.\" Automatically generated by Pod::Man 4.10 (Pod::Simple 3.35)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings.  \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote.  \*(C+ will
.\" give a nicer C++.  Capital omega is used to do unbreakable dashes and
.\" therefore won't be available.  \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
.    ds -- \(*W-
.    ds PI pi
.    if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
.    if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\"  diablo 12 pitch
.    ds L" ""
.    ds R" ""
.    ds C` ""
.    ds C' ""
'br\}
.el\{\
.    ds -- \|\(em\|
.    ds PI \(*p
.    ds L" ``
.    ds R" ''
.    ds C`
.    ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el       .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD.  Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
.    if \nF \{\
.        de IX
.        tm Index:\\$1\t\\n%\t"\\$2"
..
.        if !\nF==2 \{\
.            nr % 0
.            nr F 2
.        \}
.    \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear.  Run.  Save yourself.  No user-serviceable parts.
.    \" fudge factors for nroff and troff
.if n \{\
.    ds #H 0
.    ds #V .8m
.    ds #F .3m
.    ds #[ \f1
.    ds #] \fP
.\}
.if t \{\
.    ds #H ((1u-(\\\\n(.fu%2u))*.13m)
.    ds #V .6m
.    ds #F 0
.    ds #[ \&
.    ds #] \&
.\}
.    \" simple accents for nroff and troff
.if n \{\
.    ds ' \&
.    ds ` \&
.    ds ^ \&
.    ds , \&
.    ds ~ ~
.    ds /
.\}
.if t \{\
.    ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
.    ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
.    ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
.    ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
.    ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
.    ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
.    \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
.    \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
.    \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
.    ds : e
.    ds 8 ss
.    ds o a
.    ds d- d\h'-1'\(ga
.    ds D- D\h'-1'\(hy
.    ds th \o'bp'
.    ds Th \o'LP'
.    ds ae ae
.    ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "CAFF 1"
.TH CAFF 1 "2019-05-05" "perl v5.28.1" "User Contributed Perl Documentation"
.\" For nroff, turn off justification.  Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
caff \-\- CA \- Fire and Forget
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.IP "\fBcaff\fR [\-eERS] [\-m \fIyes|ask\-yes|ask\-no|no\fR] [\-u \fIyourkeyid\fR] \fIkeyid\fR [\fIkeyid\fR ..]" 4
.IX Item "caff [-eERS] [-m yes|ask-yes|ask-no|no] [-u yourkeyid] keyid [keyid ..]"
.PD 0
.IP "\fBcaff\fR [\-eERS] [\-m \fIyes|ask\-yes|ask\-no|no\fR] [\-u \fIyourkeyid\fR] [\fIkeyid\fR ..] <\fI/path/to/ksp\-annotated.txt\fR" 4
.IX Item "caff [-eERS] [-m yes|ask-yes|ask-no|no] [-u yourkeyid] [keyid ..] </path/to/ksp-annotated.txt"
.PD
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\s-1CA\s0 Fire and Forget is a script that helps you in keysigning.  It takes a list
of keyids on the command line, fetches them from a keyserver and calls GnuPG so
that you can sign it.  It then mails each key to all its email addresses \- only
including the one \s-1UID\s0 that we send to in each mail, pruned from all but self
sigs and sigs done by you.  The mailed key is encrypted with itself as a means
to verify that key belongs to the recipient.
.PP
The list of keys to sign can also be provided through caff's standard
input, as \fBgpgparticipants\fR\|(1) formatted content.  Only keys for which
both the \*(L"Fingerprint \s-1OK\*(R"\s0 and \*(L"\s-1ID OK\*(R"\s0 boxes are ticked (i.e., marked
with an \*(L"x\*(R") are considered for signing.  Furthermore, the input header
must include at least one checksum line, and all checksum boxes must be
marked as verified (with an \*(L"x\*(R").
.SH "OPTIONS"
.IX Header "OPTIONS"
.IP "\fB\-e\fR, \fB\-\-export\-old\fR" 4
.IX Item "-e, --export-old"
Export old signatures. Default is to ask the user for each old signature.
