CAFF(1)               User Contributed Perl Documentation              CAFF(1)




NAME

       caff -- CA - Fire and Forget


SYNOPSIS

       caff [-eERS] [-m yes|ask-yes|ask-no|no] [-u yourkeyid] keyid [keyid ..]
       caff [-eERS] [-m yes|ask-yes|ask-no|no] [-u yourkeyid] [keyid ..]
       </path/to/ksp-annotated.txt


DESCRIPTION

       CA Fire and Forget is a script that helps you in keysigning.  It takes
       a list of keyids on the command line, fetches them from a keyserver and
       calls GnuPG so that you can sign them.  It then mails each key to all
       its email addresses - only including the one UID that we send to in
       each mail, pruned from all but self sigs and sigs done by you.  The
       mailed key is encrypted with itself as a means to verify that the key
       belongs to the recipient.

       The list of keys to sign can also be provided through caff's standard
       input, as gpgparticipants(1) formatted content.  Only keys for which
       both the "Fingerprint OK" and "ID OK" boxes are ticked (i.e., marked
       with an "x") are considered for signing.  Furthermore, the input header
       must include at least one checksum line, and all checksum boxes must be
       marked as verified (with an "x").

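       The selection rules above, as an added example that is not part of
       caff or signing-party: a POSIX shell script (awk does the parsing)
       that reads a constructed gpgparticipants(1)-style annotated list and
       prints the fingerprints of the entries that would qualify for
       signing.  The exact line layout of gpgparticipants output (numbered
       "[ ] Fingerprint OK   [ ] ID OK" rows, one "Key fingerprint =" line
       per entry, header lines containing "Checksum:" that end in a box) is
       an assumption here, as are the sample file, its names and its
       fingerprints.

```shell
#!/bin/sh
# Added example, not part of caff or signing-party: a POSIX sh/awk
# reimplementation of the selection rules the DESCRIPTION states for
# gpgparticipants(1)-formatted input.  The line layout assumed here
# (numbered "[ ] Fingerprint OK   [ ] ID OK" rows, each followed by a
# "pub" block with a "Key fingerprint =" line, and header lines containing
# "Checksum:" that end in a box) is an assumption about the format; the
# sample file is constructed to match it.

# make_sample FILE: write a constructed annotated list.  Entries 001 and 003
# have both boxes ticked, 002 has only the fingerprint box ticked, and both
# checksum boxes in the header are marked verified.
make_sample() {
    cat > "$1" <<'EOF'
Example Keysigning Party (constructed sample)

          RIPEMD160 Checksum: 1111 2222 3333 4444 5555  6666 7777 8888 9999 0000  [x]

          SHA256 Checksum: AAAA BBBB CCCC DDDD EEEE  FFFF 0000 1111 2222 3333  [x]

001  [x] Fingerprint OK        [x] ID OK
pub   4096R/89ABCDEF01234567 2020-01-01
      Key fingerprint = 0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567
uid                            Alice <alice@example.com>

002  [x] Fingerprint OK        [ ] ID OK
pub   4096R/76543210FEDCBA98 2020-01-01
      Key fingerprint = FEDC BA98 7654 3210 FEDC  BA98 7654 3210 FEDC BA98
uid                            Bob <bob@example.com>

003  [X] Fingerprint OK        [x] ID OK
pub   4096R/9999888877776666 2020-01-01
      Key fingerprint = FFFF EEEE DDDD CCCC BBBB  AAAA 9999 8888 7777 6666
uid                            Carol <carol@example.com>
EOF
}

# checksums_verified FILE: succeed only if the header has at least one
# "Checksum:" line and every such line ends with a ticked box.
checksums_verified() {
    awk '
        /Checksum:/ {
            seen++
            if ($0 !~ /\[[xX]\][[:space:]]*$/) unverified++
        }
        END { exit (seen == 0 || unverified > 0) ? 1 : 0 }
    ' "$1"
}

# selected_fingerprints FILE: print, one per line and without spaces, the
# fingerprint of every entry whose "Fingerprint OK" and "ID OK" boxes are
# both ticked (upper- or lower-case x).
selected_fingerprints() {
    awk '
        /^[0-9]+[[:space:]]+\[.\] Fingerprint OK[[:space:]]+\[.\] ID OK/ {
            i = index($0, "[")
            fp = substr($0, i + 1, 1)        # character inside the first box
            rest = substr($0, i + 3)
            j = index(rest, "[")
            id = substr(rest, j + 1, 1)      # character inside the second box
            want = (tolower(fp) == "x" && tolower(id) == "x")
            next
        }
        index($0, "Key fingerprint = ") {
            if (want) {
                s = $0
                sub(/.*Key fingerprint = /, "", s)
                gsub(/ /, "", s)
                print s
            }
            want = 0                         # one fingerprint per entry row
        }
    ' "$1"
}

# select_keys FILE: the combined rule.  Refuse the whole input when the
# checksum boxes are missing or not all verified; otherwise list the
# fingerprints that would be handed to the signing step.
select_keys() {
    if ! checksums_verified "$1"; then
        echo "select_keys: checksum boxes missing or not verified in $1" >&2
        return 1
    fi
    selected_fingerprints "$1"
}

# Stand-alone demo: build the sample and show which keys would be signed.
sample=$(mktemp)
make_sample "$sample"
select_keys "$sample"
rm -f "$sample"
```

       The checksum check gates the whole input, mirroring the requirement
       that every checksum box in the header be verified before any entry
       is considered; a single unverified box rejects the list rather than
       the one entry.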

OPTIONS

       -e, --export-old
           Export old signatures. Default is to ask the user for each old
           signature.

       -E, --no-export-old
           Do not export old signatures. Default is to ask the user for each
           old signature.

       -m, --mail yes|ask-yes|ask-no|no
           Whether to send mail after signing. Default is to ask, for each
           uid, with a default value of yes.

       -R, --no-download
           Do not retrieve the key to be signed from a keyserver.

       -S, --no-sign
           Do not sign the keys.

       -u yourkeyid, --local-user yourkeyid
           Select the key that is used for signing, in case you have more than
           one key.  To sign with multiple keys at once, separate multiple
           keyids by comma. This option requires the key(s) to be defined
           through the keyid variable in the configuration file.

       --key-file file
           Import keys from file. Can be supplied more than once.

       --keys-from-gnupg
           Try to import keys from your standard GnuPG keyrings.

       --debug
           Enable debug messages.


ENVIRONMENT

       HOME
           The default home directory.

       GNUPGBIN
           The gpg binary.  Default: "gpg".

       GNUPGHOME
           The default working directory for gpg.  Default: "$HOME/.gnupg".


FILES

       $HOME/.caffrc  -  configuration file
       $HOME/.caff/keys/yyyy-mm-dd/  -  processed keys
       $HOME/.caff/gnupghome/  -  caff's working directory for gpg
       $HOME/.caff/gnupghome/gpg.conf  -  gpg configuration (see NOTES below)
           useful options include use-agent, keyserver, keyserver-options,
           default-cert-level, etc.


CONFIGURATION FILE OPTIONS

       The configuration file is a perl script that sets values in the hash
       %CONFIG.  The file is generated when it does not exist.

       Example:

               $CONFIG{'owner'} = q{Peter Palfrader};
               $CONFIG{'email'} = q{peter@palfrader.org};
               $CONFIG{'keyid'} = [ qw{DE7AAF6E94C09C7F 62AF4031C82E0039} ];

   Required basic settings
       owner [string]
           Your name.  REQUIRED.

       email [string]
           Your email address, used in From: lines.  REQUIRED.

       keyid [list of keyids]
           A list of your keys.  This is used to determine which signatures to
           keep in the pruning step.  If you select a key using -u it has to
           be in this list.  REQUIRED.

   General settings
       caffhome [string]
           Base directory for the files caff stores.  Default: $HOME/.caff/.

       colors [hash]
           How to color output messages.  See the "Term::ANSIColor"
           documentation for the list of supported colors; colored output can
           be disabled by setting this option to an empty hash {}.  Default:

                   { error => 'bold bright_red'
                   , warn => 'bright_red'
                   , notice => 'bold'
                   , info => ''
                   , success => 'green' # used in combination with 'notice' and 'info'
                   , fail => 'yellow'   # used in combination with 'notice' and 'info'
                   }

   GnuPG settings
       gpg [string]
           Path to the GnuPG binary.  Default: The value of the GNUPGBIN
           environment variable if set, otherwise "gpg".

       secret-keyring [string]
           Path to your secret keyring (GnuPG < 2.1), or to the GnuPGHOME of
           the agent managing the secret key material (GnuPG >= 2.1).
           Default: $HOME/.gnupg/secring.gpg.  If the value is not a directory
           with GnuPG >= 2.1, the parent directory (i.e., $HOME/.gnupg by
           default) is considered instead.

       also-encrypt-to [keyid, or list of keyids]
           Additional keyids to encrypt messages to. Default: none.

       gpg-sign-type [string]
           The prefix to the "sign" command used to make the signature from
           gpg's shell.  Can be set to a mix of "l" (local), "nr"
           (non-revocable) or "t" (trust) to make a signature of the given
           type.  See gpg(1) for details.  Default: "" (i.e., make a regular,
           exportable, signature).

       gpg-sign-args [string]
           Additional commands to pass to gpg after the "sign" command.
           Default: none.

   Key import settings
       no-download [boolean]
           If true, then skip the step of fetching keys from the keyserver.
           Default: 0.

       key-files [list of files]
           A list of files containing keys to be imported.

   Signing settings
       no-sign [boolean]
           If true, then skip the signing step. Default: 0.

       ask-sign [boolean]
           If true, then pause before continuing to the signing step.  This is
           useful for offline signing. Default: 0.

       export-sig-age [seconds]
           By default, don't export UIDs on which your latest signature is
           older than this age.  Default: 24*60*60 (i.e. one day).

       local-user [keyid, or list of keyids]
           Select the key that is used for signing, in case you have more than
           one key.  With multiple keyids, sign with each key in turn.

       also-lsign-in-gnupghome [auto|ask|no]
           Whether to locally sign the UIDs in the user's GnuPGHOME, in
           addition to caff's signatures in its own GnuPGHOME.  Such
           signatures are not exportable.  This can be useful when the
           recipient forgets to upload the signatures caff sent (or if they
           are non-exportable as well), as it gives a way to keep track of
           which UIDs were verified.  However, note that local signatures will
           not be deleted once the recipient does the upload and the signer
           refreshes her keyring.

           If the value is not no and if gpg-sign-type contains "l", each
           (local) signature is merely exported from caff's own GnuPGHOME to
           the user's.  Otherwise, if the value is auto, each UID signed in
           caff's own GnuPGHOME gets automatically locally signed in the
           user's, using the same certification level; this requires a working
           gpg-agent(1).  If ask, the user is prompted for which UIDs to
           locally sign.  Default: no.

       show-photos [boolean]
           If true, then before signing a key gpg will display the photos
           attached to it, if any.  (The photo viewer can be specified with a
           "photo-viewer" option in caff's GnuPGHOME.)  Default: 0.

   Mail settings
       mail [yes|ask-yes|ask-no|no]
           Whether to send mails. This is a quad-option, with which you can
           set the behaviour: yes always sends, no never sends; ask-yes and
           ask-no ask, for each uid, with the corresponding default for the
           question. Default: ask-yes.

           In any case, the messages are also written to
           $CONFIG{'caffhome'}/keys/

       mail-cant-encrypt [yes|ask-yes|ask-no|no]
           The value of this option is considered instead of that of mail for
           recipient keys without encryption capability.  Defaults to the
           value of mail.

       mail-subject [string]
           Sets the value of the "Subject:" header field.  %k will be expanded
           to the long key ID of the signed key.  Default: "Your signed PGP
           key 0x%k".

       mail-template [string]
           If specified, the email template used as the body text of the
           email sent out, instead of the default text. The following perl
           variables can be used in the template:

           {owner} [string]
               Your name as specified in the owner setting.

           {key} [string]
               The keyid of the key you signed.

           {@uids} [array]
               The UIDs for which signatures are included in the mail.

           Note that you should probably customize the template if you intend
           to send non-exportable signatures (i.e., if gpg-sign-type contains
           "l"), as uploading such signatures doesn't make sense, and they
           require the import option "import-local-sigs" which isn't set by
           default.

       reply-to [string]
           Add a Reply-To: header to messages sent. Default: none.

       bcc [string]
           Address to send blind carbon copies to when sending mail.  Default:
           none.

       mailer-send [array]
           Parameters to pass to Mail::Mailer.  Default: none.  Setting this
           option is strongly discouraged: fix your local MTA instead.

           This could for example be

                   $CONFIG{'mailer-send'} =  [ 'smtp', Server => 'mail.server', Auth => ['user', 'pass'] ];

           to use the perl SMTP client, or

                   $CONFIG{'mailer-send'} =  [ 'sendmail', '-f', $CONFIG{'email'}, '-it' ];

           to pass arguments to the sendmail program.  To specify a sendmail
           binary you can set the "PERL_MAILERS" environment variable as
           follows:

               $ENV{'PERL_MAILERS'} = 'sendmail:/path/to/sendmail_compatible_mta';

           For more information see Mail::Mailer(3pm).


NOTES

       As noted above caff uses its own GnuPGHOME and GnuPG configuration
       file.  In fact it only needs its own keyring for the signing work, but
       it would be unsafe to reuse the same GnuPG configuration file because
       the user could have set an option in $HOME/.gnupg/gpg.conf which would
       break caff.

       Therefore the GnuPG options that are intended to be used with caff,
       such as "keyserver" or "cert-digest-algo", need to be placed in
       $HOME/.caff/gnupghome/gpg.conf instead.  If this file does not exist,
       the GnuPG options found in $HOME/.gnupg/gpg.conf that are known to be
       safe (and useful) for caff, are passed to gpg(1) as command-line
       options.

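       A worked example of the fallback described in the second paragraph,
       added here and not taken from caff: a shell function that keeps only
       a whitelisted set of options from the user's gpg.conf and emits them
       as gpg command-line arguments for a separate GnuPGHOME.  The
       whitelist is an assumption built from the options this page names
       (keyserver, keyserver-options, cert-digest-algo, default-cert-level,
       use-agent); caff's real list lives in the caff script and may
       differ.  The sample gpg.conf is constructed.

```shell
#!/bin/sh
# Added example, not part of caff: a whitelist filter that turns the
# options in the user's $HOME/.gnupg/gpg.conf into gpg command-line options
# for a separate caff GnuPGHOME, mirroring the fallback described in NOTES.
# The whitelist is an assumption made up of the options this man page names
# as intended for caff; caff's real list of options it considers safe is in
# the caff script itself, not on this page.

SAFE_GPG_OPTIONS="keyserver keyserver-options cert-digest-algo default-cert-level use-agent"

# safe_gpg_args CONF: print the whitelisted options found in CONF as a
# single line of "--option value" arguments.  Comments, blank lines and
# any option that is not on the list are dropped; nothing else is
# interpreted, so an option the list does not name never reaches gpg.
safe_gpg_args() {
    awk -v list="$SAFE_GPG_OPTIONS" '
        BEGIN {
            n = split(list, names, " ")
            for (i = 1; i <= n; i++) allowed[names[i]] = 1
        }
        /^[[:space:]]*#/ { next }                # comment line
        /^[[:space:]]*$/ { next }                # blank line
        ($1 in allowed) {
            printf "%s--%s", sep, $1
            for (i = 2; i <= NF; i++) printf " %s", $i
            sep = " "
        }
        END { if (sep != "") print "" }
    ' "$1"
}

# make_sample_conf FILE: constructed user gpg.conf with two whitelisted
# options, a comment, and two options that are left out simply because
# they are not on the list.
make_sample_conf() {
    cat > "$1" <<'EOF'
# constructed user gpg.conf
keyserver hkps://keys.example.org
default-key 0x0123456789ABCDEF
cert-digest-algo SHA256
no-greeting
EOF
}

# Stand-alone demo: show the gpg invocation that would be built for caff's
# own GnuPGHOME ($HOME/.caff/gnupghome per FILES) from the sample.  The
# trailing "..." stands for whatever gpg command caff runs at that point.
conf=$(mktemp)
make_sample_conf "$conf"
printf 'gpg --homedir "$HOME/.caff/gnupghome" %s ...\n' "$(safe_gpg_args "$conf")"
rm -f "$conf"
```

       Because the filter is a whitelist, an option that is not on the list
       is dropped rather than passed through, which is the property the
       NOTES paragraph relies on: nothing from the user's gpg.conf reaches
       caff's gpg unless it has been judged safe for caff's use.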

AUTHORS

       Peter Palfrader <peter@palfrader.org>
       Christoph Berg <cb@df7cb.de>
       Guilhem Moulin <guilhem@debian.org>


SEE ALSO

       gpg(1), pgp-clean(1), /usr/share/doc/signing-party/caff/



perl v5.38.0                      2023-07-21                           CAFF(1)