Welcome to the Pacman bug tracker. Please search the current bugs and feature requests before filing a new one! Use advanced search and select "Search in Comments".

* Please select the correct category and version.
* Write a descriptive summary, background info, and provide a reproducible test case whenever possible.

FS#72329 - Add option to pacman-key to wipe existing keyring

Attached to Project: Pacman
Opened by Clar Fon (lightdark) - Sunday, 03 October 2021, 04:26 GMT
Last edited by Andreas Radke (AndyRTR) - Sunday, 10 October 2021, 18:25 GMT
Task Type Feature Request
Category General
Status Assigned
Assigned To No-one
Architecture All
Severity Low
Priority Normal
Reported Version 6.0.0
Due in Version Undecided
Due Date Undecided
Percent Complete 0%
Votes 0
Private No


The existing Arch Linux docker image already uses a custom set of commands to remove the private keys from `/etc/pacman.d/gnupg`, to ensure that containers can't be exploited by containing the same common private key. This command would be useful in general for people who want to create their own rootfs distributions, or who have potentially had their rootfs compromised and would like to generate a new keyring.

Ideally, users would be able to run a `pacman-key --wipe` command to perform this operation, meaning that a `pacman-key --init` would have to be run before packages can be installed. There could potentially also be a `pacman-key --rotate` operation which would combine these two operations.

A link to the relevant code in the docker repo (at the time of writing) be found here:

Ideally, this would just wipe out the keys and not remove any `gpg.conf` or `gpg-agent.conf` files already existing in the directory, as the linked version does.
This task depends upon