.IP "\fB\-E\fR, \fB\-\-no\-export\-old\fR" 4
.IX Item "-E, --no-export-old"
Do not export old signatures. Default is to ask the user for each old
signature.
.IP "\fB\-m\fR, \fB\-\-mail\fR \fIyes|ask\-yes|ask\-no|no\fR" 4
.IX Item "-m, --mail yes|ask-yes|ask-no|no"
Whether to send mail after signing. Default is to ask, for each uid,
with a default value of yes.
.IP "\fB\-R\fR, \fB\-\-no\-download\fR" 4
.IX Item "-R, --no-download"
Do not retrieve the key to be signed from a keyserver.
.IP "\fB\-S\fR, \fB\-\-no\-sign\fR" 4
.IX Item "-S, --no-sign"
Do not sign the keys.
.IP "\fB\-u\fR \fIyourkeyid\fR, \fB\-\-local\-user\fR \fIyourkeyid\fR" 4
.IX Item "-u yourkeyid, --local-user yourkeyid"
Select the key that is used for signing, in case you have more than one key.
To sign with multiple keys at once, separate multiple keyids by comma. This
option requires the key(s) to be defined through the keyid variable in the
configuration file.
.IP "\fB\-\-key\-file\fR \fIfile\fR" 4
.IX Item "--key-file file"
Import keys from file. Can be supplied more than once.
.IP "\fB\-\-keys\-from\-gnupg\fR" 4
.IX Item "--keys-from-gnupg"
Try to import keys from your standard GnuPG keyrings.
.IP "\fB\-\-debug\fR" 4
.IX Item "--debug"
Enable debug messages.
.SH "ENVIRONMENT"
.IX Header "ENVIRONMENT"
.IP "\fI\s-1HOME\s0\fR" 4
.IX Item "HOME"
The default home directory.
.IP "\fI\s-1GNUPGBIN\s0\fR" 4
.IX Item "GNUPGBIN"
The gpg binary.  Default: \f(CW"gpg"\fR.
.IP "\fI\s-1GNUPGHOME\s0\fR" 4
.IX Item "GNUPGHOME"
The default working directory for gpg.  Default: \f(CW\*(C`$HOME/.gnupg\*(C'\fR.
.SH "FILES"
.IX Header "FILES"
.ie n .IP "$HOME/.caffrc  \-  configuration file" 4
.el .IP "\f(CW$HOME\fR/.caffrc  \-  configuration file" 4
.IX Item "$HOME/.caffrc - configuration file"
.PD 0
.ie n .IP "$HOME/.caff/keys/yyyy\-mm\-dd/  \-  processed keys" 4
.el .IP "\f(CW$HOME\fR/.caff/keys/yyyy\-mm\-dd/  \-  processed keys" 4
.IX Item "$HOME/.caff/keys/yyyy-mm-dd/ - processed keys"
.ie n .IP "$HOME/.caff/gnupghome/  \-  caff's working directory for gpg" 4
.el .IP "\f(CW$HOME\fR/.caff/gnupghome/  \-  caff's working directory for gpg" 4
.IX Item "$HOME/.caff/gnupghome/ - caff's working directory for gpg"
.ie n .IP "$HOME/.caff/gnupghome/gpg.conf  \-  gpg configuration (see \fB\s-1NOTES\s0\fR below)" 4
.el .IP "\f(CW$HOME\fR/.caff/gnupghome/gpg.conf  \-  gpg configuration (see \fB\s-1NOTES\s0\fR below)" 4
.IX Item "$HOME/.caff/gnupghome/gpg.conf - gpg configuration (see NOTES below)"
.PD
useful options include use-agent, keyserver, keyserver-options, default-cert-level, etc.
.SH "CONFIGURATION FILE OPTIONS"
.IX Header "CONFIGURATION FILE OPTIONS"
The configuration file is a perl script that sets values in the hash \fB\f(CB%CONFIG\fB\fR.
The file is generated when it does not exist.
