LinuxCommandLibrary

tlmgr-key

Manage GPG keys for TeX Live packages

TLDR

List all keys for TeX Live

$ tlmgr key list
copy

Add a key from a specific file
$ sudo tlmgr key add [path/to/key.gpg]
copy

Add a key from stdin
$ cat [path/to/key.gpg] | sudo tlmgr key add -
copy

Remove a specific key by its ID
$ sudo tlmgr key remove [key_id]
copy

SYNOPSIS

tlmgr-key [--help] [--list] [--import ...] [--delete ...]

PARAMETERS

--help
    Displays the help message and exits.

--list
    Lists the currently trusted GPG keys.

--import ...
    Imports one or more GPG keys from the specified files. Each should contain a GPG key in ASCII armored format.

--delete ...
    Deletes one or more GPG keys identified by their key IDs. The key ID can be a short or long form of the key fingerprint.

DESCRIPTION

The `tlmgr-key` command is a utility included with TeX Live Manager (tlmgr) for managing the GPG keys used to verify the integrity and authenticity of TeX Live packages. It allows importing, listing, and deleting GPG keys trusted by tlmgr. Using properly configured keys, you can verify that the packages you install are genuinely from the TeX Live project and have not been tampered with. This is an important security measure.

Without trusted keys, `tlmgr` will issue warnings or refuse to install updates, potentially leaving your system vulnerable to malicious packages. Proper key management ensures a secure and reliable TeX Live installation.

Using `tlmgr-key` properly ensures that your TeX Live distribution only installs verified packages from the official TeX Live repositories. This helps prevent security breaches.

CAVEATS

If you are using a non-standard GPG setup, `tlmgr-key` may require adjustments to its configuration. Also, always verify the authenticity of any imported key before trusting it.

KEY VERIFICATION

Before importing a key, it is crucial to verify its authenticity. Obtain the key fingerprint from a trusted source, such as the TeX Live website or a reputable TeX user group. Compare the fingerprint with the one displayed by `tlmgr-key --list` after importing the key. If they match, you can be reasonably sure that the key is genuine.

SEE ALSO

tlmgr(1)

Copied to clipboard