From e1b9f7b3005c4d6db9cc84e95a42d4beba6c7e24 Mon Sep 17 00:00:00 2001 From: Allan McRae Date: Tue, 23 Aug 2011 16:10:06 +1000 Subject: pacman-key: rework and document holding keys in keyring The HoldKey option was undocumented and was not suited for pacman.conf. Instead use the file "/etc/pacman.d/gnupg/heldkeys" to contain a list of keys not to be removed from the pacman keyring with the --populate option. Signed-off-by: Allan McRae --- doc/pacman-key.8.txt | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) (limited to 'doc') diff --git a/doc/pacman-key.8.txt b/doc/pacman-key.8.txt index ff8d38df..3582b993 100644 --- a/doc/pacman-key.8.txt +++ b/doc/pacman-key.8.txt @@ -101,12 +101,16 @@ A distribution or other repository provided may want to provide a set of valid PGP keys used in the signing of its packages and repository databases that can be readily imported into the pacman keyring. This is achieved by providing a PGP keyring file `foo.gpg` that contains the keys for the foo keyring in the -directory +{pkgdatadir}/keyrings+. Optionally the file `foo-revoked` can be +directory +{pkgdatadir}/keyrings+. Optionally the file `foo-revoked` can be provided containing a list of revoked key IDs for that keyring. These files are required to be signed (detached) by a trusted PGP key that the user must -manually import to the pacman keyring. This prevents a potentially malicious +manually import to the pacman keyring. This prevents a potentially malicious repository adding keys to the pacman keyring without the users knowledge. +A key being marked as revoked always takes priority over the key being added to +the pacman keyring, regardless of the keyring it is provided in. To prevent a +key from being revoked when using --populate, its ID can be listed in ++{sysconfdir}/pacman.d/gnupg/holdkeys+. See Also -------- -- cgit v1.2.3-24-g4f1b