.PP
Example:
.PP
.Vb 3
\&        $CONFIG{\*(Aqowner\*(Aq} = q{Peter Palfrader};
\&        $CONFIG{\*(Aqemail\*(Aq} = q{peter@palfrader.org};
\&        $CONFIG{\*(Aqkeyid\*(Aq} = [ qw{DE7AAF6E94C09C7F 62AF4031C82E0039} ];
.Ve
.SS "Required basic settings"
.IX Subsection "Required basic settings"
.IP "\fBowner\fR [string]" 4
.IX Item "owner [string]"
Your name.  \fB\s-1REQUIRED\s0\fR.
.IP "\fBemail\fR [string]" 4
.IX Item "email [string]"
Your email address, used in From: lines.  \fB\s-1REQUIRED\s0\fR.
.IP "\fBkeyid\fR [list of keyids]" 4
.IX Item "keyid [list of keyids]"
A list of your keys.  This is used to determine which signatures to keep
in the pruning step.  If you select a key using \fB\-u\fR it has to be in
this list.  \fB\s-1REQUIRED\s0\fR.
.SS "General settings"
.IX Subsection "General settings"
.IP "\fBcaffhome\fR [string]" 4
.IX Item "caffhome [string]"
Base directory for the files caff stores.  Default: \fB\f(CB$HOME\fB/.caff/\fR.
.IP "\fBcolors\fR [hash]" 4
.IX Item "colors [hash]"
How to color output messages.  See the \f(CW\*(C`Term::ANSIColor\*(C'\fR documentation
for the list of supported colors; colored output can be disabled by
setting this option to an empty hash \fB{}\fR.  Default:
.Sp
.Vb 7
\&        { error => \*(Aqbold bright_red\*(Aq
\&        , warn => \*(Aqbright_red\*(Aq
\&        , notice => \*(Aqbold\*(Aq
\&        , info => \*(Aq\*(Aq
\&        , success => \*(Aqgreen\*(Aq # used in combination with \*(Aqnotice\*(Aq and \*(Aqinfo\*(Aq
\&        , fail => \*(Aqyellow\*(Aq   # used in combination with \*(Aqnotice\*(Aq and \*(Aqinfo\*(Aq
\&        }
.Ve
.SS "GnuPG settings"
.IX Subsection "GnuPG settings"
.IP "\fBgpg\fR [string]" 4
.IX Item "gpg [string]"
Path to the GnuPG binary.  Default: The value of the \fI\s-1GNUPGBIN\s0\fR
environment variable if set, otherwise \f(CW\*(C`gpg\*(C'\fR.
.IP "\fBsecret-keyring\fR [string]" 4
.IX Item "secret-keyring [string]"
Path to your secret keyring (GnuPG < 2.1), or to the GnuPGHOME
of the agent managing the secret key material (GnuPG >= 2.1).
Default: \fB\f(CB$HOME\fB/.gnupg/secring.gpg\fR.
If the value is not a directory with GnuPG >= 2.1, the parent directory
(i.e., \fB\f(CB$HOME\fB/.gnupg\fR by default) is considered instead.
.IP "\fBalso-encrypt-to\fR [keyid, or list of keyids]" 4
.IX Item "also-encrypt-to [keyid, or list of keyids]"
Additional keyids to encrypt messages to. Default: none.
.IP "\fBgpg-sign-type\fR [string]" 4
.IX Item "gpg-sign-type [string]"
The prefix to the \*(L"sign\*(R" command used to make the signature from gpg's
shell.  Can be set to a mix of \*(L"l\*(R" (local), \*(L"nr\*(R" (non-revocable) or \*(L"t\*(R"
(trust) to make a signature of the given type.  See \fBgpg\fR\|(1) for
details.  Default: "" (i.e., make a regular, exportable, signature).
.IP "\fBgpg-sign-args\fR [string]" 4
.IX Item "gpg-sign-args [string]"
Additional commands to pass to gpg after the \*(L"sign\*(R" command.
Default: none.
