mirror of
https://github.com/moparisthebest/pacman
synced 2024-11-10 11:35:00 -05:00
1fe6cabc4d
Verifying the keyring at this point is useless as a malicious package is already installed and as such has several options to bypass this check anyway.
Signed-off-by: Pierre Schmitz <pierre@archlinux.de>
Signed-off-by: Dan McGee <dan@archlinux.org>
138 lines
4.3 KiB
Plaintext
/////
vim:set ts=4 sw=4 syntax=asciidoc noet spell spelllang=en_us:
/////
pacman-key(8)
=============


Name
----
pacman-key - manage pacman's list of trusted keys


Synopsis
--------
'pacman-key' [options]


Description
-----------
'pacman-key' is a wrapper script for GnuPG used to manage pacman's keyring, which
is the collection of PGP keys used to check signed packages and databases. It
provides the ability to import and export keys, fetch keys from keyservers and
update the key trust database.

More complex keyring management can be achieved using GnuPG directly combined with
the '\--homedir' option pointing at the pacman keyring (located in
+{sysconfdir}/pacman.d/gnupg+ by default).


Options
-------
*-a, \--add* [file(s)]::
	Add the key(s) contained in the specified file or files to pacman's
	keyring. If a key already exists, update it.

*\--config* <file>::
	Use an alternate config file instead of the +{sysconfdir}/pacman.conf+
	default.

*-d, \--delete* <keyid(s)>::
	Remove the key(s) identified by the specified keyid(s) from pacman's
	keyring.

*-e, \--export* [keyid(s)]::
	Export key(s) identified by the specified keyid(s) to 'stdout'. If no keyid
	is specified, all keys will be exported.

*\--edit-key* <keyid(s)>::
	Present a menu for key management tasks on the specified keyid(s). Useful
	for adjusting a key's trust level.

*-f, \--finger* [keyid(s)]::
	List a fingerprint for each specified keyid, or for all known keys if no
	keyids are specified.

*\--gpgdir* <dir>::
	Set an alternate home directory for GnuPG. If unspecified, the value is
	read from +{sysconfdir}/pacman.conf+.

*-h, \--help*::
	Output syntax and command line options.

*\--import* <dir(s)>::
	Imports keys from `pubring.gpg` into the public keyring from the specified
	directories.

*\--import-trustdb* <dir(s)>::
	Imports ownertrust values from `trustdb.gpg` into the shared trust database
	from the specified directories.

*\--init*::
	Ensure the keyring is properly initialized and has the required access
	permissions.

*\--keyserver* <keyserver>::
	Use the specified keyserver if the operation requires one. This will take
	precedence over any keyserver option specified in a `gpg.conf`
	configuration file. Running '\--init' with this option will set the default
	keyserver if one was not already configured.

*-l, \--list-keys* [keyid(s)]::
	Lists all or specified keys from the public keyring.

*\--list-sigs* [keyid(s)]::
	Same as '\--list-keys', but the signatures are listed too.

*\--lsign-key* <keyid>::
	Locally sign the given key. This is primarily used to root the web of trust
	in the local private key generated by '\--init'.

*-r, \--recv-keys* <keyid(s)>::
	Equivalent to '\--recv-keys' in GnuPG.

*\--refresh-keys* [keyid(s)]::
	Equivalent to '\--refresh-keys' in GnuPG.

*\--populate* [keyring(s)]::
	Reload the default keys from the (optionally provided) keyrings in
	+{pkgdatadir}/keyrings+. For more information, see
	<<SC,Providing a Keyring for Import>> below.

*-u, \--updatedb*::
	Equivalent to '\--check-trustdb' in GnuPG.

*-v, \--verify* <signature>::
	Verify the given signature file.

*-V, \--version*::
	Displays the program version.


Providing a Keyring for Import
------------------------------
A distribution or other repository provider may want to provide a set of
PGP keys used in the signing of its packages and repository databases that can
be readily imported into the pacman keyring. This is achieved by providing a
PGP keyring file `foo.gpg` that contains the keys for the foo keyring in the
directory +{pkgdatadir}/keyrings+.

Optionally, the file `foo-trusted` can be provided containing a list of trusted
key IDs for that keyring. This is a file in a format compatible with 'gpg
\--export-ownertrust' output. This file will inform the user which keys a user
needs to verify and sign to build a local web of trust, in addition to
assigning provided owner trust values.

Also optionally, the file `foo-revoked` can be provided containing a list of
revoked key IDs for that keyring. Revoked is defined as "no longer valid for
any signing", so should be used with prudence. A key being marked as revoked
will be disabled in the keyring and no longer treated as valid, so this always
takes priority over its trusted state in any other keyring.


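The trusted/revoked precedence just described, as an added Python model that is not pacman-key's own code: it assumes `foo-trusted` holds `gpg --export-ownertrust` records (FINGERPRINT:LEVEL:, with `#` comments), `foo-revoked` holds one key ID per line matched as a suffix of the fingerprint, and the fingerprints and file contents are constructed; `parse_ownertrust`, `parse_revoked` and `resolve` are hypothetical names.

```python
import re

def parse_ownertrust(text):
    """Parse FINGERPRINT:LEVEL: records (LEVEL 2..6 = unknown..ultimate); '#' lines are comments."""
    trust = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.fullmatch(r"([0-9A-Fa-f]{40}):([2-6]):?", line)
        if not m:
            raise ValueError(f"line {lineno}: malformed ownertrust record: {raw!r}")
        trust[m.group(1).upper()] = int(m.group(2))
    return trust

def parse_revoked(text):
    """One key ID per line: a 16-digit long key ID or a 40-digit fingerprint."""
    ids = set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if not re.fullmatch(r"[0-9A-Fa-f]{16}|[0-9A-Fa-f]{40}", line):
            raise ValueError(f"line {lineno}: malformed key ID: {raw!r}")
        ids.add(line.upper())
    return ids

def resolve(keyrings):
    """{name: (trusted_text, revoked_text)} -> {fingerprint: (state, level, keyring)}; a revocation
    in any keyring disables the key whatever its trust elsewhere, else the highest level wins."""
    revoked = {}  # key ID -> keyring that listed it (collected first so it wins everywhere)
    for name, (_, revoked_text) in keyrings.items():
        for kid in parse_revoked(revoked_text):
            revoked.setdefault(kid, name)
    state = {}
    for name, (trusted_text, _) in keyrings.items():
        for fpr, level in parse_ownertrust(trusted_text).items():
            hit = next((k for k in revoked if fpr.endswith(k)), None)  # long key ID = fpr suffix
            if hit is not None:
                state[fpr] = ("revoked", 0, revoked[hit])
            elif fpr not in state or level > state[fpr][1]:
                state[fpr] = ("trusted", level, name)
    return state

FPR_A, FPR_B, FPR_C = "A1" * 20, "B2" * 20, "C3" * 20  # constructed fingerprints
SAMPLE_KEYRINGS = {  # constructed foo-trusted / bar-trusted / bar-revoked contents
    "foo": (f"# foo-trusted\n{FPR_A}:6:\n{FPR_B}:5:\n", ""),
    "bar": (f"{FPR_C}:4:\n{FPR_B}:4:\n", f"# bar-revoked\n{FPR_B[-16:]}\n"),
}
```

Running `resolve(SAMPLE_KEYRINGS)` leaves FPR_B disabled even though `foo-trusted` assigns it full trust, because `bar-revoked` lists its key ID.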
See Also
--------
linkman:pacman[8], linkman:pacman.conf[5]

include::footer.txt[]