]>
Commit | Line | Data |
---|---|---|
1 | <?xml version="1.0" encoding="utf-8" standalone="no"?> | |
2 | <!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" | |
3 | "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [ | |
4 | <!ENTITY % aptent SYSTEM "apt.ent"> %aptent; | |
5 | <!ENTITY % aptverbatiment SYSTEM "apt-verbatim.ent"> %aptverbatiment; | |
6 | <!ENTITY % aptvendor SYSTEM "apt-vendor.ent"> %aptvendor; | |
7 | ]> | |
8 | ||
9 | <refentry> | |
10 | <refentryinfo> | |
11 | &apt-author.jgunthorpe; | |
12 | &apt-author.team; | |
13 | &apt-email; | |
14 | &apt-product; | |
15 | <!-- The last update date --> | |
16 | <date>2016-07-07T00:00:00Z</date> | |
17 | </refentryinfo> | |
18 | ||
19 | <refmeta> | |
20 | <refentrytitle>apt-key</refentrytitle> | |
21 | <manvolnum>8</manvolnum> | |
22 | <refmiscinfo class="manual">APT</refmiscinfo> | |
23 | </refmeta> | |
24 | ||
25 | <!-- Man page title --> | |
26 | <refnamediv> | |
27 | <refname>apt-key</refname> | |
28 | <refpurpose>APT key management utility</refpurpose> | |
29 | </refnamediv> | |
30 | ||
31 | &synopsis-command-apt-key; | |
32 | ||
33 | <refsect1><title>Description</title> | |
34 | <para> | |
35 | <command>apt-key</command> is used to manage the list of keys used | |
36 | by apt to authenticate packages. Packages which have been | |
37 | authenticated using these keys will be considered trusted. | |
38 | </para> | |
39 | <para> | |
40 | Note that if usage of <command>apt-key</command> is desired the additional | |
41 | installation of the GNU Privacy Guard suite (packaged in | |
42 | <package>gnupg</package>) is required. For this reason alone the programmatic | |
43 | usage (especially in package maintainerscripts!) is strongly discouraged. | |
44 | Further more the output format of all commands is undefined and can and does | |
45 | change whenever the underlying commands change. <command>apt-key</command> will | |
46 | try to detect such usage and generates warnings on stderr in these cases. | |
47 | </para> | |
48 | </refsect1> | |
49 | ||
50 | <refsect1><title>Commands</title> | |
51 | <variablelist> | |
52 | <varlistentry><term><option>add</option> <option>&synopsis-param-filename;</option></term> | |
53 | <listitem> | |
54 | <para> | |
55 | Add a new key to the list of trusted keys. | |
56 | The key is read from the filename given with the parameter | |
57 | &synopsis-param-filename; or if the filename is <literal>-</literal> | |
58 | from standard input. | |
59 | </para> | |
60 | <para> | |
61 | It is critical that keys added manually via <command>apt-key</command> are | |
62 | verified to belong to the owner of the repositories they claim to be for | |
63 | otherwise the &apt-secure; infrastructure is completely undermined. | |
64 | </para> | |
65 | <para> | |
66 | Instead of using this command a keyring can be placed directly in the | |
67 | <filename>/etc/apt/trusted.gpg.d/</filename> directory with a descriptive name | |
68 | (same rules for filename apply as for &apt-conf; files) and "<literal>gpg</literal>" | |
69 | as file extension. | |
70 | </para> | |
71 | </listitem> | |
72 | </varlistentry> | |
73 | ||
74 | <varlistentry><term><option>del</option> <option>&synopsis-param-keyid;</option></term> | |
75 | <listitem> | |
76 | <para> | |
77 | ||
78 | Remove a key from the list of trusted keys. | |
79 | ||
80 | </para> | |
81 | ||
82 | </listitem> | |
83 | </varlistentry> | |
84 | ||
85 | <varlistentry><term><option>export</option> <option>&synopsis-param-keyid;</option></term> | |
86 | <listitem> | |
87 | <para> | |
88 | ||
89 | Output the key &synopsis-param-keyid; to standard output. | |
90 | ||
91 | </para> | |
92 | ||
93 | </listitem> | |
94 | </varlistentry> | |
95 | ||
96 | <varlistentry><term><option>exportall</option></term> | |
97 | <listitem> | |
98 | <para> | |
99 | ||
100 | Output all trusted keys to standard output. | |
