NAME
caff -- CA - Fire and Forget
SYNOPSIS
- caff [-eERS] [-m yes|ask-yes|ask-no|no] [-u yourkeyid] keyid [keyid ..]
- caff [-eERS] [-m yes|ask-yes|ask-no|no] [-u yourkeyid] [keyid ..] </path/to/ksp-annotated.txt
DESCRIPTION
CA Fire and Forget is a script that helps you in keysigning. It takes a list of
keyids on the command line, fetches them from a keyserver and calls GnuPG so
that you can sign them. It then mails each key to all its email addresses - only
including the one UID that we send to in each mail, pruned from all but self
sigs and sigs done by you. The mailed key is encrypted with itself as a means
to verify that the key belongs to the recipient.
The list of keys to sign can also be provided through caff's standard input, as
gpgparticipants(1) formatted content. Only keys for which both the
"Fingerprint OK" and "ID OK" boxes are ticked (i.e.,
marked with an "x") are considered for signing. Furthermore, the
input header must include at least one checksum line, and all checksum boxes
must be marked as verified (with an "x").
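The selection rule above, written out as an added Python example. It is not part of caff (which is a Perl script) and does not reproduce caff's own parser. The line layout of the constructed sample, the made-up fingerprints and the function name keys_to_sign are assumptions made for illustration.

```python
import re

# Constructed sample. The line layout is an assumption for illustration,
# not verbatim gpgparticipants output; fingerprints are made up.
SAMPLE = """\
SHA256 Checksum: 0000 1111 2222 3333 (constructed)          [x]
RIPEMD160 Checksum: 4444 5555 6666 (constructed)            [x]

001  [x] Fingerprint OK        [x] ID OK
pub   rsa4096 2020-01-01
      Key fingerprint = 1111 1111 1111 1111 1111  1111 1111 1111 1111 1111
uid   Alice Example <alice@example.org>

002  [x] Fingerprint OK        [ ] ID OK
pub   rsa4096 2020-01-02
      Key fingerprint = 2222 2222 2222 2222 2222  2222 2222 2222 2222 2222
uid   Bob Example <bob@example.org>

003  [x] Fingerprint OK        [x] ID OK
pub   rsa4096 2020-01-03
      Key fingerprint = 3333 3333 3333 3333 3333  3333 3333 3333 3333 3333
uid   Carol Example <carol@example.org>
"""

CHECKSUM = re.compile(r"^\S+ Checksum:.*\[(.)\]\s*$")
BOXES = re.compile(r"\[(.)\] Fingerprint OK\s+\[(.)\] ID OK")
FPR = re.compile(r"Key fingerprint = ([0-9A-Fa-f ]+)$")

def keys_to_sign(text):
    """Return (fingerprints, reason); the list is empty if the header gate fails."""
    checksums, entries = [], []          # entries: [both_ticked, fingerprint]
    for line in text.splitlines():
        c, b, f = CHECKSUM.match(line), BOXES.search(line), FPR.search(line)
        if c:
            checksums.append(c.group(1) == "x")
        elif b:
            # A key counts only when BOTH boxes carry an "x".
            entries.append([b.group(1) == "x" and b.group(2) == "x", None])
        elif f and entries and entries[-1][1] is None:
            entries[-1][1] = f.group(1).replace(" ", "").upper()
    # Header gate: at least one checksum line, and every box verified.
    if not checksums:
        return [], "header has no checksum line"
    if not all(checksums):
        return [], "a checksum box is not marked verified"
    return [fpr for ok, fpr in entries if ok and fpr], "ok"

if __name__ == "__main__":
    print(keys_to_sign(SAMPLE))
```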
OPTIONS
- -e, --export-old
- Export old signatures. Default is to ask the user for each old
signature.
- -E, --no-export-old
- Do not export old signatures. Default is to ask the user for each old
signature.
- -m, --mail yes|ask-yes|ask-no|no
- Whether to send mail after signing. Default is to ask, for each uid, with
a default value of yes.
- -R, --no-download
- Do not retrieve the key to be signed from a keyserver.
- -S, --no-sign
- Do not sign the keys.
- -u yourkeyid, --local-user yourkeyid
- Select the key that is used for signing, in case you have more than one
key. To sign with multiple keys at once, separate multiple keyids by
comma. This option requires the key(s) to be defined through the keyid
variable in the configuration file.
- --key-file file
- Import keys from file. Can be supplied more than once.
- --keys-from-gnupg
- Try to import keys from your standard GnuPG keyrings.
FILES
- $HOME/.caffrc - configuration file
- $HOME/.caff/keys/yyyy-mm-dd/ - processed keys
- $HOME/.caff/gnupghome/ - caff's working dir for gpg
- $HOME/.caff/gnupghome/gpg.conf - gpg configuration
- useful options include use-agent, keyserver-options, default-cert-level,
etc.
CONFIGURATION FILE OPTIONS
The configuration file is a perl script that sets values in the hash
%CONFIG. The file is generated when it does not exist.
Example:
$CONFIG{'owner'} = q{Peter Palfrader};
$CONFIG{'email'} = q{peter@palfrader.org};
$CONFIG{'keyid'} = [ qw{DE7AAF6E94C09C7F 62AF4031C82E0039} ];
Required basic settings
- owner [string]
- Your name. REQUIRED.
- email [string]
- Your email address, used in From: lines. REQUIRED.
- keyid [list of keyids]
- A list of your keys. This is used to determine which signatures to keep in
the pruning step. If you select a key using -u it has to be in this
list. REQUIRED.
General settings
- caffhome [string]
- Base directory for the files caff stores. Default:
$HOME/.caff/.
GnuPG settings
- gpg [string]
- Path to the GnuPG binary. Default: gpg.
- gpg-sign [string]
- Path to the GnuPG binary which is used to sign keys. Default: what
gpg is set to.
- gpg-delsig [string]
- Path to the GnuPG binary which is used to split off signatures. This was
needed while the upstream GnuPG was not fixed. Default: what gpg is
set to.
- secret-keyring [string]
- Path to your secret keyring. Default:
$HOME/.gnupg/secring.gpg.
- also-encrypt-to [keyid, or list of keyids]
- Additional keyids to encrypt messages to. Default: none.
- gpg-sign-type [string]
- The prefix to the "sign" command used to make the signature from
gpg's shell. Can be set to a mix of "l" (local), "nr"
(non-revocable) or "t" (trust) to make a signature of the given
type. See gpg(1) for details. Default: "" (i.e., make a
regular, exportable, signature).
- gpg-sign-args [string]
- Additional commands to pass to gpg after the "sign" command.
Default: none.
Keyserver settings
- keyserver [string]
- Keyserver to download keys from. Default: the keyserver defined in
~/.gnupg/gpg.conf if found, otherwise pool.sks-keyservers.net.
- no-download [boolean]
- If true, then skip the step of fetching keys from the keyserver. Default:
0.
- key-files [list of files]
- A list of files containing keys to be imported.
Signing settings
- no-sign [boolean]
- If true, then skip the signing step. Default: 0.
- ask-sign [boolean]
- If true, then pause before continuing to the signing step. This is useful
for offline signing. Default: 0.
- export-sig-age [seconds]
- By default, don't export UIDs on which your latest signature is older than
this age. Default: 24*60*60 (i.e. one day).
- local-user [keyid, or list of keyids]
- Select the key that is used for signing, in case you have more than one
key. With multiple keyids, sign with each key in turn.
- also-lsign-in-gnupghome [auto|ask|no]
- Whether to locally sign the UIDs in the user's GnuPGHOME, in addition to
caff's signatures in its own GnuPGHOME. Such signatures are not
exportable. This can be useful when the recipient forgets to upload the
signatures caff sent (or if they are non-exportable as well), as it gives a
way to keep track of which UIDs were verified. However, note that local
signatures will not be deleted once the recipient does the upload and the
signer refreshes her keyring.
If the value is not no and if gpg-sign-type contains
"l", each (local) signature is merely exported from caff's own
GnuPGHOME to the user's. Otherwise, if the value is auto, each UID
signed in caff's own GnuPGHOME gets automatically locally signed in the
user's, using the same certification level; this requires a working
gpg-agent(1). If ask, the user is prompted for which UIDs to
locally sign. Default: no.
- show-photos [boolean]
- If true, then before signing a key gpg will display the photos attached to
it, if any. (The photo viewer can be specified with a
"photo-viewer" option in caff's GnuPGHOME.) Default:
0.
Mail settings
- mail [yes|ask-yes|ask-no|no]
- Whether to send mails. This is a quad-option, with which you can set the
behaviour: yes always sends, no never sends; ask-yes and ask-no ask, for
each uid, with the corresponding default for the question. Default:
ask-yes.
In any case, the messages are also written to $CONFIG{'caffhome'}/keys/.
- mail-cant-encrypt [yes|ask-yes|ask-no|no]
- The value of this option is considered instead of that of mail for
recipient keys without encryption capability. Default: the value of
mail.
- mail-template [string]
- Email template which is used as the body text for the email sent out
instead of the default text if specified. The following perl variables can
be used in the template:
- {owner} [string]
- Your name as specified in the owner setting.
- {key} [string]
- The keyid of the key you signed.
- {@uids} [array]
- The UIDs for which signatures are included in the mail.
Note that you should probably customize the template if you intend to send
non-exportable signatures (i.e., if gpg-sign-type contains "l"), as
uploading such signatures doesn't make sense, and they require the import
option "import-local-sigs" which isn't set by default.
- reply-to [string]
- Add a Reply-To: header to messages sent. Default: none.
- bcc [string]
- Address to send blind carbon copies to when sending mail. Default:
none.
- mailer-send [array]
- Parameters to pass to Mail::Mailer. This could for example be
$CONFIG{'mailer-send'} = [ 'smtp', Server => 'mail.server', Auth => ['user', 'pass'] ];
to use the perl SMTP client or
$CONFIG{'mailer-send'} = [ 'sendmail', '-f', $CONFIG{'email'}, '-it' ];
to pass arguments to the sendmail program. For more information run
"perldoc Mail::Mailer". Setting this option is strongly
discouraged. Fix your local MTA instead. Default: none.
AUTHORS
- Peter Palfrader <peter@palfrader.org>
- Christoph Berg <cb@df7cb.de>
- Guilhem Moulin <guilhem@guilhem.org>
WEBSITE
http://pgp-tools.alioth.debian.org/
SEE ALSO
gpg(1),
pgp-clean(1), /usr/share/doc/signing-party/caff/