| | 1 | <?xml version="1.0" encoding="utf-8" standalone="no"?> |
| | 2 | <!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" |
| | 3 | "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [ |
| | 4 | <!ENTITY % aptent SYSTEM "apt.ent"> %aptent; |
| | 5 | <!ENTITY % aptverbatiment SYSTEM "apt-verbatim.ent"> %aptverbatiment; |
| | 6 | <!ENTITY % aptvendor SYSTEM "apt-vendor.ent"> %aptvendor; |
| | 7 | ]> |
| | 8 | |
| | 9 | <refentry> |
| | 10 | <refentryinfo> |
| | 11 | &apt-author.jgunthorpe; |
| | 12 | &apt-author.team; |
| | 13 | &apt-email; |
| | 14 | &apt-product; |
| | 15 | <!-- The last update date --> |
| | 16 | <date>2016-07-07T00:00:00Z</date> |
| | 17 | </refentryinfo> |
| | 18 | |
| | 19 | <refmeta> |
| | 20 | <refentrytitle>apt-key</refentrytitle> |
| | 21 | <manvolnum>8</manvolnum> |
| | 22 | <refmiscinfo class="manual">APT</refmiscinfo> |
| | 23 | </refmeta> |
| | 24 | |
| | 25 | <!-- Man page title --> |
| | 26 | <refnamediv> |
| | 27 | <refname>apt-key</refname> |
| | 28 | <refpurpose>APT key management utility</refpurpose> |
| | 29 | </refnamediv> |
| | 30 | |
| | 31 | &synopsis-command-apt-key; |
| | 32 | |
| | 33 | <refsect1><title>Description</title> |
| | 34 | <para> |
| | 35 | <command>apt-key</command> is used to manage the list of keys used |
| | 36 | by apt to authenticate packages. Packages which have been |
| | 37 | authenticated using these keys will be considered trusted. |
| | 38 | </para> |
| | 39 | <para> |
| | 40 | Note that if usage of <command>apt-key</command> is desired the additional |
| | 41 | installation of the GNU Privacy Guard suite (packaged in |
| | 42 | <package>gnupg</package>) is required. For this reason alone the programatic |
| | 43 | usage (especially in package maintainerscripts!) is strongly discouraged. |
| | 44 | Further more the output format of all commands is undefined and can and does |
| | 45 | change whenever the underlying commands change. <command>apt-key</command> will |
| | 46 | try to detect such usage and generates warnings on stderr in these cases. |
| | 47 | </para> |
| | 48 | </refsect1> |
| | 49 | |
| | 50 | <refsect1><title>Commands</title> |
| | 51 | <variablelist> |
| | 52 | <varlistentry><term><option>add</option> <option>&synopsis-param-filename;</option></term> |
| | 53 | <listitem> |
| | 54 | <para> |
| | 55 | Add a new key to the list of trusted keys. |
| | 56 | The key is read from the filename given with the parameter |
| | 57 | &synopsis-param-filename; or if the filename is <literal>-</literal> |
| | 58 | from standard input. |
| | 59 | </para> |
| | 60 | <para> |
| | 61 | It is critical that keys added manually via <command>apt-key</command> are |
| | 62 | verified to belong to the owner of the repositories they claim to be for |
| | 63 | otherwise the &apt-secure; infrastructure is completely undermined. |
| | 64 | </para> |
| | 65 | <para> |
| | 66 | Instead of using this command a keyring can be placed directly in the |
| | 67 | <filename>/etc/apt/trusted.gpg.d/</filename> directory with a descriptive name |
| | 68 | (same rules for filename apply as for &apt-conf; files) and "<literal>gpg</literal>" |
| | 69 | as file extension. |
| | 70 | </para> |
| | 71 | </listitem> |
| | 72 | </varlistentry> |
| | 73 | |
| | 74 | <varlistentry><term><option>del</option> <option>&synopsis-param-keyid;</option></term> |
| | 75 | <listitem> |
| | 76 | <para> |
| | 77 | |
| | 78 | Remove a key from the list of trusted keys. |
| | 79 | |
| | 80 | </para> |
| | 81 | |
| | 82 | </listitem> |
| | 83 | </varlistentry> |
| | 84 | |
| | 85 | <varlistentry><term><option>export</option> <option>&synopsis-param-keyid;</option></term> |
| | 86 | <listitem> |
| | 87 | <para> |
| | 88 | |
| | 89 | Output the key &synopsis-param-keyid; to standard output. |
| | 90 | |
| | 91 | </para> |
| | 92 | |
| | 93 | </listitem> |
| | 94 | </varlistentry> |
| | 95 | |
| | 96 | <varlistentry><term><option>exportall</option></term> |
| | 97 | <listitem> |
| | 98 | <para> |
| | 99 | |
| | 100 | Output all trusted keys to standard output. |
| | 101 | |
| | 102 | </para> |
