tlmgr-key
Manage GPG keys for TeX Live packages
TLDR
List all keys for TeX Live
Add a key from a specific file
Add a key from stdin
Remove a specific key by its ID
SYNOPSIS
tlmgr key [options] [command] [arguments]
Common commands:
tlmgr key list
tlmgr key add keyid
tlmgr key remove keyid
tlmgr key import filename
tlmgr key export keyid
tlmgr key fingerprint keyid
PARAMETERS
list
Lists all GPG keys currently trusted by tlmgr for repository verification.
add
Adds a specific GPG key to the trusted keyring using its 8- or 16-character key ID. The key is typically fetched from a public key server.
remove
Removes a GPG key from the trusted keyring using its key ID.
import
Imports one or more GPG keys from a specified file. This is useful for adding keys that are not available on public key servers or that are provided directly by a mirror.
export
Exports a specific GPG key from the trusted keyring to standard output or a file.
fingerprint
Displays the fingerprint of a given key ID, helping to verify the key's authenticity.
DESCRIPTION
tlmgr-key is a subcommand of tlmgr, the TeX Live package manager, specifically designed for managing GPG (GNU Privacy Guard) keys. These keys are crucial for verifying the authenticity and integrity of TeX Live repositories and packages during updates and installations. By using cryptographic signatures, tlmgr-key helps ensure that the packages you download have not been tampered with and originate from trusted sources.
It allows users to list currently trusted keys, add new keys, remove existing ones, and import/export keys, primarily for situations where new mirrors or repository signing keys are introduced. Proper key management is essential for maintaining the security and reliability of your TeX Live installation.
CAVEATS
tlmgr-key directly manipulates the GPG keyring used by TeX Live. Adding an untrusted key creates a security vulnerability, and removing a necessary key can prevent updates.
Always verify the authenticity of new keys through official TeX Live channels before adding them. Network connectivity is often required for adding keys via public key servers.
IMPORTANCE OF KEY VERIFICATION
GPG key verification is a critical security measure. It ensures that the TeX Live packages you download and install are genuinely from the TeX Live project and have not been altered maliciously during transit. Always prioritize using verified keys to safeguard your system.
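One way to enforce this verification before a key file is added, as an added example that is not part of the original page or of TeX Live: the functions below compare the file's primary-key fingerprint with one obtained from official TeX Live channels, and only then run the add-from-file operation listed in the TLDR, assumed here to be `tlmgr key add <file>`. The function names and the one-key-per-file rule are choices of this example, and `gpg --show-keys` needs a recent GnuPG 2.x.

```sh
#!/bin/sh
# Added example (not from the tlmgr documentation): check a key file's
# fingerprint before it reaches the TeX Live keyring. Function names are
# hypothetical; the expected fingerprint comes from official TeX Live channels.

# Strip spaces/colons and upper-case, so "aaaa bbbb ..." compares equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' :\t\n' | tr 'abcdef' 'ABCDEF'
}

# stdin: `gpg --with-colons` listing. In that format the first "fpr" record
# after a "pub" record holds the primary key fingerprint in field 10.
primary_fpr() {
    awk -F: '$1 == "pub" { want = 1; next }
             $1 == "fpr" && want { print $10; exit }'
}

# stdin: same listing. Prints how many primary keys the file carries.
count_pub() {
    awk -F: '$1 == "pub" { n++ } END { print n + 0 }'
}

# check_listing EXPECTED_FPR  (listing on stdin)
# Succeeds only for a single-key listing whose primary fingerprint matches.
check_listing() {
    expected=$(normalize_fpr "$1")
    # Require a full fingerprint, not an 8- or 16-character key ID.
    if [ "${#expected}" -lt 40 ]; then
        echo "expected value is not a full fingerprint" >&2; return 2
    fi
    listing=$(cat)
    if [ "$(printf '%s\n' "$listing" | count_pub)" -ne 1 ]; then
        echo "refusing: file must contain exactly one key" >&2; return 1
    fi
    actual=$(printf '%s\n' "$listing" | primary_fpr)
    if [ "$actual" != "$expected" ]; then
        echo "refusing: fingerprint is $actual" >&2; return 1
    fi
}

# verify_and_add KEYFILE EXPECTED_FPR
# Inspects the file without importing it, then adds it only if the check passes.
verify_and_add() {
    gpg --batch --with-colons --show-keys "$1" | check_listing "$2" || return 1
    tlmgr key add "$1"   # assumed file form of the add command
}

if [ "$#" -eq 2 ]; then verify_and_add "$1" "$2"; fi
```

The check matches only the primary key's fingerprint, so a subkey fingerprint or a short key ID is rejected even when it belongs to the right key.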
KEY SERVERS
When using `tlmgr key add`, the command typically attempts to fetch the key from a public key server. If you are behind a firewall or have specific network configurations, you might need to adjust your environment or import keys manually from a file.
HISTORY
The tlmgr-key functionality was introduced into TeX Live as part of ongoing efforts to enhance the security of package management. Prior to its implementation, verifying the integrity of TeX Live packages relied less on cryptographic signatures, making the update process potentially more vulnerable to tampering. Its inclusion reflects a broader trend in software distribution towards robust digital signature verification to ensure trusted sources and prevent supply chain attacks.