mirror of
https://github.com/moparisthebest/pacman
synced 2024-11-15 13:55:09 -05:00
16fd66f879
This allows new signatures to be pulled, revocations to be found, etc. Signed-off-by: Dan McGee <dan@archlinux.org>
133 lines
4.2 KiB
Plaintext
133 lines
4.2 KiB
Plaintext
/////
|
|
vim:set ts=4 sw=4 syntax=asciidoc noet spell spelllang=en_us:
|
|
/////
|
|
pacman-key(8)
|
|
=============
|
|
|
|
|
|
Name
|
|
----
|
|
pacman-key - manage pacman's list of trusted keys
|
|
|
|
|
|
Synopsis
|
|
--------
|
|
'pacman-key' [options]
|
|
|
|
|
|
Description
|
|
-----------
|
|
'pacman-key' is a wrapper script for GnuPG used to manage pacman's keyring, which
|
|
is the collection of PGP keys used to check signed packages and databases. It
|
|
provides the ability to import and export keys, fetch keys from keyservers and
|
|
update the key trust database.
|
|
|
|
More complex keyring management can be achieved using GnuPG directly combined with
|
|
the '\--homedir' option pointing at the pacman keyring (located in
|
|
+{sysconfdir}/pacman.d/gnupg+ by default).
|
|
|
|
|
|
Options
|
|
-------
|
|
*-a, \--add* [file(s)]::
|
|
Add the key(s) contained in the specified file or files to pacman's
|
|
keyring. If a key already exists, update it.
|
|
|
|
*\--config* <file>::
|
|
Use an alternate config file instead of the +{sysconfdir}/pacman.conf+
|
|
default.
|
|
|
|
*-d, \--delete* <keyid(s)>::
|
|
Remove the key(s) identified by the specified keyid(s) from pacman's
|
|
keyring.
|
|
|
|
*-e, \--export* [keyid(s)]::
|
|
Export key(s) identified by the specified keyid(s) to 'stdout'. If no keyid
|
|
is specified, all keys will be exported.
|
|
|
|
*\--edit-key* <keyid(s)>::
|
|
Present a menu for key management task on the specified keyid(s). Useful
|
|
for adjusting a keys trust level.
|
|
|
|
*-f, \--finger* [keyid(s)]::
|
|
List a fingerprint for each specified keyid, or for all known keys if no
|
|
keyids are specified.
|
|
|
|
*\--gpgdir* <dir>::
|
|
Set an alternate home directory for GnuPG. If unspecified, the value is
|
|
read from +{sysconfdir}/pacman.conf+.
|
|
|
|
*-h, \--help*::
|
|
Output syntax and command line options.
|
|
|
|
*\--import* <dir(s)>::
|
|
Adds keys from pubring.gpg into pacman's keyring and imports ownertrust
|
|
values from trustdb.gpg in the specified directories.
|
|
|
|
*\--import-dirs* <dir(s)> ::
|
|
Imports ownertrust values from trustdb.gpg in the specified directories.
|
|
|
|
*\--init*::
|
|
Ensure the keyring is properly initialized and has the required access
|
|
permissions.
|
|
|
|
*\--keyserver* <keyserver>::
|
|
Use the specified keyserver if the operation requires one. This will take
|
|
precedence over any keyserver option specified in a `gpg.conf`
|
|
configuration file. Running '\--init' with this option will set the default
|
|
keyserver if one was not already configured.
|
|
|
|
*-l, \--list-keys* [keyid(s)]::
|
|
Lists all or specified keys from the public keyring.
|
|
|
|
*\--list-sigs* [keyid(s)]::
|
|
Same as '\--list-keys', but the signatures are listed too.
|
|
|
|
*\--lsign-key* <keyid>::
|
|
Locally sign the given key. This is primarily used to root the web of trust
|
|
in the local private key generated by '\--init'.
|
|
|
|
*-r, \--recv-keys* <keyid(s)>::
|
|
Equivalent to '\--recv-keys' in GnuPG.
|
|
|
|
*\--refresh-keys* [keyid(s)]::
|
|
Equivalent to '\--refresh-keys' in GnuPG.
|
|
|
|
*\--populate* [keyring(s)]::
|
|
Reload the default keys from the (optionally provided) keyrings in
|
|
+{pkgdatadir}/keyrings+. For more information, see
|
|
<<SC,Providing a Keyring for Import>> below.
|
|
|
|
*-u, \--updatedb*::
|
|
Equivalent to '\--check-trustdb' in GnuPG.
|
|
|
|
*-v, \--verify* <signature>::
|
|
Verify the given signature file.
|
|
|
|
*-V, \--version*::
|
|
Displays the program version.
|
|
|
|
|
|
Providing a Keyring for Import
|
|
------------------------------
|
|
A distribution or other repository provided may want to provide a set of valid
|
|
PGP keys used in the signing of its packages and repository databases that can
|
|
be readily imported into the pacman keyring. This is achieved by providing a
|
|
PGP keyring file `foo.gpg` that contains the keys for the foo keyring in the
|
|
directory +{pkgdatadir}/keyrings+. Optionally the file `foo-revoked` can be
|
|
provided containing a list of revoked key IDs for that keyring. These files are
|
|
required to be signed (detached) by a trusted PGP key that the user must
|
|
manually import to the pacman keyring. This prevents a potentially malicious
|
|
repository adding keys to the pacman keyring without the users knowledge.
|
|
|
|
A key being marked as revoked always takes priority over the key being added to
|
|
the pacman keyring, regardless of the keyring it is provided in. To prevent a
|
|
key from being revoked when using '\--populate', its ID can be listed in
|
|
+{sysconfdir}/pacman.d/gnupg/holdkeys+.
|
|
|
|
See Also
|
|
--------
|
|
linkman:pacman[8], linkman:pacman.conf[5]
|
|
|
|
include::footer.txt[]
|