| | 103 | |
| | 104 | </listitem> |
| | 105 | </varlistentry> |
| | 106 | |
| | 107 | <varlistentry><term><option>list</option>, <option>finger</option></term> |
| | 108 | <listitem> |
| | 109 | <para> |
| | 110 | |
| | 111 | List trusted keys with fingerprints. |
| | 112 | |
| | 113 | </para> |
| | 114 | |
| | 115 | </listitem> |
| | 116 | </varlistentry> |
| | 117 | |
| | 118 | <varlistentry><term><option>adv</option></term> |
| | 119 | <listitem> |
| | 120 | <para> |
| | 121 | Pass advanced options to gpg. With <command>adv --recv-key</command> you |
| | 122 | can e.g. download key from keyservers directly into the the trusted set of |
| | 123 | keys. Note that there are <emphasis>no</emphasis> checks performed, so it is |
| | 124 | easy to completely undermine the &apt-secure; infrastructure if used without |
| | 125 | care. |
| | 126 | </para> |
| | 127 | |
| | 128 | </listitem> |
| | 129 | </varlistentry> |
| | 130 | |
| | 131 | <varlistentry><term><option>update</option> (deprecated)</term> |
| | 132 | <listitem> |
| | 133 | <para> |
| | 134 | Update the local keyring with the archive keyring and remove from |
| | 135 | the local keyring the archive keys which are no longer valid. |
| | 136 | The archive keyring is shipped in the <literal>archive-keyring</literal> package of your |
| | 137 | distribution, e.g. the &keyring-package; package in &keyring-distro;. |
| | 138 | </para> |
| | 139 | <para> |
| | 140 | Note that a distribution does not need to and in fact should not use |
| | 141 | this command any longer and instead ship keyring files in the |
| | 142 | <filename>/etc/apt/trusted.gpg</filename> directory directly as this |
| | 143 | avoids a dependency on <package>gnupg</package> and it is easier to manage |
| | 144 | keys by simply adding and removing files for maintainers and users alike. |
| | 145 | </para> |
| | 146 | </listitem> |
| | 147 | </varlistentry> |
| | 148 | |
| | 149 | <varlistentry><term><option>net-update</option></term> |
| | 150 | <listitem> |
| | 151 | <para> |
| | 152 | |
| | 153 | Perform an update working similarly to the <command>update</command> command above, |
| | 154 | but get the archive keyring from a URI instead and validate it against a master key. |
| | 155 | |
| | 156 | This requires an installed &wget; and an APT build configured to have |
| | 157 | a server to fetch from and a master keyring to validate. |
| | 158 | |
| | 159 | APT in Debian does not support this command, relying on |
| | 160 | <command>update</command> instead, but Ubuntu's APT does. |
| | 161 | |
| | 162 | </para> |
| | 163 | |
| | 164 | </listitem> |
| | 165 | </varlistentry> |
| | 166 | </variablelist> |
| | 167 | </refsect1> |
| | 168 | |
| | 169 | <refsect1><title>Options</title> |
| | 170 | <para>Note that options need to be defined before the commands described in the previous section.</para> |
| | 171 | <variablelist> |
| | 172 | <varlistentry><term><option>--keyring</option> <option>&synopsis-param-filename;</option></term> |
| | 173 | <listitem><para>With this option it is possible to specify a particular keyring |
| | 174 | file the command should operate on. The default is that a command is executed |
| | 175 | on the <filename>trusted.gpg</filename> file as well as on all parts in the |
| | 176 | <filename>trusted.gpg.d</filename> directory, though <filename>trusted.gpg</filename> |
| | 177 | is the primary keyring which means that e.g. new keys are added to this one. |
| | 178 | </para></listitem> |
| | 179 | </varlistentry> |
| | 180 | </variablelist> |
| | 181 | </refsect1> |
| | 182 | |
| | 183 | <refsect1><title>Files</title> |
| | 184 | <variablelist> |
| | 185 | |
| | 186 | &file-trustedgpg; |
| | 187 | |
| | 188 | </variablelist> |
| | 189 | |
| | 190 | </refsect1> |
| | 191 | |
| | 192 | <refsect1><title>See Also</title> |
| | 193 | <para> |
| | 194 | &apt-get;, &apt-secure; |
| | 195 | </para> |
| | 196 | </refsect1> |
| | 197 | |
| | 198 | &manbugs; |
| | 199 | &manauthor; |
| | 200 | |
| | 201 | </refentry> |
| | 202 | |
projects / apt.git / blame_incremental