]>
Commit | Line | Data |
---|---|---|
b3d44315 | 1 | <?xml version="1.0" encoding="utf-8" standalone="no"?> |
81cf16a2 DK |
2 | <!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" |
3 | "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [ | |
5abbf5bb DK |
4 | <!ENTITY % aptent SYSTEM "apt.ent"> %aptent; |
5 | <!ENTITY % aptverbatiment SYSTEM "apt-verbatim.ent"> %aptverbatiment; | |
6 | <!ENTITY % aptvendor SYSTEM "apt-vendor.ent"> %aptvendor; | |
b3d44315 MV |
7 | ]> |
8 | ||
9 | <refentry> | |
45fb8bf7 DK |
10 | <refentryinfo> |
11 | &apt-author.jgunthorpe; | |
12 | &apt-author.team; | |
13 | &apt-email; | |
14 | &apt-product; | |
15 | <!-- The last update date --> | |
4bdf29d3 | 16 | <date>2016-07-07T00:00:00Z</date> |
45fb8bf7 DK |
17 | </refentryinfo> |
18 | ||
b3d44315 MV |
19 | <refmeta> |
20 | <refentrytitle>apt-key</refentrytitle> | |
21 | <manvolnum>8</manvolnum> | |
f0599b9c | 22 | <refmiscinfo class="manual">APT</refmiscinfo> |
b3d44315 MV |
23 | </refmeta> |
24 | ||
25 | <!-- Man page title --> | |
26 | <refnamediv> | |
27 | <refname>apt-key</refname> | |
28 | <refpurpose>APT key management utility</refpurpose> | |
29 | </refnamediv> | |
30 | ||
6e8b4572 | 31 | &synopsis-command-apt-key; |
b3d44315 MV |
32 | |
33 | <refsect1><title>Description</title> | |
34 | <para> | |
35 | <command>apt-key</command> is used to manage the list of keys used | |
36 | by apt to authenticate packages. Packages which have been | |
37 | authenticated using these keys will be considered trusted. | |
38 | </para> | |
08fcf962 DK |
39 | <para> |
40 | Note that if usage of <command>apt-key</command> is desired the additional | |
41 | installation of the GNU Privacy Guard suite (packaged in | |
b9e6db82 | 42 | <package>gnupg</package>) is required. For this reason alone the programmatic |
08fcf962 DK |
43 | usage (especially in package maintainerscripts!) is strongly discouraged. |
44 | Further more the output format of all commands is undefined and can and does | |
45 | change whenever the underlying commands change. <command>apt-key</command> will | |
46 | try to detect such usage and generates warnings on stderr in these cases. | |
47 | </para> | |
b3d44315 MV |
48 | </refsect1> |
49 | ||
f77ea823 DK |
50 | <refsect1><title>Supported keyring files</title> |
51 | <para>apt-key supports only the binary OpenPGP format (also known as "GPG key | |
52 | public ring") in files with the "<literal>gpg</literal>" extension, not | |
53 | the keybox database format introduced in newer &gpg; versions as default | |
54 | for keyring files. Binary keyring files intended to be used with any apt | |
55 | version should therefore always be created with <command>gpg --export</command>. | |
56 | </para> | |
57 | <para>Alternatively, if all systems which should be using the created keyring | |
58 | have at least apt version >= 1.4 installed, you can use the ASCII armored | |
59 | format with the "<literal>asc</literal>" extension instead which can be | |
60 | created with <command>gpg --armor --export</command>. | |
61 | </para> | |
62 | </refsect1> | |
63 | ||
b3d44315 MV |
64 | <refsect1><title>Commands</title> |
65 | <variablelist> | |
2b9b27c3 | 66 | <varlistentry><term><option>add</option> <option>&synopsis-param-filename;</option></term> |
b3d44315 MV |
67 | <listitem> |
68 | <para> | |
c086ac18 DK |
69 | Add a new key to the list of trusted keys. |
70 | The key is read from the filename given with the parameter | |
71 | &synopsis-param-filename; or if the filename is <literal>-</literal> | |
72 | from standard input. | |
b3d44315 | 73 | </para> |
002b1bc4 DK |
74 | <para> |
75 | It is critical that keys added manually via <command>apt-key</command> are | |
76 | verified to belong to the owner of the repositories they claim to be for | |
77 | otherwise the &apt-secure; infrastructure is completely undermined. | |
78 | </para> | |
08fcf962 | 79 | <para> |
f77ea823 DK |
80 | <emphasis>Note</emphasis>: Instead of using this command a keyring |
81 | should be placed directly in the <filename>/etc/apt/trusted.gpg.d/</filename> | |
82 | directory with a descriptive name and either "<literal>gpg</literal>" or | |
83 | "<literal>asc</literal>" as file extension. | |
08fcf962 | 84 | </para> |
b3d44315 MV |
85 | </listitem> |
86 | </varlistentry> | |
87 | ||
2b9b27c3 | 88 | <varlistentry><term><option>del</option> <option>&synopsis-param-keyid;</option></term> |
b3d44315 MV |
89 | <listitem> |
90 | <para> | |
91 | ||
92 | Remove a key from the list of trusted keys. | |
93 | ||
94 | </para> | |
95 | ||
96 | </listitem> | |
97 | </varlistentry> | |
98 | ||
2b9b27c3 | 99 | <varlistentry><term><option>export</option> <option>&synopsis-param-keyid;</option></term> |
bf6d5b42 OS |
