[apt.git] / doc / apt-key.8.xml

<?xml version="1.0" encoding="utf-8" standalone="no"?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
  "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
<!ENTITY % aptent SYSTEM "apt.ent"> %aptent;
<!ENTITY % aptverbatiment SYSTEM "apt-verbatim.ent"> %aptverbatiment;
<!ENTITY % aptvendor SYSTEM "apt-vendor.ent"> %aptvendor;
]>

<refentry>
 <refentryinfo>
   &apt-author.jgunthorpe;
   &apt-author.team;
   &apt-email;
   &apt-product;
   <!-- The last update date -->
   <date>2016-07-07T00:00:00Z</date>
 </refentryinfo>

 <refmeta>
   <refentrytitle>apt-key</refentrytitle>
   <manvolnum>8</manvolnum>
   <refmiscinfo class="manual">APT</refmiscinfo>
 </refmeta>
 
 <!-- Man page title -->
 <refnamediv>
    <refname>apt-key</refname>
    <refpurpose>APT key management utility</refpurpose>
 </refnamediv>

 &synopsis-command-apt-key;

 <refsect1><title>Description</title>
   <para>
   <command>apt-key</command> is used to manage the list of keys used
   by apt to authenticate packages.  Packages which have been
   authenticated using these keys will be considered trusted.
   </para>
   <para>
   Note that if usage of <command>apt-key</command> is desired the additional
   installation of the GNU Privacy Guard suite (packaged in
   <package>gnupg</package>) is required. For this reason alone the programmatic
   usage (especially in package maintainerscripts!) is strongly discouraged.
   Further more the output format of all commands is undefined and can and does
   change whenever the underlying commands change. <command>apt-key</command> will
   try to detect such usage and generates warnings on stderr in these cases.
   </para>
</refsect1>

<refsect1><title>Commands</title>
   <variablelist>
     <varlistentry><term><option>add</option> <option>&synopsis-param-filename;</option></term>
     <listitem>
     <para>
       Add a new key to the list of trusted keys.
       The key is read from the filename given with the parameter
       &synopsis-param-filename; or if the filename is <literal>-</literal>
       from standard input.
     </para>
     <para>
     It is critical that keys added manually via <command>apt-key</command> are
     verified to belong to the owner of the repositories they claim to be for
     otherwise the &apt-secure; infrastructure is completely undermined.
     </para>
     <para>
       Instead of using this command a keyring can be placed directly in the
       <filename>/etc/apt/trusted.gpg.d/</filename> directory with a descriptive name
       (same rules for filename apply as for &apt-conf; files) and "<literal>gpg</literal>"
       as file extension.
     </para>
     </listitem>
     </varlistentry>

     <varlistentry><term><option>del</option> <option>&synopsis-param-keyid;</option></term>
     <listitem>
     <para>

       Remove a key from the list of trusted keys.

     </para>

     </listitem>
     </varlistentry>

     <varlistentry><term><option>export</option> <option>&synopsis-param-keyid;</option></term>
     <listitem>
     <para>

        Output the key &synopsis-param-keyid; to standard output.

     </para>

     </listitem>
     </varlistentry>

     <varlistentry><term><option>exportall</option></term>
     <listitem>
     <para>

        Output all trusted keys to standard output.

     </para>

     </listitem>
     </varlistentry>

     <varlistentry><term><option>list</option>, <option>finger</option></term>
     <listitem>
     <para>

       List trusted keys with fingerprints.

     </para>

     </listitem>
     </varlistentry>

     <varlistentry><term><option>adv</option></term>
     <listitem>
     <para>
     Pass advanced options to gpg. With <command>adv --recv-key</command> you
     can e.g. download key from keyservers directly into the the trusted set of
     keys. Note that there are <emphasis>no</emphasis> checks performed, so it is
     easy to completely undermine the &apt-secure; infrastructure if used without
     care.
     </para>

     </listitem>
     </varlistentry>

     <varlistentry><term><option>update</option> (deprecated)</term>
     <listitem>
     <para>
       Update the local keyring with the archive keyring and remove from
       the local keyring the archive keys which are no longer valid.
       The archive keyring is shipped in the <literal>archive-keyring</literal> package of your
       distribution, e.g. the &keyring-package; package in &keyring-distro;.
     </para>
     <para>
       Note that a distribution does not need to and in fact should not use
       this command any longer and instead ship keyring files in the
       <filename>/etc/apt/trusted.gpg</filename> directory directly as this
       avoids a dependency on <package>gnupg</package> and it is easier to manage
       keys by simply adding and removing files for maintainers and users alike.
     </para>
     </listitem>
     </varlistentry>
     
     <varlistentry><term><option>net-update</option></term>
     <listitem>
     <para>

       Perform an update working similarly to the <command>update</command> command above,
       but get the archive keyring from a URI instead and validate it against a master key.

       This requires an installed &wget; and an APT build configured to have
       a server to fetch from and a master keyring to validate.

       APT in Debian does not support this command, relying on
       <command>update</command> instead, but Ubuntu's APT does.