.SS "Key import settings"
.IX Subsection "Key import settings"
.IP "\fBno-download\fR [boolean]" 4
.IX Item "no-download [boolean]"
If true, then skip the step of fetching keys from the keyserver.
Default: \fB0\fR.
.IP "\fBkey-files\fR [list of files]" 4
.IX Item "key-files [list of files]"
A list of files containing keys to be imported.
.SS "Signing settings"
.IX Subsection "Signing settings"
.IP "\fBno-sign\fR [boolean]" 4
.IX Item "no-sign [boolean]"
If true, then skip the signing step. Default: \fB0\fR.
.IP "\fBask-sign\fR [boolean]" 4
.IX Item "ask-sign [boolean]"
If true, then pause before continuing to the signing step.
This is useful for offline signing. Default: \fB0\fR.
.IP "\fBexport-sig-age\fR [seconds]" 4
.IX Item "export-sig-age [seconds]"
Don't export UIDs by default, on which your latest signature is older
than this age.  Default: \fB24*60*60\fR (i.e. one day).
.IP "\fBlocal-user\fR [keyid, or list of keyids]" 4
.IX Item "local-user [keyid, or list of keyids]"
Select the key that is used for signing, in case you have more than one key.
With multiple keyids, sign with each key in turn.
.IP "\fBalso-lsign-in-gnupghome\fR [auto|ask|no]" 4
.IX Item "also-lsign-in-gnupghome [auto|ask|no]"
Whether to locally sign the UIDs in the user's GnuPGHOME, in addition to
caff's signatures in its own GnuPGHOME.  Such signatures are not
exportable.  This can be useful when the recipient forgets to upload the
signatures caff sent (or if they are non-exportable as well), as it
gives a way to keep track of which UIDs were verified.  However, note
that local signatures will not be deleted once the recipient does the
upload and the signer refreshes her keyring.
.Sp
If the value is not \fIno\fR and if \fBgpg-sign-type\fR contains \*(L"l\*(R", each
(local) signature is merely exported from caff's own GnuPGHOME to the
user's.  Otherwise, if the value is \fIauto\fR, each \s-1UID\s0 signed in caff's
own GnuPGHOME gets automatically locally signed in the user's, using the
same certification level; this requires a working \fBgpg\-agent\fR\|(1).  If
\&\fIask\fR, the user is prompted for which UIDs to locally sign.  Default:
\&\fBno\fR.
.IP "\fBshow-photos\fR [boolean]" 4
.IX Item "show-photos [boolean]"
If true, then before signing a key gpg will display the photos attached
to it, if any.  (The photo viewer can be specified with a \*(L"photo-viewer\*(R"
option in caff's GnuPGHOME.)  Default: \fB0\fR.
.SS "Mail settings"
.IX Subsection "Mail settings"
.IP "\fBmail\fR [yes|ask\-yes|ask\-no|no]" 4
.IX Item "mail [yes|ask-yes|ask-no|no]"
Whether to send mails. This is a quad-option, with which you can set the
behaviour: yes always sends, no never sends; ask-yes and ask-no asks, for
each uid, with according defaults for the question. Default: \fBask-yes\fR.
.Sp
In any case, the messages are also written to \f(CW$CONFIG\fR{'caffhome'}/keys/
.IP "\fBmail-cant-encrypt\fR [yes|ask\-yes|ask\-no|no]" 4
.IX Item "mail-cant-encrypt [yes|ask-yes|ask-no|no]"
The value of this option is considered instead of that of \fBmail\fR for
recipient keys without encryption capability.  Default to the value of
\&\fBmail\fR.
.IP "\fBmail-subject\fR [string]" 4
.IX Item "mail-subject [string]"
Sets the value of the \*(L"Subject:\*(R" header field.  \f(CW%k\fR will be expanded
to the long key \s-1ID\s0 of the signed key.
Default: \f(CW\*(C`Your signed PGP key 0x%k\*(C'\fR.
