1CAFF(1) User Contributed Perl Documentation CAFF(1)
2
3
4
6 caff -- CA - Fire and Forget
7
9 caff [-eERS] [-m yes|ask-yes|ask-no|no] [-u yourkeyid] keyid [keyid ..]
10 caff [-eERS] [-m yes|ask-yes|ask-no|no] [-u yourkeyid] [keyid ..]
11 </path/to/ksp-annotated.txt
12
14 CA Fire and Forget is a script that helps you in keysigning. It takes
15 a list of keyids on the command line, fetches them from a keyserver and
16 calls GnuPG so that you can sign it. It then mails each key to all its
17 email addresses - only including the one UID that we send to in each
18 mail, pruned from all but self sigs and sigs done by you. The mailed
19 key is encrypted with itself as a means to verify that key belongs to
20 the recipient.
21
22 The list of keys to sign can also be provided through caff's standard
23 input, as gpgparticipants(1) formatted content. Only keys for which
24 both the "Fingerprint OK" and "ID OK" boxes are ticked (i.e., marked
25 with an "x") are considered for signing. Furthermore, the input header
26 must include at least one checksum line, and all checksum boxes must be
27 marked as verified (with an "x").
28
30 -e, --export-old
31 Export old signatures. Default is to ask the user for each old
32 signature.
33
34 -E, --no-export-old
35 Do not export old signatures. Default is to ask the user for each
36 old signature.
37
38 -m, --mail yes|ask-yes|ask-no|no
39 Whether to send mail after signing. Default is to ask, for each
40 uid, with a default value of yes.
41
42 -R, --no-download
43 Do not retrieve the key to be signed from a keyserver.
44
45 -S, --no-sign
46 Do not sign the keys.
47
48 -u yourkeyid, --local-user yourkeyid
49 Select the key that is used for signing, in case you have more than
50 one key. To sign with multiple keys at once, separate multiple
51 keyids by comma. This option requires the key(s) to be defined
52 through the keyid variable in the configuration file.
53
54 --key-file file
55 Import keys from file. Can be supplied more than once.
56
57 --keys-from-gnupg
58 Try to import keys from your standard GnuPG keyrings.
59
60 --debug
61 Enable debug messages.
62
64 HOME
65 The default home directory.
66
67 GNUPGBIN
68 The gpg binary. Default: "gpg".
69
70 GNUPGHOME
71 The default working directory for gpg. Default: "$HOME/.gnupg".
72
74 $HOME/.caffrc - configuration file
75 $HOME/.caff/keys/yyyy-mm-dd/ - processed keys
76 $HOME/.caff/gnupghome/ - caff's working directory for gpg
77 $HOME/.caff/gnupghome/gpg.conf - gpg configuration (see NOTES below)
78 useful options include use-agent, keyserver, keyserver-options,
79 default-cert-level, etc.
80
82 The configuration file is a perl script that sets values in the hash
83 %CONFIG. The file is generated when it does not exist.
84
85 Example:
86
87 $CONFIG{'owner'} = q{Peter Palfrader};
88 $CONFIG{'email'} = q{peter@palfrader.org};
89 $CONFIG{'keyid'} = [ qw{DE7AAF6E94C09C7F 62AF4031C82E0039} ];
90
91 Required basic settings
92 owner [string]
93 Your name. REQUIRED.
94
95 email [string]
96 Your email address, used in From: lines. REQUIRED.
97
98 keyid [list of keyids]
99 A list of your keys. This is used to determine which signatures to
100 keep in the pruning step. If you select a key using -u it has to
101 be in this list. REQUIRED.
102
103 General settings
104 caffhome [string]
105 Base directory for the files caff stores. Default: $HOME/.caff/.
106
107 colors [hash]
108 How to color output messages. See the "Term::ANSIColor"
109 documentation for the list of supported colors; colored output can
110 be disabled by setting this option to an empty hash {}. Default:
111
112 { error => 'bold bright_red'
113 , warn => 'bright_red'
114 , notice => 'bold'
115 , info => ''
116 , success => 'green' # used in combination with 'notice' and 'info'
117 , fail => 'yellow' # used in combination with 'notice' and 'info'
118 }
119
120 GnuPG settings
121 gpg [string]
122 Path to the GnuPG binary. Default: The value of the GNUPGBIN
123 environment variable if set, otherwise "gpg".
124
125 secret-keyring [string]
126 Path to your secret keyring (GnuPG < 2.1), or to the GnuPGHOME of
127 the agent managing the secret key material (GnuPG >= 2.1).
128 Default: $HOME/.gnupg/secring.gpg. If the value is not a directory
129 with GnuPG >= 2.1, the parent directory (i.e., $HOME/.gnupg by
130 default) is considered instead.
131
132 also-encrypt-to [keyid, or list of keyids]
133 Additional keyids to encrypt messages to. Default: none.
134
135 gpg-sign-type [string]
136 The prefix to the "sign" command used to make the signature from
137 gpg's shell. Can be set to a mix of "l" (local), "nr" (non-
138 revocable) or "t" (trust) to make a signature of the given type.
139 See gpg(1) for details. Default: "" (i.e., make a regular,
140 exportable, signature).
