pacman-key - manage pacman's list of trusted keys
pacman-key [options] operation [targets]
pacman-key is a wrapper script for GnuPG used to manage pacman’s
keyring, which is the collection of PGP keys used to check signed packages and
databases. It provides the ability to import and export keys, fetch keys from
keyservers and update the key trust database.
More complex keyring management can be achieved using GnuPG
directly combined with the --homedir option pointing at the pacman
keyring (located in /etc/pacman.d/gnupg by default).
Invoking pacman-key consists of supplying an operation with any
potential options and targets to operate on. Depending on the operation, a
target may be a valid key identifier, filename, or directory.
Add the key(s) contained in the specified file or files
to pacman’s keyring. If a key already exists, update it.
Remove the key(s) identified by the specified keyid(s)
from pacman’s keyring.
Export key(s) identified by the specified keyid(s) to
stdout. If no keyid is specified, all keys will be exported.
Present a menu for key management task on the specified
keyid(s). Useful for adjusting a keys trust level.
List a fingerprint for each specified keyid, or for all
known keys if no keyids are specified.
Output syntax and command line options.
Imports keys from pubring.gpg into the public keyring
from the specified directories.
Imports ownertrust values from trustdb.gpg into the
shared trust database from the specified directories.
Ensure the keyring is properly initialized and has the
required access permissions.
Lists all or specified keys from the public
Same as --list-keys, but the signatures are listed
Locally sign the given key. This is primarily used to
root the web of trust in the local private key generated by
Disable colored output from pacman-key.
Equivalent to --recv-keys in GnuPG.
Equivalent to --refresh-keys in GnuPG.
Reload the default keys from the (optionally provided)
keyrings in /usr/share/pacman/keyrings. For more information, see Providing a
Keyring for Import below.
Equivalent to --check-trustdb in GnuPG. This
operation can be specified with other operations.
Displays the program version.
Assume that the first argument is a signature and verify
it. If a second argument is provided, it is the file to be verified.
With only one argument given, assume that the signature is a
detached signature, and look for a matching data file to verify by stripping
the file extension. If no matching data file is found, fall back on GnuPG
semantics and attempt to verify a file with an embedded signature.
Use an alternate configuration file instead of the
Set an alternate home directory for GnuPG. If
unspecified, the value is read from /etc/pacman.conf.
Use the specified keyserver if the operation requires
one. This will take precedence over any keyserver option specified in a
gpg.conf configuration file. Running --init with this option will set
the default keyserver if one was not already configured.
A distribution or other repository provided may want to provide a set of PGP
keys used in the signing of its packages and repository databases that can be
readily imported into the pacman keyring. This is achieved by providing a PGP
keyring file foo.gpg that contains the keys for the foo keyring in the
Optionally, the file foo-trusted can be provided containing a list
of trusted key IDs for that keyring. This is a file in a format compatible
with gpg --export-ownertrust output. This file will inform the user
which keys a user needs to verify and sign to build a local web of trust, in
addition to assigning provided owner trust values.
Also optionally, the file foo-revoked can be provided containing a
list of revoked key IDs for that keyring. Revoked is defined as "no
longer valid for any signing", so should be used with prudence. A key
being marked as revoked will be disabled in the keyring and no longer
treated as valid, so this always takes priority over it’s trusted
state in any other keyring.
Bugs? You must be kidding; there are no bugs in this software. But if we happen
to be wrong, submit a bug report with as much detail as possible at the Arch
Linux Bug Tracker in the Pacman section.
•Allan McRae <firstname.lastname@example.org>
Past major contributors:
•Judd Vinet <email@example.com>
•Aaron Griffin <firstname.lastname@example.org>
•Dan McGee <email@example.com>
•Xavier Chantry <firstname.lastname@example.org>
•Nagy Gabor <email@example.com>
•Dave Reisner <firstname.lastname@example.org>
For additional contributors, use git shortlog -s on the pacman.git