summaryrefslogtreecommitdiff
path: root/doc/apt-key.8.xml
diff options
context:
space:
mode:
Diffstat (limited to 'doc/apt-key.8.xml')
-rw-r--r--doc/apt-key.8.xml246
1 files changed, 0 insertions, 246 deletions
diff --git a/doc/apt-key.8.xml b/doc/apt-key.8.xml
deleted file mode 100644
index c6c2d192e..000000000
--- a/doc/apt-key.8.xml
+++ /dev/null
@@ -1,246 +0,0 @@
-<?xml version="1.0" encoding="utf-8" standalone="no"?>
-<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
- "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
-<!ENTITY % aptent SYSTEM "apt.ent"> %aptent;
-<!ENTITY % aptverbatiment SYSTEM "apt-verbatim.ent"> %aptverbatiment;
-<!ENTITY % aptvendor SYSTEM "apt-vendor.ent"> %aptvendor;
-]>
-
-<refentry>
- <refentryinfo>
- &apt-author.jgunthorpe;
- &apt-author.team;
- &apt-email;
- &apt-product;
- <!-- The last update date -->
- <date>2024-02-20T00:00:00Z</date>
- </refentryinfo>
-
- <refmeta>
- <refentrytitle>apt-key</refentrytitle>
- <manvolnum>8</manvolnum>
- <refmiscinfo class="manual">APT</refmiscinfo>
- </refmeta>
-
- <!-- Man page title -->
- <refnamediv>
- <refname>apt-key</refname>
- <refpurpose>Deprecated APT key management utility</refpurpose>
- </refnamediv>
-
- &synopsis-command-apt-key;
-
- <refsect1><title>Description</title>
- <para>
- <command>apt-key</command> is used to manage the list of keys used
- by apt to authenticate packages. Packages which have been
- authenticated using these keys will be considered trusted.
- </para>
- <para>
- Use of <command>apt-key</command> is deprecated, except for the use of
- <command>apt-key del</command> in maintainer scripts to remove existing
- keys from the main keyring.
- If such usage of <command>apt-key</command> is desired the additional
- installation of the GNU Privacy Guard suite (packaged in
- <package>gnupg</package>) is required.
- </para>
- <para>
- apt-key(8) will last be available in Debian 12 and Ubuntu 24.04.
- </para>
-</refsect1>
-
-<refsect1><title>Supported keyring files</title>
-<para>apt-key supports only the binary OpenPGP format (also known as "GPG key
- public ring") in files with the "<literal>gpg</literal>" extension, not
- the keybox database format introduced in newer &gpg; versions as default
- for keyring files. Binary keyring files intended to be used with any apt
- version should therefore always be created with <command>gpg --export</command>.
-</para>
-<para>Alternatively, if all systems which should be using the created keyring
- have at least apt version >= 1.4 installed, you can use the ASCII armored
- format with the "<literal>asc</literal>" extension instead which can be
- created with <command>gpg --armor --export</command>.
-</para>
-</refsect1>
-
-<refsect1><title>Commands</title>
- <variablelist>
- <varlistentry><term><option>add</option> <option>&synopsis-param-filename;</option> (deprecated)</term>
- <listitem>
- <para>
- Add a new key to the list of trusted keys.
- The key is read from the filename given with the parameter
- &synopsis-param-filename; or if the filename is <literal>-</literal>
- from standard input.
- </para>
- <para>
- It is critical that keys added manually via <command>apt-key</command> are
- verified to belong to the owner of the repositories they claim to be for
- otherwise the &apt-secure; infrastructure is completely undermined.
- </para>
- <para>
- <emphasis>Note</emphasis>: Instead of using this command a keyring
- should be placed directly in the <filename>/etc/apt/trusted.gpg.d/</filename>
- directory with a descriptive name and either "<literal>gpg</literal>" or
- "<literal>asc</literal>" as file extension.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry><term><option>del</option> <option>&synopsis-param-keyid;</option> (mostly deprecated)</term>
- <listitem>
- <para>
-
- Remove a key from the list of trusted keys.
-
- </para>
-
- </listitem>
- </varlistentry>
-
- <varlistentry><term><option>export</option> <option>&synopsis-param-keyid;</option> (deprecated)</term>
- <listitem>
- <para>
-
- Output the key &synopsis-param-keyid; to standard output.
-
- </para>
-
- </listitem>
- </varlistentry>
-
- <varlistentry><term><option>exportall</option> (deprecated)</term>
- <listitem>
- <para>
-
- Output all trusted keys to standard output.
