1PACMAN-KEY(8) Pacman Manual PACMAN-KEY(8)
2
3
4
6 pacman-key - manage pacman's list of trusted keys
7
9 pacman-key [options] operation [targets]
10
12 pacman-key is a wrapper script for GnuPG used to manage pacman’s
13 keyring, which is the collection of PGP keys used to check signed
14 packages and databases. It provides the ability to import and export
15 keys, fetch keys from keyservers and update the key trust database.
16
17 More complex keyring management can be achieved using GnuPG directly
18 combined with the --homedir option pointing at the pacman keyring
19 (located in /etc/pacman.d/gnupg by default).
20
21 Invoking pacman-key consists of supplying an operation with any
22 potential options and targets to operate on. Depending on the
23 operation, a target may be a valid key identifier, filename, or
24 directory.
25
27 -a, --add
28 Add the key(s) contained in the specified file or files to pacman’s
29 keyring. If a key already exists, update it.
30
31 -d, --delete
32 Remove the key(s) identified by the specified keyid(s) from
33 pacman’s keyring.
34
35 -e, --export
36 Export key(s) identified by the specified keyid(s) to stdout. If no
37 keyid is specified, all keys will be exported.
38
39 --edit-key
40 Present a menu for key management task on the specified keyid(s).
41 Useful for adjusting a keys trust level.
42
43 -f, --finger
44 List a fingerprint for each specified keyid, or for all known keys
45 if no keyids are specified.
46
47 -h, --help
48 Output syntax and command line options.
49
50 --import
51 Imports keys from pubring.gpg into the public keyring from the
52 specified directories.
53
54 --import-trustdb
55 Imports ownertrust values from trustdb.gpg into the shared trust
56 database from the specified directories.
57
58 --init
59 Ensure the keyring is properly initialized and has the required
60 access permissions.
61
62 -l, --list-keys
63 Lists all or specified keys from the public keyring.
64
65 --list-sigs
66 Same as --list-keys, but the signatures are listed too.
67
68 --lsign-key
69 Locally sign the given key. This is primarily used to root the web
70 of trust in the local private key generated by --init.
71
72 --nocolor
73 Disable colored output from pacman-key.
74
75 -r, --recv-keys
76 Equivalent to --recv-keys in GnuPG.
77
78 --refresh-keys
79 Equivalent to --refresh-keys in GnuPG.
80
81 --populate
82 Reload the default keys from the (optionally provided) keyrings in
83 /usr/share/pacman/keyrings. For more information, see Providing a
84 Keyring for Import below.
85
86 -u, --updatedb
87 Equivalent to --check-trustdb in GnuPG. This operation can be
88 specified with other operations.
89
90 -V, --version
91 Displays the program version.
92
93 -v, --verify
94 Assume that the first argument is a signature and verify it. If a
95 second argument is provided, it is the file to be verified.
96
97 With only one argument given, assume that the signature is a
98 detached signature, and look for a matching data file to verify by
99 stripping the file extension. If no matching data file is found,
100 fall back on GnuPG semantics and attempt to verify a file with an
101 embedded signature.
102
104 --config <file>
105 Use an alternate configuration file instead of the /etc/pacman.conf
106 default.
107
108 --gpgdir <dir>
109 Set an alternate home directory for GnuPG. If unspecified, the
110 value is read from /etc/pacman.conf.
111
112 --keyserver <keyserver>
113 Use the specified keyserver if the operation requires one. This
114 will take precedence over any keyserver option specified in a
115 gpg.conf configuration file. Running --init with this option will
116 set the default keyserver if one was not already configured.
117
119 A distribution or other repository provided may want to provide a set
120 of PGP keys used in the signing of its packages and repository
121 databases that can be readily imported into the pacman keyring. This is
122 achieved by providing a PGP keyring file foo.gpg that contains the keys
123 for the foo keyring in the directory /usr/share/pacman/keyrings.
124
125 Optionally, the file foo-trusted can be provided containing a list of
126 trusted key IDs for that keyring. This is a file in a format compatible
127 with gpg --export-ownertrust output. This file will inform the user
128 which keys a user needs to verify and sign to build a local web of
129 trust, in addition to assigning provided owner trust values.
130
131 Also optionally, the file foo-revoked can be provided containing a list
132 of revoked key IDs for that keyring. Revoked is defined as "no longer
133 valid for any signing", so should be used with prudence. A key being
134 marked as revoked will be disabled in the keyring and no longer treated
135 as valid, so this always takes priority over it’s trusted state in any
136 other keyring.
137
139 pacman(8), pacman.conf(5)
140
141 See the pacman website at https://www.archlinux.org/pacman/ for current
142 information on pacman and its related tools.
143
145 Bugs? You must be kidding; there are no bugs in this software. But if
146 we happen to be wrong, submit a bug report with as much detail as
147 possible at the Arch Linux Bug Tracker in the Pacman section.
148
150 Current maintainers:
151
152 • Allan McRae <allan@archlinux.org>
153
154 • Andrew Gregory <andrew.gregory.8@gmail.com>
155
156 • Dan McGee <dan@archlinux.org>
157
158 • Dave Reisner <dreisner@archlinux.org>
159
160 Past major contributors:
161
162 • Judd Vinet <jvinet@zeroflux.org>
163
164 • Aurelien Foret <aurelien@archlinux.org>
165
166 • Aaron Griffin <aaron@archlinux.org>
167
168 • Xavier Chantry <shiningxc@gmail.com>
169
170 • Nagy Gabor <ngaba@bibl.u-szeged.hu>
171
172 For additional contributors, use git shortlog -s on the pacman.git
173 repository.
174
175
176
177Pacman 5.2.1 2021-01-27 PACMAN-KEY(8)