101 | ||
102 | </para> | |
103 | ||
104 | </listitem> | |
105 | </varlistentry> | |
106 | ||
107 | <varlistentry><term><option>list</option>, <option>finger</option></term> | |
108 | <listitem> | |
109 | <para> | |
110 | ||
111 | List trusted keys with fingerprints. | |
112 | ||
113 | </para> | |
114 | ||
115 | </listitem> | |
116 | </varlistentry> | |
117 | ||
118 | <varlistentry><term><option>adv</option></term> | |
119 | <listitem> | |
120 | <para> | |
121 | Pass advanced options to gpg. With <command>adv --recv-key</command> you | |
122 | can e.g. download key from keyservers directly into the the trusted set of | |
123 | keys. Note that there are <emphasis>no</emphasis> checks performed, so it is | |
124 | easy to completely undermine the &apt-secure; infrastructure if used without | |
125 | care. | |
126 | </para> | |
127 | ||
128 | </listitem> | |
129 | </varlistentry> | |
130 | ||
131 | <varlistentry><term><option>update</option> (deprecated)</term> | |
132 | <listitem> | |
133 | <para> | |
134 | Update the local keyring with the archive keyring and remove from | |
135 | the local keyring the archive keys which are no longer valid. | |
136 | The archive keyring is shipped in the <literal>archive-keyring</literal> package of your | |
137 | distribution, e.g. the &keyring-package; package in &keyring-distro;. | |
138 | </para> | |
139 | <para> | |
140 | Note that a distribution does not need to and in fact should not use | |
141 | this command any longer and instead ship keyring files in the | |
142 | <filename>/etc/apt/trusted.gpg</filename> directory directly as this | |
143 | avoids a dependency on <package>gnupg</package> and it is easier to manage | |
144 | keys by simply adding and removing files for maintainers and users alike. | |
145 | </para> | |
146 | </listitem> | |
147 | </varlistentry> | |
148 | ||
149 | <varlistentry><term><option>net-update</option></term> | |
150 | <listitem> | |
151 | <para> | |
152 | ||
153 | Perform an update working similarly to the <command>update</command> command above, | |
154 | but get the archive keyring from a URI instead and validate it against a master key. | |
155 | ||
156 | This requires an installed &wget; and an APT build configured to have | |
157 | a server to fetch from and a master keyring to validate. | |
158 | ||
159 | APT in Debian does not support this command, relying on | |
160 | <command>update</command> instead, but Ubuntu's APT does. | |
161 | ||
162 | </para> | |
163 | ||
164 | </listitem> | |
165 | </varlistentry> | |
166 | </variablelist> | |
167 | </refsect1> | |
168 | ||
169 | <refsect1><title>Options</title> | |
170 | <para>Note that options need to be defined before the commands described in the previous section.</para> | |
171 | <variablelist> | |
172 | <varlistentry><term><option>--keyring</option> <option>&synopsis-param-filename;</option></term> | |
173 | <listitem><para>With this option it is possible to specify a particular keyring | |
174 | file the command should operate on. The default is that a command is executed | |
175 | on the <filename>trusted.gpg</filename> file as well as on all parts in the | |
176 | <filename>trusted.gpg.d</filename> directory, though <filename>trusted.gpg</filename> | |
177 | is the primary keyring which means that e.g. new keys are added to this one. | |
178 | </para></listitem> | |
179 | </varlistentry> | |
180 | </variablelist> | |
181 | </refsect1> | |
182 | ||
183 | <refsect1><title>Files</title> | |
184 | <variablelist> | |
185 | ||
186 | &file-trustedgpg; | |
187 | ||
188 | </variablelist> | |
189 | ||
190 | </refsect1> | |
191 | ||
192 | <refsect1><title>See Also</title> | |
193 | <para> | |
194 | &apt-get;, &apt-secure; | |
195 | </para> | |
196 | </refsect1> | |
197 | ||
198 | &manbugs; | |
199 | &manauthor; | |
200 | ||
201 | </refentry> | |
202 |