LinuxCommandLibrary

pacman-key

Manage pacman's keyring for package authentication

TLDR

Initialize the pacman keyring
$ sudo pacman-key --init

Add the default Arch Linux keys
$ sudo pacman-key --populate

List keys from the public keyring
$ pacman-key [[-l|--list-keys]]

Add the specified keys
$ sudo pacman-key [[-a|--add]] [path/to/keyfile.gpg]

Receive a key from a key server
$ sudo pacman-key [[-r|--recv-keys]] "[uid|name|email]"

Print the fingerprint of a specific key
$ pacman-key [[-f|--finger]] "[uid|name|email]"

Sign an imported key locally
$ sudo pacman-key --lsign-key "[uid|name|email]"

Remove a specific key
$ sudo pacman-key [[-d|--delete]] "[uid|name|email]"

SYNOPSIS

pacman-key [options] <operation> [arguments]
pacman-key [options] --recv-keys <keys>...
pacman-key [-hVv] [--nocolor]

PARAMETERS

init
    Initializes the pacman keyring, creating necessary GnuPG directories and files.

populate [archlinux]
    Populates the keyring with a default set of trusted keys, typically official Arch Linux master keys.

add
    Adds public keys from specified key files to the keyring.

list [keys]
    Lists all keys in the keyring, or specific keys if arguments are provided.

refresh
    Refreshes all keys in the keyring from a configured keyserver to update their status and trust.

finger [keys]
    Displays the fingerprints of all keys or specified keys in the keyring.

sign ...
    Locally signs specified keys, indicating your trust in them.

verify
    Verifies the cryptographic signatures on local files using keys in the keyring.

export ...
    Exports specified public keys from the keyring to standard output or a file.

delete ...
    Deletes specified keys from the keyring.

revoke ...
    Revokes specified keys, marking them as invalid within the keyring.

clean
    Removes untrusted or revoked keys from the keyring.

-h, --help
    Shows a help message and exits.

-V, --version
    Displays version information and exits.

-v, --verbose
    Increases output verbosity.

--nocolor
    Disables colored output.

--keyserver
    Specifies an alternative keyserver to use for key operations.

--keyserver-options
    Passes additional options to the keyserver daemon (dirmngr).

--gpgdir
    Specifies an alternative GnuPG home directory for keyring operations.

--recv-keys ...
    Receives specified keys directly from a keyserver.

DESCRIPTION

pacman-key is a critical utility for managing the GnuPG keyring used by pacman, the Arch Linux package manager.
Its primary function is to ensure the integrity and authenticity of packages downloaded and installed on your system.
By verifying cryptographic signatures attached to packages, pacman-key helps prevent the installation of tampered, malicious, or unofficial software.

The command facilitates various operations including initializing the keyring, populating it with official Arch Linux keys, refreshing keys from external keyservers, adding third-party developer keys, signing keys, and revoking or deleting compromised keys.
Proper management of the pacman keyring is paramount for maintaining the security and trustworthiness of your Arch Linux installation, protecting against supply chain attacks and ensuring that only trusted software is executed.

CAVEATS

Most pacman-key operations require root privileges to modify the system-wide keyring.
Network connectivity is essential for operations like refreshing or receiving keys from keyservers.
Adding keys from untrusted sources can compromise system security; always verify key fingerprints.
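The fingerprint check the caveat above calls for, applied to the `--finger` then `--lsign-key` sequence from the TLDR section. This is an added example, not code from the page or from pacman; the sample `--finger` output is constructed, and `KEYID` and the expected fingerprint passed to `safe_lsign` are placeholders that must come from a trusted out-of-band source.

```shell
#!/bin/sh
# Added example, not code from the page or from pacman itself: refuse to
# lsign a key unless the fingerprint pacman-key reports matches one obtained
# out of band (for instance from the upstream project's HTTPS site).

# Constructed sample of `pacman-key --finger` output, used for offline testing.
SAMPLE_FINGER_OUTPUT='pub   rsa4096 2020-01-01 [SC]
      ABCD 1234 ABCD 1234 ABCD  1234 ABCD 1234 ABCD 1234
uid           [  full  ] Example Packager <packager@example.org>'

# normalize_fp FP: drop spaces and uppercase, so spaced and compact forms compare equal.
normalize_fp() {
    printf '%s' "$1" | tr -d ' \t' | tr 'a-f' 'A-F'
}

# extract_fp: read --finger output on stdin and print the first 40-hex-digit
# fingerprint (handles both the bare line and the "Key fingerprint = ..." form).
extract_fp() {
    sed -e 's/.*= *//' | tr -d ' ' | grep -oE '^[0-9A-Fa-f]{40}$' | head -n 1
}

# fingerprint_matches EXPECTED OUTPUT: status 0 when OUTPUT carries EXPECTED, else 1.
fingerprint_matches() {
    actual=$(printf '%s\n' "$2" | extract_fp)
    [ -n "$actual" ] && [ "$actual" = "$(normalize_fp "$1")" ]
}

# safe_lsign KEYID EXPECTED_FP: look the key up, compare, and lsign only on a match.
safe_lsign() {
    out=$(pacman-key --finger "$1") || return 1
    if fingerprint_matches "$2" "$out"; then
        sudo pacman-key --lsign-key "$1"
    else
        echo "fingerprint mismatch for $1; refusing to lsign" >&2
        return 1
    fi
}
```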

KEYRING LOCATION

The default location for the pacman keyring is /etc/pacman.d/gnupg/.
This directory contains the GnuPG key database used for signature verification.

INITIAL SETUP

For a new Arch Linux installation, the keyring must first be initialized with pacman-key --init.
Subsequently, it's populated with official Arch Linux keys using pacman-key --populate archlinux to ensure trusted package installation from the outset.

TRUST MANAGEMENT AND SIGLEVEL

The level of signature verification performed by pacman is configured via the SigLevel option in /etc/pacman.conf.
Common settings include Required DatabaseOptional (default) or Required DatabaseRequired, dictating how strictly signatures are checked against the keys managed by pacman-key.
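An audit of the SigLevel settings described above, as an added example that is not part of the page or of pacman: it flags any SigLevel line (global or per-repository) that turns verification off with Never or accepts untrusted keys with TrustAll, including the Package- and Database-prefixed forms. The sample configuration is constructed; only the /etc/pacman.conf path comes from the page.

```shell
#!/bin/sh
# Added example, not from the page or the pacman project: audit a pacman.conf
# for SigLevel settings that switch verification off (Never) or accept any
# key regardless of trust (TrustAll), in plain or Package/Database-prefixed form.

# Constructed sample configuration used for offline testing.
SAMPLE_PACMAN_CONF='[options]
SigLevel    = Required DatabaseOptional
[core]
SigLevel = Never
Include = /etc/pacman.d/mirrorlist
[custom]
SigLevel = Optional TrustAll
Server = file:///srv/pkgs'

# siglevel_findings CONF_TEXT: print "section: value" for each weak SigLevel
# line; exit status 1 if any was found, 0 if the configuration is clean.
siglevel_findings() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*\[/ {
            sect = $0
            sub(/^[[:space:]]*\[/, "", sect); sub(/\].*$/, "", sect)
        }
        /^[[:space:]]*SigLevel[[:space:]]*=/ {
            val = $0
            sub(/^[^=]*=[[:space:]]*/, "", val); sub(/[[:space:]]*$/, "", val)
            if (val ~ /(^|[[:space:]])(Package|Database)?(Never|TrustAll)/) {
                print sect ": " val
                bad = 1
            }
        }
        END { if (bad) exit 1; exit 0 }'
}

# audit_system_pacman_conf: run the same check against the live configuration file.
audit_system_pacman_conf() {
    siglevel_findings "$(cat /etc/pacman.conf)"
}
```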

HISTORY

The pacman-key utility was introduced to Arch Linux as a crucial component of its package signing initiative.
This initiative aimed to significantly enhance the security of the Arch Linux distribution by ensuring the authenticity and integrity of all official packages.
Before its implementation, package verification was less robust, relying more on checksums than cryptographic signatures.
With pacman-key, signature verification became a standard and mandatory part of the package installation process, making Arch Linux installations inherently more secure against malicious package injection or tampering.

SEE ALSO

pacman(8): The primary Arch Linux package manager.
gpg(1): The GnuPG command-line tool, used by pacman-key for cryptographic operations.
dirmngr(8): A GnuPG component managing interactions with keyservers.
pacman.conf(5): The main configuration file for pacman, where signature verification levels are set.