141
142 gpg-sign-args [string]
143 Additional commands to pass to gpg after the "sign" command.
144 Default: none.
145
146 Key import settings
147 no-download [boolean]
148 If true, then skip the step of fetching keys from the keyserver.
149 Default: 0.
150
151 key-files [list of files]
152 A list of files containing keys to be imported.
153
154 Signing settings
155 no-sign [boolean]
156 If true, then skip the signing step. Default: 0.
157
158 ask-sign [boolean]
159 If true, then pause before continuing to the signing step. This is
160 useful for offline signing. Default: 0.
161
162 export-sig-age [seconds]
163 Don't export UIDs by default, on which your latest signature is
164 older than this age. Default: 24*60*60 (i.e. one day).
165
166 local-user [keyid, or list of keyids]
167 Select the key that is used for signing, in case you have more than
168 one key. With multiple keyids, sign with each key in turn.
169
170 also-lsign-in-gnupghome [auto|ask|no]
171 Whether to locally sign the UIDs in the user's GnuPGHOME, in
172 addition to caff's signatures in its own GnuPGHOME. Such
173 signatures are not exportable. This can be useful when the
174 recipient forgets to upload the signatures caff sent (or if they
175 are non-exportable as well), as it gives a way to keep track of
176 which UIDs were verified. However, note that local signatures will
177 not be deleted once the recipient does the upload and the signer
178 refreshes her keyring.
179
180 If the value is not no and if gpg-sign-type contains "l", each
181 (local) signature is merely exported from caff's own GnuPGHOME to
182 the user's. Otherwise, if the value is auto, each UID signed in
183 caff's own GnuPGHOME gets automatically locally signed in the
184 user's, using the same certification level; this requires a working
185 gpg-agent(1). If ask, the user is prompted for which UIDs to
186 locally sign. Default: no.
187
188 show-photos [boolean]
189 If true, then before signing a key gpg will display the photos
190 attached to it, if any. (The photo viewer can be specified with a
191 "photo-viewer" option in caff's GnuPGHOME.) Default: 0.
192
193 Mail settings
194 mail [yes|ask-yes|ask-no|no]
195 Whether to send mails. This is a quad-option, with which you can
196 set the behaviour: yes always sends, no never sends; ask-yes and
197 ask-no asks, for each uid, with according defaults for the
198 question. Default: ask-yes.
199
200 In any case, the messages are also written to
201 $CONFIG{'caffhome'}/keys/
202
203 mail-cant-encrypt [yes|ask-yes|ask-no|no]
204 The value of this option is considered instead of that of mail for
205 recipient keys without encryption capability. Default to the value
206 of mail.
207
208 mail-subject [string]
209 Sets the value of the "Subject:" header field. %k will be expanded
210 to the long key ID of the signed key. Default: "Your signed PGP
211 key 0x%k".
212
213 mail-template [string]
214 Email template which is used as the body text for the email sent
215 out instead of the default text if specified. The following perl
216 variables can be used in the template:
217
218 {owner} [string]
219 Your name as specified in the owner setting.
220
221 {key} [string]
222 The keyid of the key you signed.
223
224 {@uids} [array]
225 The UIDs for which signatures are included in the mail.
226
227 Note that you should probably customize the template if you intend
228 to send non-exportable signatures (i.e., if gpg-sign-type contains
229 "l"), as uploading such signatures doesn't make sense, and they
230 require the import option "import-local-sigs" which isn't set by
231 default.
232
233 reply-to [string]
234 Add a Reply-To: header to messages sent. Default: none.
235
236 bcc [string]
237 Address to send blind carbon copies to when sending mail. Default:
238 none.
239
240 mailer-send [array]
241 Parameters to pass to Mail::Mailer. Default: none. Setting this
242 option is strongly discouraged: fix your local MTA instead.
243
244 This could for example be
245
246 $CONFIG{'mailer-send'} = [ 'smtp', Server => 'mail.server', Auth => ['user', 'pass'] ];
247
248 to use the perl SMTP client, or
249
250 $CONFIG{'mailer-send'} = [ 'sendmail', '-f', $CONFIG{'email'}, '-it' ];
251
252 to pass arguments to the sendmail program. To specify a sendmail
253 binary you can set the "PERL_MAILERS" environment variable as
254 follows:
255
256 $ENV{'PERL_MAILERS'} = 'sendmail:/path/to/sendmail_compatible_mta';
257
258 For more information see Mail::Mailer(3pm).
259
261 As noted above caff uses its own GnuPGHOME and GnuPG configuration
262 file. In fact it only needs its own keyring for the signing work, but
263 it would be unsafe to reuse the same GnuPG configuration file because
264 the user could have set an option in $HOME/.gnupg/gpg.conf which would
265 break caff.
266
267 Therefore the GnuPG options that are intended to be used with caff,
268 such as "keyserver" or "cert-digest-algo", need to be placed in
269 $HOME/.caff/gnupghome/gpg.conf instead. If this file does not exist,
270 the GnuPG options found in $HOME/.gnupg/gpg.conf that are known to be
271 safe (and useful) for caff, are passed to gpg(1) as command-line
272 options.
273
275 Peter Palfrader <peter@palfrader.org>
276 Christoph Berg <cb@df7cb.de>
277 Guilhem Moulin <guilhem@debian.org>
278
280 gpg(1), pgp-clean(1), /usr/share/doc/signing-party/caff/
281
282
283
284perl v5.38.0 2023-07-21 CAFF(1)