     </para>

     </listitem>
     </varlistentry>
   </variablelist>
</refsect1>

 <refsect1><title>Options</title>
<para>Note that options need to be defined before the commands described in the previous section.</para>
   <variablelist>
      <varlistentry><term><option>--keyring</option> <option>&synopsis-param-filename;</option></term>
      <listitem><para>With this option it is possible to specify a particular keyring
      file the command should operate on. The default is that a command is executed
      on the <filename>trusted.gpg</filename> file as well as on all parts in the
      <filename>trusted.gpg.d</filename> directory, though <filename>trusted.gpg</filename>
      is the primary keyring which means that e.g. new keys are added to this one.
      </para></listitem>
      </varlistentry>
   </variablelist>
 </refsect1>

 <refsect1><title>Files</title>
   <variablelist>

     &file-trustedgpg;

   </variablelist>

</refsect1>

<refsect1><title>See Also</title>
<para>
&apt-get;, &apt-secure;
</para>
</refsect1>

 &manbugs;
 &manauthor;

</refentry>
Commit	Line	Data
b3d44315	1	<?xml version="1.0" encoding="utf-8" standalone="no"?>
81cf16a2 DK	2	<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
81cf16a2 DK	3	"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
5abbf5bb DK	4	<!ENTITY % aptent SYSTEM "apt.ent"> %aptent;
	5	<!ENTITY % aptverbatiment SYSTEM "apt-verbatim.ent"> %aptverbatiment;
	6	<!ENTITY % aptvendor SYSTEM "apt-vendor.ent"> %aptvendor;
b3d44315 MV	7	]>
	8
	9	<refentry>
45fb8bf7 DK	10	<refentryinfo>
	11	&apt-author.jgunthorpe;
	12	&apt-author.team;
	13	&apt-email;
	14	&apt-product;
	15	<!-- The last update date -->
4bdf29d3	16	<date>2016-07-07T00:00:00Z</date>
45fb8bf7 DK	17	</refentryinfo>
45fb8bf7 DK	18
b3d44315 MV	19	<refmeta>
	20	<refentrytitle>apt-key</refentrytitle>
	21	<manvolnum>8</manvolnum>
f0599b9c	22	<refmiscinfo class="manual">APT</refmiscinfo>
b3d44315 MV	23	</refmeta>
	24
	25	<!-- Man page title -->
	26	<refnamediv>
	27	<refname>apt-key</refname>
	28	<refpurpose>APT key management utility</refpurpose>
	29	</refnamediv>
	30
6e8b4572	31	&synopsis-command-apt-key;
b3d44315 MV	32
	33	<refsect1><title>Description</title>
	34	<para>
	35	<command>apt-key</command> is used to manage the list of keys used
	36	by apt to authenticate packages. Packages which have been
	37	authenticated using these keys will be considered trusted.
	38	</para>
08fcf962 DK	39	<para>
	40	Note that if usage of <command>apt-key</command> is desired the additional
	41	installation of the GNU Privacy Guard suite (packaged in
b9e6db82	42	<package>gnupg</package>) is required. For this reason alone the programmatic
08fcf962 DK	43	usage (especially in package maintainerscripts!) is strongly discouraged.
	44	Further more the output format of all commands is undefined and can and does
	45	change whenever the underlying commands change. <command>apt-key</command> will
	46	try to detect such usage and generates warnings on stderr in these cases.
	47	</para>
b3d44315 MV	48	</refsect1>
	49
	50	<refsect1><title>Commands</title>
	51	<variablelist>
2b9b27c3	52	<varlistentry><term><option>add</option> <option>&synopsis-param-filename;</option></term>
b3d44315 MV	53	<listitem>
b3d44315 MV	54	<para>
c086ac18 DK	55	Add a new key to the list of trusted keys.
	56	The key is read from the filename given with the parameter
	57	&synopsis-param-filename; or if the filename is <literal>-</literal>
	58	from standard input.
b3d44315	59	</para>
002b1bc4 DK	60	<para>
	61	It is critical that keys added manually via <command>apt-key</command> are
	62	verified to belong to the owner of the repositories they claim to be for
	63	otherwise the &apt-secure; infrastructure is completely undermined.
	64	</para>
08fcf962 DK	65	<para>
	66	Instead of using this command a keyring can be placed directly in the
	67	<filename>/etc/apt/trusted.gpg.d/</filename> directory with a descriptive name
	68	(same rules for filename apply as for &apt-conf; files) and "<literal>gpg</literal>"
	69	as file extension.
	70	</para>
b3d44315 MV	71	</listitem>
	72	</varlistentry>
	73
2b9b27c3	74	<varlistentry><term><option>del</option> <option>&synopsis-param-keyid;</option></term>
b3d44315 MV	75	<listitem>
	76	<para>
	77
	78	Remove a key from the list of trusted keys.
	79
	80	</para>
	81
	82	</listitem>
	83	</varlistentry>
