'\" t
.\" Title: pacman-key
.\" Author: [see the "Authors" section]
.\" Generator: DocBook XSL Stylesheets vsnapshot
.\" Date: 2024-04-14
.\" Manual: Pacman Manual
.\" Source: Pacman 6.1.0
.\" Language: English
.\"
.TH "PACMAN\-KEY" "8" "2024\-04\-14" "Pacman 6\&.1\&.0" "Pacman Manual"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" http://bugs.debian.org/507673
.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "NAME"
pacman-key \- manage pacman\*(Aqs list of trusted keys
.SH "SYNOPSIS"
.sp
\fIpacman\-key\fR [options] operation [targets]
.SH "DESCRIPTION"
.sp
\fIpacman\-key\fR is a wrapper script for GnuPG used to manage pacman\(cqs keyring, which is the collection of PGP keys used to check signed packages and databases\&. It provides the ability to import and export keys, fetch keys from keyservers and update the key trust database\&.
.sp
More complex keyring management can be achieved using GnuPG directly combined with the \fI\-\-homedir\fR option pointing at the pacman keyring (located in /etc/pacman\&.d/gnupg by default)\&.
.sp
Invoking pacman\-key consists of supplying an operation with any potential options and targets to operate on\&. Depending on the operation, a \fItarget\fR may be a valid key identifier, filename, or directory\&.
.SH "OPERATIONS"
.PP
\fB\-a, \-\-add\fR
.RS 4
Add the key(s) contained in the specified file or files to pacman\(cqs keyring\&. If a key already exists, update it\&.
.RE
.PP
\fB\-d, \-\-delete\fR
.RS 4
Remove the key(s) identified by the specified keyid(s) from pacman\(cqs keyring\&.
.RE
.PP
\fB\-e, \-\-export\fR
.RS 4
Export key(s) identified by the specified keyid(s) to
\fIstdout\fR\&. If no keyid is specified, all keys will be exported\&.
.RE
.PP
\fB\-\-edit\-key\fR
.RS 4
Present a menu for key management task on the specified keyid(s)\&. Useful for adjusting a keys trust level\&.
.RE
.PP
\fB\-f, \-\-finger\fR
.RS 4
List a fingerprint for each specified keyid, or for all known keys if no keyids are specified\&.
.RE
.PP
\fB\-h, \-\-help\fR
.RS 4
Output syntax and command line options\&.
.RE
.PP
\fB\-\-import\fR
.RS 4
Imports keys from
pubring\&.gpg
into the public keyring from the specified directories\&.
.RE
.PP
\fB\-\-import\-trustdb\fR
.RS 4
Imports ownertrust values from
trustdb\&.gpg
into the shared trust database from the specified directories\&.
.RE
.PP
\fB\-\-init\fR
.RS 4
Ensure the keyring is properly initialized and has the required access permissions\&.
.RE
.PP
\fB\-l, \-\-list\-keys\fR
.RS 4
Lists all or specified keys from the public keyring\&.
.RE
.PP
\fB\-\-list\-sigs\fR
.RS 4
Same as
\fI\-\-list\-keys\fR, but the signatures are listed too\&.
.RE
.PP
\fB\-\-lsign\-key\fR
.RS 4
Locally sign the given key\&. This is primarily used to root the web of trust in the local private key generated by
\fI\-\-init\fR\&.
.RE
.PP
\fB\-\-nocolor\fR
.RS 4
Disable colored output from pacman\-key\&.
.RE
.PP
\fB\-r, \-\-recv\-keys\fR
.RS 4
Equivalent to
\fI\-\-recv\-keys\fR
in GnuPG\&.
.RE
.PP
\fB\-\-refresh\-keys\fR
.RS 4
Equivalent to
\fI\-\-refresh\-keys\fR
in GnuPG\&.
.RE
.PP
\fB\-\-populate\fR
.RS 4
Reload the default keys from the (optionally provided) keyrings in
/usr/share/pacman/keyrings\&. For more information, see
Providing a Keyring for Import
below\&.
.RE
.PP
\fB\-u, \-\-updatedb\fR
.RS 4
Equivalent to
\fI\-\-check\-trustdb\fR
in GnuPG\&. This operation can be specified with other operations\&.
.RE
.PP
\fB\-V, \-\-version\fR
.RS 4
Displays the program version\&.
.RE
.PP
\fB\-v, \-\-verify\fR
.RS 4
Assume that the first argument is a signature and verify it\&. If a second argument is provided, it is the file to be verified\&.
.sp
With only one argument given, assume that the signature is a detached signature, and look for a matching data file to verify by stripping the file extension\&. If no matching data file is found, fall back on GnuPG semantics and attempt to verify a file with an embedded signature\&.
.RE
.SH "OPTIONS"
.PP
\fB\-\-config\fR
.RS 4
Use an alternate configuration file instead of the
/etc/pacman\&.conf
default\&.
.RE
.PP
\fB\-\-gpgdir\fR
.RS 4
Set an alternate home directory for GnuPG\&. If unspecified, the value is read from
/etc/pacman\&.conf\&.
.RE
.PP
\fB\-\-keyserver\fR
.RS 4
Use the specified keyserver if the operation requires one\&. This will take precedence over any keyserver option specified in a
gpg\&.conf
configuration file\&. Running
\fI\-\-init\fR
with this option will set the default keyserver if one was not already configured\&.
.RE
.SH "PROVIDING A KEYRING FOR IMPORT"
.sp
A distribution or other repository provided may want to provide a set of PGP keys used in the signing of its packages and repository databases that can be readily imported into the pacman keyring\&. This is achieved by providing a PGP keyring file foo\&.gpg that contains the keys for the foo keyring in the directory /usr/share/pacman/keyrings\&.
.sp
Optionally, the file foo\-trusted can be provided containing a list of trusted key IDs for that keyring\&. This is a file in a format compatible with \fIgpg \-\-export\-ownertrust\fR output\&. This file will inform the user which keys a user needs to verify and sign to build a local web of trust, in addition to assigning provided owner trust values\&.
.sp
Also optionally, the file foo\-revoked can be provided containing a list of revoked key IDs for that keyring\&. Revoked is defined as "no longer valid for any signing", so should be used with prudence\&. A key being marked as revoked will be disabled in the keyring and no longer treated as valid, so this always takes priority over it\(cqs trusted state in any other keyring\&.
.SH "SEE ALSO"
.sp
\fBpacman\fR(8), \fBpacman.conf\fR(5)
.sp
See the pacman website at https://archlinux\&.org/pacman/ for current information on pacman and its related tools\&.
.SH "BUGS"
.sp
Bugs? You must be kidding; there are no bugs in this software\&. But if we happen to be wrong, submit a bug report with as much detail as possible at the Arch Linux Bug Tracker in the Pacman section\&.
.SH "AUTHORS"
.sp
Current maintainers:
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
Allan McRae
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
Andrew Gregory
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
Morgan Adamiec
.RE
.sp
Past major contributors:
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
Judd Vinet
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
Aurelien Foret
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
Aaron Griffin
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
Dan McGee
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
Xavier Chantry
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
Nagy Gabor
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
Dave Reisner
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
Eli Schwartz
.RE
.sp
For additional contributors, use git shortlog \-s on the pacman\&.git repository\&.