.IP "\fBmail-template\fR [string]" 4
.IX Item "mail-template [string]"
Email template which is used as the body text for the email sent out
instead of the default text if specified. The following perl variables
can be used in the template:
.RS 4
.IP "\fB{owner}\fR [string]" 4
.IX Item "{owner} [string]"
Your name as specified in the \fBowner\fR setting.
.IP "\fB{key}\fR [string]" 4
.IX Item "{key} [string]"
The keyid of the key you signed.
.IP "\fB{@uids}\fR [array]" 4
.IX Item "{@uids} [array]"
The UIDs for which signatures are included in the mail.
.RE
.RS 4
.Sp
Note that you should probably customize the template if you intend to
send non-exportable signatures (i.e., if \fBgpg-sign-type\fR contains \*(L"l\*(R"),
as uploading such signatures doesn't make sense, and they require the
import option \*(L"import-local-sigs\*(R" which isn't set by default.
.RE
.IP "\fBreply-to\fR [string]" 4
.IX Item "reply-to [string]"
Add a Reply-To: header to messages sent. Default: none.
.IP "\fBbcc\fR [string]" 4
.IX Item "bcc [string]"
Address to send blind carbon copies to when sending mail.
Default: none.
.IP "\fBmailer-send\fR [array]" 4
.IX Item "mailer-send [array]"
Parameters to pass to Mail::Mailer.  Default: none.
Setting this option is strongly discouraged: fix your local \s-1MTA\s0 instead.
.Sp
This could for example be
.Sp
.Vb 1
\&        $CONFIG{\*(Aqmailer\-send\*(Aq} =  [ \*(Aqsmtp\*(Aq, Server => \*(Aqmail.server\*(Aq, Auth => [\*(Aquser\*(Aq, \*(Aqpass\*(Aq] ];
.Ve
.Sp
to use the perl \s-1SMTP\s0 client, or
.Sp
.Vb 1
\&        $CONFIG{\*(Aqmailer\-send\*(Aq} =  [ \*(Aqsendmail\*(Aq, \*(Aq\-f\*(Aq, $CONFIG{\*(Aqemail\*(Aq}, \*(Aq\-it\*(Aq ];
.Ve
.Sp
to pass arguments to the sendmail program.  To specify a sendmail binary
you can set the \f(CW\*(C`PERL_MAILERS\*(C'\fR environment variable as follows:
.Sp
.Vb 1
\&    $ENV{\*(AqPERL_MAILERS\*(Aq} = \*(Aqsendmail:/path/to/sendmail_compatible_mta\*(Aq;
.Ve
.Sp
For more information see \fBMail::Mailer\fR\|(3pm).
.SH "NOTES"
.IX Header "NOTES"
As noted above caff uses its own GnuPGHOME and GnuPG configuration file.
In fact it only needs its own keyring for the signing work, but it would
be unsafe to reuse the same GnuPG configuration file because the user
could have set an option in \f(CW$HOME\fR/.gnupg/gpg.conf which would break caff.
.PP
Therefore the GnuPG options that are intended to be used with caff, such
as \f(CW\*(C`keyserver\*(C'\fR or \f(CW\*(C`cert\-digest\-algo\*(C'\fR, need to be placed in
\&\f(CW$HOME\fR/.caff/gnupghome/gpg.conf instead.  If this file does not exist,
the GnuPG options found in \f(CW$HOME\fR/.gnupg/gpg.conf that are known to be
safe (and useful) for caff, are passed to \fBgpg\fR\|(1) as command-line
options.
.SH "AUTHORS"
.IX Header "AUTHORS"
.IP "Peter Palfrader <peter@palfrader.org>" 4
.IX Item "Peter Palfrader <peter@palfrader.org>"
.PD 0
.IP "Christoph Berg <cb@df7cb.de>" 4
.IX Item "Christoph Berg <cb@df7cb.de>"
.IP "Guilhem Moulin <guilhem@debian.org>" 4
.IX Item "Guilhem Moulin <guilhem@debian.org>"
.PD
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBgpg\fR\|(1), \fBpgp\-clean\fR\|(1), /usr/share/doc/signing\-party/caff/