	84
2b9b27c3	85	<varlistentry><term><option>export</option> <option>&synopsis-param-keyid;</option></term>
bf6d5b42 OS	86	<listitem>
	87	<para>
	88
6e8b4572	89	Output the key &synopsis-param-keyid; to standard output.
bf6d5b42 OS	90
	91	</para>
	92
	93	</listitem>
	94	</varlistentry>
	95
2b9b27c3	96	<varlistentry><term><option>exportall</option></term>
bf6d5b42 OS	97	<listitem>
	98	<para>
	99
	100	Output all trusted keys to standard output.
	101
	102	</para>
	103
	104	</listitem>
	105	</varlistentry>
	106
a5f9b45e	107	<varlistentry><term><option>list</option>, <option>finger</option></term>
b3d44315 MV	108	<listitem>
	109	<para>
	110
a5f9b45e	111	List trusted keys with fingerprints.
d2793259	112
b3d44315 MV	113	</para>
b3d44315 MV	114
a8cabc8f LB	115	</listitem>
a8cabc8f LB	116	</varlistentry>
a8cabc8f	117
2b9b27c3	118	<varlistentry><term><option>adv</option></term>
a8cabc8f LB	119	<listitem>
a8cabc8f LB	120	<para>
002b1bc4 DK	121	Pass advanced options to gpg. With <command>adv --recv-key</command> you
	122	can e.g. download key from keyservers directly into the the trusted set of
	123	keys. Note that there are <emphasis>no</emphasis> checks performed, so it is
	124	easy to completely undermine the &apt-secure; infrastructure if used without
	125	care.
a8cabc8f LB	126	</para>
a8cabc8f LB	127
b3d44315 MV	128	</listitem>
b3d44315 MV	129	</varlistentry>
d2793259	130
ec51fe3f	131	<varlistentry><term><option>update</option> (deprecated)</term>
d2793259 MV	132	<listitem>
d2793259 MV	133	<para>
00c6e1a3 MV	134	Update the local keyring with the archive keyring and remove from
	135	the local keyring the archive keys which are no longer valid.
	136	The archive keyring is shipped in the <literal>archive-keyring</literal> package of your
694ef56e	137	distribution, e.g. the &keyring-package; package in &keyring-distro;.
d2793259	138	</para>
f4dcab05 DK	139	<para>
	140	Note that a distribution does not need to and in fact should not use
	141	this command any longer and instead ship keyring files in the
	142	<filename>/etc/apt/trusted.gpg</filename> directory directly as this
	143	avoids a dependency on <package>gnupg</package> and it is easier to manage
	144	keys by simply adding and removing files for maintainers and users alike.
	145	</para>
d2793259 MV	146	</listitem>
d2793259 MV	147	</varlistentry>
f37e6374	148
2b9b27c3	149	<varlistentry><term><option>net-update</option></term>
f37e6374 JAK	150	<listitem>
	151	<para>
	152
6072cbe1 JR	153	Perform an update working similarly to the <command>update</command> command above,
6072cbe1 JR	154	but get the archive keyring from a URI instead and validate it against a master key.
00c6e1a3 MV	155
	156	This requires an installed &wget; and an APT build configured to have
	157	a server to fetch from and a master keyring to validate.
	158
6072cbe1	159	APT in Debian does not support this command, relying on
00c6e1a3	160	<command>update</command> instead, but Ubuntu's APT does.
f37e6374 JAK	161
	162	</para>
	163
	164	</listitem>
	165	</varlistentry>
d2793259 MV	166	</variablelist>
	167	</refsect1>
	168
46e39c8e MV	169	<refsect1><title>Options</title>
	170	<para>Note that options need to be defined before the commands described in the previous section.</para>
	171	<variablelist>
2b9b27c3	172	<varlistentry><term><option>--keyring</option> <option>&synopsis-param-filename;</option></term>
6072cbe1	173	<listitem><para>With this option it is possible to specify a particular keyring
46e39c8e MV	174	file the command should operate on. The default is that a command is executed
46e39c8e MV	175	on the <filename>trusted.gpg</filename> file as well as on all parts in the
2130caa8	176	<filename>trusted.gpg.d</filename> directory, though <filename>trusted.gpg</filename>
46e39c8e MV	177	is the primary keyring which means that e.g. new keys are added to this one.
	178	</para></listitem>
	179	</varlistentry>
	180	</variablelist>
	181	</refsect1>
	182
d2793259 MV	183	<refsect1><title>Files</title>
d2793259 MV	184	<variablelist>
46e39c8e MV	185
46e39c8e MV	186	&file-trustedgpg;
d2793259	187
b3d44315	188	</variablelist>
d2793259	189
b3d44315 MV	190	</refsect1>
b3d44315 MV	191
d2793259 MV	192	<refsect1><title>See Also</title>
	193	<para>
	194	&apt-get;, &apt-secure;
	195	</para>
	196	</refsect1>
b3d44315 MV	197
	198	&manbugs;
	199	&manauthor;
	200
	201	</refentry>
	202