LinuxCommandLibrary

pacman-key

Manage pacman's keyring for package authentication

TLDR

Initialize the pacman keyring

$ sudo pacman-key --init

Add the default Arch Linux keys
$ sudo pacman-key --populate

List keys from the public keyring
$ pacman-key [[-l|--list-keys]]

Add the specified keys
$ sudo pacman-key [[-a|--add]] [path/to/keyfile.gpg]

Receive a key from a key server
$ sudo pacman-key [[-r|--recv-keys]] "[uid|name|email]"

Print the fingerprint of a specific key
$ pacman-key [[-f|--finger]] "[uid|name|email]"

Sign an imported key locally
$ sudo pacman-key --lsign-key "[uid|name|email]"

Remove a specific key
$ sudo pacman-key [[-d|--delete]] "[uid|name|email]"

SYNOPSIS

pacman-key [--config <file>] [--arch <arch>] [--dbpath <path>] [--debug] [--verbose] [--quiet] [--help] [--version] <command> [<keyid-or-args>]

PARAMETERS

--config, -c
    Specify an alternate pacman configuration file.

--arch, -a
    Override system architecture.

--dbpath, -b
    Override the database directory location.

--debug
    Display debug information during execution.

--verbose, -v
    Increase verbosity of output.

--quiet, -q
    Suppress non-essential output.

--help, -h
    Display help and exit.

--version, -V
    Display version information and exit.

--init
    Initialize the pacman keyring directory structure.

--populate [keyring]
    Import and locally sign default keys for a keyring (e.g., archlinux).

--list-keys [keyid]
    List all or specified keys with details.

--list-sigs [keyid]
    List signatures attached to keys.

--finger [keyid]
    Display fingerprints for keys.

--export [keyid]
    Export specified or all keys to stdout.

--import [files...]
    Import keys from files or stdin.

--recv-keys [keyids...]
    Fetch keys from the keyserver.

--lsign-key keyid
    Locally sign a key (for AUR trust).

--edit-key keyid
    Interactively edit key trust via GPG.

--sign-key keyid
    Fully sign a key.

--desig-key keyid
    Designate a key as maintainer.

--del-key keyid
    Remove a key from the keyring.

DESCRIPTION

pacman-key is a command-line tool for managing the GnuPG public keyring used by Pacman, the default package manager in Arch Linux and derivatives like Manjaro. It handles initialization, importing, exporting, listing, signing, and revoking keys essential for verifying package signatures, ensuring software authenticity and integrity against tampering or man-in-the-middle attacks.

The keyring resides in /etc/pacman.d/gnupg, with separate pubring.gpg for public keys and trustdb.gpg for trust levels. On a fresh install, the keyring is empty, so initial setup involves sudo pacman-key --init to create GPG structures, followed by sudo pacman-key --populate archlinux to import official master keys (e.g., from Arch Linux developers). Users can add AUR maintainer keys via import or recv-keys.

Key operations include local signing (--lsign-key) for AUR trust without full certification, editing trust (--edit-key), and exporting for backups. It integrates with GPG but simplifies Pacman-specific workflows. Proper use prevents signature verification failures during pacman -Syu, maintaining secure updates.
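
The --recv-keys, --finger, --lsign-key and --delete operations above can be chained so that a key is only locally signed once its fingerprint matches one obtained out-of-band. The following is an added example, not code from this page or from the pacman project; it assumes it is run as root and that fingerprints are 40 hex digits, and the function names and the PACMAN_KEY override variable are hypothetical.

```shell
#!/bin/sh
# Added example, not pacman's own code. Run as root.
# Usage: pin_and_lsign <40-hex fingerprint obtained out-of-band>
# PACMAN_KEY is a hypothetical override so the logic can be tested offline.
PACMAN_KEY="${PACMAN_KEY:-pacman-key}"

# Reduce input to 40 uppercase hex digits (a v4 OpenPGP fingerprint).
# Short or 64-bit key IDs and anything non-hex are rejected.
normalize_fpr() {
    fpr=$(printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F')
    case "$fpr" in
        *[!0-9A-F]*) return 1 ;;
    esac
    [ "${#fpr}" -eq 40 ] || return 1
    printf '%s\n' "$fpr"
}

# Read `pacman-key --finger` output on stdin and print each fingerprint,
# normalized. Handles both "AB12 ..." and "Key fingerprint = AB12 ..." lines.
extract_fprs() {
    while IFS= read -r line; do
        normalize_fpr "${line#*=}" || true
    done
}

# Fetch the key by full fingerprint, confirm the keyring now holds exactly
# that fingerprint, and only then sign it locally. On mismatch, delete it.
pin_and_lsign() {
    want=$(normalize_fpr "$1") || {
        echo "need a full 40-hex fingerprint, not a short key ID" >&2
        return 2
    }
    "$PACMAN_KEY" --recv-keys "$want" || return 3
    got=$("$PACMAN_KEY" --finger "$want" | extract_fprs)
    if [ "$got" = "$want" ]; then
        "$PACMAN_KEY" --lsign-key "$want"
    else
        echo "fingerprint mismatch: wanted $want, got '${got:-none}'" >&2
        "$PACMAN_KEY" --delete "$want"
        return 1
    fi
}
```

Requesting the key by its full fingerprint rather than by name or short ID means a lookalike UID on the keyserver cannot be selected by accident.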

CAVEATS

Most operations require root.
Keyserver access needs a network connection; firewalls may block it.
Mishandling keys risks installing unverified packages or compromising trust.
Not intended for private keys; it works on the public keyring only.

KEYRING LOCATION

/etc/pacman.d/gnupg/ (700 perms, root-owned).
Contains pubring.gpg, trustdb.gpg.

INITIAL SETUP

sudo pacman-key --init
sudo pacman-key --populate archlinux

KEYSERVER CONFIG

Edit /etc/pacman.d/gnupg/gpg.conf for keyserver (default: hkps://keys.openpgp.org).

HISTORY

Introduced in pacman 4.0 (March 2010) to modularize GPG key management, replacing inline pacman key handling. Evolved with GPG 2.x support and keyserver improvements in later pacman 5.x/6.x releases for better Arch security.

SEE ALSO

pacman(8), gpg(1), pacman.conf(5), makepkg(8)