-
- </para>
-
- </listitem>
- </varlistentry>
-
- <varlistentry><term><option>list</option>, <option>finger</option> (deprecated)</term>
- <listitem>
- <para>
-
- List trusted keys with fingerprints.
-
- </para>
-
- </listitem>
- </varlistentry>
-
- <varlistentry><term><option>adv</option> (deprecated)</term>
- <listitem>
- <para>
- Pass advanced options to gpg. With <command>adv --recv-key</command> you
- can e.g. download key from keyservers directly into the trusted set of
- keys. Note that there are <emphasis>no</emphasis> checks performed, so it is
- easy to completely undermine the &apt-secure; infrastructure if used without
- care.
- </para>
-
- </listitem>
- </varlistentry>
-
- <varlistentry><term><option>update</option> (deprecated)</term>
- <listitem>
- <para>
- Update the local keyring with the archive keyring and remove from
- the local keyring the archive keys which are no longer valid.
- The archive keyring is shipped in the <literal>archive-keyring</literal> package of your
- distribution, e.g. the &keyring-package; package in &keyring-distro;.
- </para>
- <para>
- Note that a distribution does not need to and in fact should not use
- this command any longer and instead ship keyring files in the
- <filename>/etc/apt/trusted.gpg.d/</filename> directory directly as this
- avoids a dependency on <package>gnupg</package> and it is easier to manage
- keys by simply adding and removing files for maintainers and users alike.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry><term><option>net-update</option> (deprecated)</term>
- <listitem>
- <para>
-
- Perform an update working similarly to the <command>update</command> command above,
- but get the archive keyring from a URI instead and validate it against a master key.
-
- This requires an installed &wget; and an APT build configured to have
- a server to fetch from and a master keyring to validate.
-
- APT in Debian does not support this command, relying on
- <command>update</command> instead, but Ubuntu's APT does.
-
- </para>
-
- </listitem>
- </varlistentry>
- </variablelist>
-</refsect1>
-
- <refsect1><title>Options</title>
-<para>Note that options need to be defined before the commands described in the previous section.</para>
- <variablelist>
- <varlistentry><term><option>--keyring</option> <option>&synopsis-param-filename;</option> (deprecated)</term>
- <listitem><para>With this option it is possible to specify a particular keyring
- file the command should operate on. The default is that a command is executed
- on the <filename>trusted.gpg</filename> file as well as on all parts in the
- <filename>trusted.gpg.d</filename> directory, though <filename>trusted.gpg</filename>
- is the primary keyring which means that e.g. new keys are added to this one.
- </para></listitem>
- </varlistentry>
- </variablelist>
- </refsect1>
-
- <refsect1><title>Deprecation</title>
-
- <para>Except for using <command>apt-key del</command> in maintainer scripts, the use of <command>apt-key</command> is deprecated. This section shows how to replace existing use of <command>apt-key</command>.</para>
-
-<para>If your existing use of <command>apt-key add</command> looks like this:</para>
-<para><literal>wget -qO- https://myrepo.example/myrepo.asc | sudo apt-key add -</literal></para>
-<para>Then you can directly replace this with (though note the recommendation below):</para>
-<para><literal>wget -qO- https://myrepo.example/myrepo.asc | sudo tee /etc/apt/trusted.gpg.d/myrepo.asc</literal></para>
-<para>Make sure to use the "<literal>asc</literal>" extension for ASCII armored
-keys and the "<literal>gpg</literal>" extension for the binary OpenPGP
-format (also known as "GPG key public ring"). The binary OpenPGP format works
-for all apt versions, while the ASCII armored format works for apt version >=
-1.4.</para>
-<para><emphasis>Recommended:</emphasis> Instead of placing keys into the <filename>/etc/apt/trusted.gpg.d</filename>
-directory, you can place them anywhere on your filesystem by using the
-<literal>Signed-By</literal> option in your <literal>sources.list</literal> and
-pointing to the filename of the key. See &sources-list; for details.
-Since APT 2.4, <filename>/etc/apt/keyrings</filename> is provided as the recommended
-location for keys not managed by packages.
-When using a deb822-style sources.list, and with apt version >= 2.4, the
-<literal>Signed-By</literal> option can also be used to include the full ASCII
-armored keyring directly in the <literal>sources.list</literal> without an
-additional file.
-</para>
-
- </refsect1>
-
-
- <refsect1><title>Files</title>
- <variablelist>
-
- &file-trustedgpg;
-
- </variablelist>
-
-</refsect1>
-
-<refsect1><title>See Also</title>
-<para>
-&apt-get;, &apt-secure;
-</para>
-</refsect1>
-
- &manbugs;
- &manauthor;
-
-</refentry>
-