Synopsis
pacman-key [options]
Description
pacman-key is a wrapper script for GnuPG used to manage pacman’s keyring, which is the collection of PGP keys used to check signed packages and databases. It provides the ability to import and export keys, fetch keys from keyservers and update the key trust database.
More complex keyring management can be achieved using GnuPG directly combined with the --homedir option pointing at the pacman keyring (located in /etc/pacman.d/gnupg by default).
Options
- -a, --add [file(s)]
-
Add the key(s) contained in the specified file or files to pacman’s keyring. If a key already exists, update it.
- --config <file>
-
Use an alternate config file instead of the /etc/pacman.conf default.
- -d, --delete <keyid(s)>
-
Remove the key(s) identified by the specified keyid(s) from pacman’s keyring.
- -e, --export [keyid(s)]
-
Export key(s) identified by the specified keyid(s) to stdout. If no keyid is specified, all keys will be exported.
- --edit-key <keyid(s)>
-
Present a menu for key management task on the specified keyid(s). Useful for adjusting a keys trust level.
- -f, --finger [keyid(s)]
-
List a fingerprint for each specified keyid, or for all known keys if no keyids are specified.
- --gpgdir <dir>
-
Set an alternate home directory for GnuPG. If unspecified, the value is read from /etc/pacman.conf.
- -h, --help
-
Output syntax and command line options.
- --import <dir(s)>
-
Imports keys from pubring.gpg into the public keyring from the specified directories.
- --import-trustdb <dir(s)>
-
Imports ownertrust values from trustdb.gpg into the shared trust database from the specified directories.
- --init
-
Ensure the keyring is properly initialized and has the required access permissions.
- --keyserver <keyserver>
-
Use the specified keyserver if the operation requires one. This will take precedence over any keyserver option specified in a gpg.conf configuration file. Running --init with this option will set the default keyserver if one was not already configured.
- -l, --list-keys [keyid(s)]
-
Lists all or specified keys from the public keyring.
- --list-sigs [keyid(s)]
-
Same as --list-keys, but the signatures are listed too.
- --lsign-key <keyid>
-
Locally sign the given key. This is primarily used to root the web of trust in the local private key generated by --init.
- -r, --recv-keys <keyid(s)>
-
Equivalent to --recv-keys in GnuPG.
- --refresh-keys [keyid(s)]
-
Equivalent to --refresh-keys in GnuPG.
- --populate [keyring(s)]
-
Reload the default keys from the (optionally provided) keyrings in /usr/share/pacman/keyrings. For more information, see Providing a Keyring for Import below.
- -u, --updatedb
-
Equivalent to --check-trustdb in GnuPG.
- -v, --verify <signature>
-
Verify the given signature file.
- -V, --version
-
Displays the program version.
Providing a Keyring for Import
A distribution or other repository provided may want to provide a set of PGP keys used in the signing of its packages and repository databases that can be readily imported into the pacman keyring. This is achieved by providing a PGP keyring file foo.gpg that contains the keys for the foo keyring in the directory /usr/share/pacman/keyrings.
Optionally, the file foo-trusted can be provided containing a list of trusted key IDs for that keyring. This is a file in a format compatible with gpg --export-ownertrust output. This file will inform the user which keys a user needs to verify and sign to build a local web of trust, in addition to assigning provided owner trust values.
Also optionally, the file foo-revoked can be provided containing a list of revoked key IDs for that keyring. Revoked is defined as "no longer valid for any signing", so should be used with prudence. A key being marked as revoked will be disabled in the keyring and no longer treated as valid, so this always takes priority over it’s trusted state in any other keyring.
See Also
See the pacman website at http://www.archlinux.org/pacman/ for current information on pacman and its related tools.
Bugs
Bugs? You must be kidding, there are no bugs in this software. But if we happen to be wrong, send us an email with as much detail as possible to pacman-dev@archlinux.org.
Authors
Current maintainers:
-
Allan McRae <allan@archlinux.org>
-
Dan McGee <dan@archlinux.org>
-
Dave Reisner <dreisner@archlinux.org>
Past major contributors:
-
Judd Vinet <jvinet@zeroflux.org>
-
Aurelien Foret <aurelien@archlinux.org>
-
Aaron Griffin <aaron@archlinux.org>
-
Xavier Chantry <shiningxc@gmail.com>
-
Nagy Gabor <ngaba@bibl.u-szeged.hu>
For additional contributors, use git shortlog -s on the pacman.git repository.