100 | <listitem> |
101 | <para> | |
102 | ||
6e8b4572 | 103 | Output the key &synopsis-param-keyid; to standard output. |
bf6d5b42 OS |
104 | |
105 | </para> | |
106 | ||
107 | </listitem> | |
108 | </varlistentry> | |
109 | ||
2b9b27c3 | 110 | <varlistentry><term><option>exportall</option></term> |
bf6d5b42 OS |
111 | <listitem> |
112 | <para> | |
113 | ||
114 | Output all trusted keys to standard output. | |
115 | ||
116 | </para> | |
117 | ||
118 | </listitem> | |
119 | </varlistentry> | |
120 | ||
a5f9b45e | 121 | <varlistentry><term><option>list</option>, <option>finger</option></term> |
b3d44315 MV |
122 | <listitem> |
123 | <para> | |
124 | ||
a5f9b45e | 125 | List trusted keys with fingerprints. |
d2793259 | 126 | |
b3d44315 MV |
127 | </para> |
128 | ||
a8cabc8f LB |
129 | </listitem> |
130 | </varlistentry> | |
a8cabc8f | 131 | |
2b9b27c3 | 132 | <varlistentry><term><option>adv</option></term> |
a8cabc8f LB |
133 | <listitem> |
134 | <para> | |
002b1bc4 DK |
135 | Pass advanced options to gpg. With <command>adv --recv-key</command> you |
136 | can e.g. download key from keyservers directly into the the trusted set of | |
137 | keys. Note that there are <emphasis>no</emphasis> checks performed, so it is | |
138 | easy to completely undermine the &apt-secure; infrastructure if used without | |
139 | care. | |
a8cabc8f LB |
140 | </para> |
141 | ||
b3d44315 MV |
142 | </listitem> |
143 | </varlistentry> | |
d2793259 | 144 | |
ec51fe3f | 145 | <varlistentry><term><option>update</option> (deprecated)</term> |
d2793259 MV |
146 | <listitem> |
147 | <para> | |
00c6e1a3 MV |
148 | Update the local keyring with the archive keyring and remove from |
149 | the local keyring the archive keys which are no longer valid. | |
150 | The archive keyring is shipped in the <literal>archive-keyring</literal> package of your | |
694ef56e | 151 | distribution, e.g. the &keyring-package; package in &keyring-distro;. |
d2793259 | 152 | </para> |
f4dcab05 DK |
153 | <para> |
154 | Note that a distribution does not need to and in fact should not use | |
155 | this command any longer and instead ship keyring files in the | |
f77ea823 | 156 | <filename>/etc/apt/trusted.gpg.d/</filename> directory directly as this |
f4dcab05 DK |
157 | avoids a dependency on <package>gnupg</package> and it is easier to manage |
158 | keys by simply adding and removing files for maintainers and users alike. | |
159 | </para> | |
d2793259 MV |
160 | </listitem> |
161 | </varlistentry> | |
f37e6374 | 162 | |
2b9b27c3 | 163 | <varlistentry><term><option>net-update</option></term> |
f37e6374 JAK |
164 | <listitem> |
165 | <para> | |
166 | ||
6072cbe1 JR |
167 | Perform an update working similarly to the <command>update</command> command above, |
168 | but get the archive keyring from a URI instead and validate it against a master key. | |
00c6e1a3 MV |
169 | |
170 | This requires an installed &wget; and an APT build configured to have | |
171 | a server to fetch from and a master keyring to validate. | |
172 | ||
6072cbe1 | 173 | APT in Debian does not support this command, relying on |
00c6e1a3 | 174 | <command>update</command> instead, but Ubuntu's APT does. |
f37e6374 JAK |
175 | |
176 | </para> | |
177 | ||
178 | </listitem> | |
179 | </varlistentry> | |
d2793259 MV |
180 | </variablelist> |
181 | </refsect1> | |
182 | ||
46e39c8e MV |
183 | <refsect1><title>Options</title> |
184 | <para>Note that options need to be defined before the commands described in the previous section.</para> | |
185 | <variablelist> | |
2b9b27c3 | 186 | <varlistentry><term><option>--keyring</option> <option>&synopsis-param-filename;</option></term> |
6072cbe1 | 187 | <listitem><para>With this option it is possible to specify a particular keyring |
46e39c8e MV |
188 | file the command should operate on. The default is that a command is executed |
189 | on the <filename>trusted.gpg</filename> file as well as on all parts in the | |
2130caa8 | 190 | <filename>trusted.gpg.d</filename> directory, though <filename>trusted.gpg</filename> |
46e39c8e MV |
191 | is the primary keyring which means that e.g. new keys are added to this one. |
192 | </para></listitem> | |
193 | </varlistentry> | |
194 | </variablelist> | |
195 | </refsect1> | |
196 | ||
d2793259 MV |
197 | <refsect1><title>Files</title> |
198 | <variablelist> | |
46e39c8e MV |
199 | |
200 | &file-trustedgpg; | |
d2793259 | 201 | |
b3d44315 | 202 | </variablelist> |
d2793259 | 203 | |
b3d44315 MV |
204 | </refsect1> |
205 | ||
d2793259 MV |
206 | <refsect1><title>See Also</title> |
207 | <para> | |
208 | &apt-get;, &apt-secure; | |
209 | </para> | |
210 | </refsect1> | |
b3d44315 MV |
211 | |
212 | &manbugs; | |
213 | &manauthor; | |
214 | ||
215 | </refentry> | |
216 |