without pestering the user. Signed-off-by: Dan McGee <dan@archlinux.org>
140 lines
4.4 KiB
Plaintext
140 lines
4.4 KiB
Plaintext
/////
|
|
vim:set ts=4 sw=4 syntax=asciidoc noet spell spelllang=en_us:
|
|
/////
|
|
pacman-key(8)
|
|
=============
|
|
|
|
|
|
Name
|
|
----
|
|
pacman-key - manage pacman's list of trusted keys
|
|
|
|
|
|
Synopsis
|
|
--------
|
|
'pacman-key' [options]
|
|
|
|
|
|
Description
|
|
-----------
|
|
'pacman-key' is a wrapper script for GnuPG used to manage pacman's keyring, which
|
|
is the collection of PGP keys used to check signed packages and databases. It
|
|
provides the ability to import and export keys, fetch keys from keyservers and
|
|
update the key trust database.
|
|
|
|
More complex keyring management can be achieved using GnuPG directly combined with
|
|
the '\--homedir' option pointing at the pacman keyring (located in
|
|
+{sysconfdir}/pacman.d/gnupg+ by default).
|
|
|
|
|
|
Options
|
|
-------
|
|
*-a, \--add* [file(s)]::
|
|
Add the key(s) contained in the specified file or files to pacman's
|
|
keyring. If a key already exists, update it.
|
|
|
|
*\--config* <file>::
|
|
Use an alternate config file instead of the +{sysconfdir}/pacman.conf+
|
|
default.
|
|
|
|
*-d, \--delete* <keyid(s)>::
|
|
Remove the key(s) identified by the specified keyid(s) from pacman's
|
|
keyring.
|
|
|
|
*-e, \--export* [keyid(s)]::
|
|
Export key(s) identified by the specified keyid(s) to 'stdout'. If no keyid
|
|
is specified, all keys will be exported.
|
|
|
|
*\--edit-key* <keyid(s)>::
|
|
Present a menu for key management task on the specified keyid(s). Useful
|
|
for adjusting a keys trust level.
|
|
|
|
*-f, \--finger* [keyid(s)]::
|
|
List a fingerprint for each specified keyid, or for all known keys if no
|
|
keyids are specified.
|
|
|
|
*\--gpgdir* <dir>::
|
|
Set an alternate home directory for GnuPG. If unspecified, the value is
|
|
read from +{sysconfdir}/pacman.conf+.
|
|
|
|
*-h, \--help*::
|
|
Output syntax and command line options.
|
|
|
|
*\--import* <dir(s)>::
|
|
Adds keys from pubring.gpg into pacman's keyring and imports ownertrust
|
|
values from trustdb.gpg in the specified directories.
|
|
|
|
*\--import-dirs* <dir(s)> ::
|
|
Imports ownertrust values from trustdb.gpg in the specified directories.
|
|
|
|
*\--init*::
|
|
Ensure the keyring is properly initialized and has the required access
|
|
permissions.
|
|
|
|
*\--keyserver* <keyserver>::
|
|
Use the specified keyserver if the operation requires one. This will take
|
|
precedence over any keyserver option specified in a `gpg.conf`
|
|
configuration file. Running '\--init' with this option will set the default
|
|
keyserver if one was not already configured.
|
|
|
|
*-l, \--list-keys* [keyid(s)]::
|
|
Lists all or specified keys from the public keyring.
|
|
|
|
*\--list-sigs* [keyid(s)]::
|
|
Same as '\--list-keys', but the signatures are listed too.
|
|
|
|
*\--lsign-key* <keyid>::
|
|
Locally sign the given key. This is primarily used to root the web of trust
|
|
in the local private key generated by '\--init'.
|
|
|
|
*-r, \--recv-keys* <keyid(s)>::
|
|
Equivalent to '\--recv-keys' in GnuPG.
|
|
|
|
*\--refresh-keys* [keyid(s)]::
|
|
Equivalent to '\--refresh-keys' in GnuPG.
|
|
|
|
*\--populate* [keyring(s)]::
|
|
Reload the default keys from the (optionally provided) keyrings in
|
|
+{pkgdatadir}/keyrings+. For more information, see
|
|
<<SC,Providing a Keyring for Import>> below.
|
|
|
|
*-u, \--updatedb*::
|
|
Equivalent to '\--check-trustdb' in GnuPG.
|
|
|
|
*-v, \--verify* <signature>::
|
|
Verify the given signature file.
|
|
|
|
*-V, \--version*::
|
|
Displays the program version.
|
|
|
|
|
|
Providing a Keyring for Import
|
|
------------------------------
|
|
A distribution or other repository provided may want to provide a set of
|
|
PGP keys used in the signing of its packages and repository databases that can
|
|
be readily imported into the pacman keyring. This is achieved by providing a
|
|
PGP keyring file `foo.gpg` that contains the keys for the foo keyring in the
|
|
directory +{pkgdatadir}/keyrings+.
|
|
|
|
Optionally, the file `foo-trusted` can be provided containing a list of trusted
|
|
key IDs for that keyring. This file will inform the user which keys a user
|
|
needs to verify and sign to build a local web of trust.
|
|
|
|
Also optionally, the file `foo-revoked` can be provided containing a list of
|
|
revoked key IDs for that keyring. Revoked is defined as "no longer valid for
|
|
any signing", so should be used with prudence. A key being marked as revoked
|
|
will be disabled in the keyring and no longer treated as valid, so this always
|
|
takes priority over it's trusted state in any other keyring.
|
|
|
|
All files are required to be signed (detached) by a trusted PGP key that the
|
|
user must manually import to the pacman keyring. This prevents a potentially
|
|
malicious repository adding keys to the pacman keyring without the users
|
|
knowledge.
|
|
|
|
|
|
See Also
|
|
--------
|
|
linkman:pacman[8], linkman:pacman.conf[5]
|
|
|
|
include::footer.txt[]
|