PACMAN-KEY(8) Pacman Manual PACMAN-KEY(8)
NAME
pacman-key - manage pacman's list of trusted keys
SYNOPSIS
pacman-key [options] operation [targets]
DESCRIPTION
pacman-key is a wrapper script for GnuPG used to manage pacman’s
keyring, which is the collection of PGP keys used to check signed
packages and databases. It provides the ability to import and export
keys, fetch keys from keyservers and update the key trust database.
More complex keyring management can be achieved using GnuPG directly
combined with the --homedir option pointing at the pacman keyring
(located in /etc/pacman.d/gnupg by default).
Invoking pacman-key consists of supplying an operation with any
potential options and targets to operate on. Depending on the
operation, a target may be a valid key identifier, filename, or
directory.
OPERATIONS
-a, --add
Add the key(s) contained in the specified file or files to pacman’s
keyring. If a key already exists, update it.
-d, --delete
Remove the key(s) identified by the specified keyid(s) from
pacman’s keyring.
-e, --export
Export key(s) identified by the specified keyid(s) to stdout. If no
keyid is specified, all keys will be exported.
--edit-key
Present a menu for key management task on the specified keyid(s).
Useful for adjusting a keys trust level.
-f, --finger
List a fingerprint for each specified keyid, or for all known keys
if no keyids are specified.
-h, --help
Output syntax and command line options.
--import
Imports keys from pubring.gpg into the public keyring from the
specified directories.
--import-trustdb
Imports ownertrust values from trustdb.gpg into the shared trust
database from the specified directories.
--init
Ensure the keyring is properly initialized and has the required
access permissions.
-l, --list-keys
Lists all or specified keys from the public keyring.
--list-sigs
Same as --list-keys, but the signatures are listed too.
--lsign-key
Locally sign the given key. This is primarily used to root the web
of trust in the local private key generated by --init.
--nocolor
Disable colored output from pacman-key.
-r, --recv-keys
Equivalent to --recv-keys in GnuPG.
--refresh-keys
Equivalent to --refresh-keys in GnuPG.
--populate
Reload the default keys from the (optionally provided) keyrings in
/usr/share/pacman/keyrings. For more information, see Providing a
Keyring for Import below.
-u, --updatedb
Equivalent to --check-trustdb in GnuPG. This operation can be
specified with other operations.
-V, --version
Displays the program version.
-v, --verify
Assume that the first argument is a signature and verify it. If a
second argument is provided, it is the file to be verified.
With only one argument given, assume that the signature is a
detached signature, and look for a matching data file to verify by
stripping the file extension. If no matching data file is found,
fall back on GnuPG semantics and attempt to verify a file with an
embedded signature.
OPTIONS
--config <file>
Use an alternate configuration file instead of the /etc/pacman.conf
default.
--gpgdir <dir>
Set an alternate home directory for GnuPG. If unspecified, the
value is read from /etc/pacman.conf.
--keyserver <keyserver>
Use the specified keyserver if the operation requires one. This
will take precedence over any keyserver option specified in a
gpg.conf configuration file. Running --init with this option will
set the default keyserver if one was not already configured.
PROVIDING A KEYRING FOR IMPORT
A distribution or other repository provided may want to provide a set
of PGP keys used in the signing of its packages and repository
databases that can be readily imported into the pacman keyring. This is
achieved by providing a PGP keyring file foo.gpg that contains the keys
for the foo keyring in the directory /usr/share/pacman/keyrings.
Optionally, the file foo-trusted can be provided containing a list of
trusted key IDs for that keyring. This is a file in a format compatible
with gpg --export-ownertrust output. This file will inform the user
which keys a user needs to verify and sign to build a local web of
trust, in addition to assigning provided owner trust values.
Also optionally, the file foo-revoked can be provided containing a list
of revoked key IDs for that keyring. Revoked is defined as "no longer
valid for any signing", so should be used with prudence. A key being
marked as revoked will be disabled in the keyring and no longer treated
as valid, so this always takes priority over it’s trusted state in any
other keyring.
SEE ALSO
pacman(8), pacman.conf(5)
See the pacman website at https://archlinux.org/pacman/ for current
information on pacman and its related tools.
BUGS
Bugs? You must be kidding; there are no bugs in this software. But if
we happen to be wrong, please report them to the issue tracker at
https://gitlab.archlinux.org/pacman/pacman/-/issues with specific
information such as your command-line, the nature of the bug, and even
the package database if it helps.
AUTHORS
Current maintainers:
• Allan McRae <allan@archlinux.org>
• Andrew Gregory <andrew.gregory.8@gmail.com>
• Morgan Adamiec <morganamilo@archlinux.org>
Past major contributors:
• Judd Vinet <jvinet@zeroflux.org>
• Aurelien Foret <aurelien@archlinux.org>
• Aaron Griffin <aaron@archlinux.org>
• Dan McGee <dan@archlinux.org>
• Xavier Chantry <shiningxc@gmail.com>
• Nagy Gabor <ngaba@bibl.u-szeged.hu>
• Dave Reisner <dreisner@archlinux.org>
• Eli Schwartz <eschwartz@archlinux.org>
For additional contributors, use git shortlog -s on the pacman.git
repository.
Pacman 7.0.0 2025-06-03 PACMAN-KEY(8)
pacman key \- manage pacman\(aqs list of trusted keys