MAN page from openSUSE Tumbleweed signing-party-2.7-3.olh.2.x86_64.rpm


Section: User Contributed Perl Documentation (1)
Updated: 2019-02-11


caff -- CA - Fire and Forget 


caff [-eERS] [-m yes|ask-yes|ask-no|no] [-u yourkeyid] keyid [keyid ..]
caff [-eERS] [-m yes|ask-yes|ask-no|no] [-u yourkeyid] [keyid ..] </path/to/ksp-annotated.txt


CA Fire and Forget is a script that helps you in keysigning. It takes a listof keyids on the command line, fetches them from a keyserver and calls GnuPG sothat you can sign it. It then mails each key to all its email addresses - onlyincluding the one UID that we send to in each mail, pruned from all but selfsigs and sigs done by you. The mailed key is encrypted with itself as a meansto verify that key belongs to the recipient.

The list of keys to sign can also be provided through caff's standardinput, as gpgparticipants(1) formatted content. Only keys for whichboth the ``Fingerprint OK'' and ``ID OK'' boxes are ticked (i.e., markedwith an ``x'') are considered for signing. Furthermore, the input headermust include at least one checksum line, and all checksum boxes must bemarked as verified (with an ``x''). 


-e, --export-old
Export old signatures. Default is to ask the user for each old signature.
-E, --no-export-old
Do not export old signatures. Default is to ask the user for each oldsignature.
-m, --mail yes|ask-yes|ask-no|no
Whether to send mail after signing. Default is to ask, for each uid,with a default value of yes.
-R, --no-download
Do not retrieve the key to be signed from a keyserver.
-S, --no-sign
Do not sign the keys.
-u yourkeyid, --local-user yourkeyid
Select the key that is used for signing, in case you have more than one key.To sign with multiple keys at once, separate multiple keyids by comma. Thisoption requires the key(s) to be defined through the keyid variable in theconfiguration file.
--key-file file
Import keys from file. Can be supplied more than once.
Try to import keys from your standard GnuPG keyrings.
Enable debug messages.


The default home directory.
The gpg binary. Default: "gpg".
The default working directory for gpg. Default: "$HOME/.gnupg".


$HOME/.caffrc - configuration file
$HOME/.caff/keys/yyyy-mm-dd/ - processed keys
$HOME/.caff/gnupghome/ - caff's working directory for gpg
$HOME/.caff/gnupghome/gpg.conf - gpg configuration (see NOTES below)
useful options include use-agent, keyserver, keyserver-options, default-cert-level, etc.


The configuration file is a perl script that sets values in the hash %CONFIG.The file is generated when it does not exist.


        $CONFIG{'owner'} = q{Peter Palfrader};        $CONFIG{'email'} = q{};        $CONFIG{'keyid'} = [ qw{DE7AAF6E94C09C7F 62AF4031C82E0039} ];

Required basic settings

owner [string]
Your name. REQUIRED.
email [string]
Your email address, used in From: lines. REQUIRED.
keyid [list of keyids]
A list of your keys. This is used to determine which signatures to keepin the pruning step. If you select a key using -u it has to be inthis list. REQUIRED.

General settings

caffhome [string]
Base directory for the files caff stores. Default: $HOME/.caff/.
colors [hash]
How to color output messages. See the "Term::ANSIColor" documentationfor the list of supported colors; colored output can be disabled bysetting this option to an empty hash {}. Default:

        { error => 'bold bright_red'        , warn => 'bright_red'        , notice => 'bold'        , info => ''        , success => 'green' # used in combination with 'notice' and 'info'        , fail => 'yellow'   # used in combination with 'notice' and 'info'        }

GnuPG settings

gpg [string]
Path to the GnuPG binary. Default: The value of the GNUPGBINenvironment variable if set, otherwise "gpg".
secret-keyring [string]
Path to your secret keyring (GnuPG < 2.1), or to the GnuPGHOMEof the agent managing the secret key material (GnuPG >= 2.1).Default: $HOME/.gnupg/secring.gpg.If the value is not a directory with GnuPG >= 2.1, the parent directory(i.e., $HOME/.gnupg by default) is considered instead.
also-encrypt-to [keyid, or list of keyids]
Additional keyids to encrypt messages to. Default: none.
gpg-sign-type [string]
The prefix to the ``sign'' command used to make the signature from gpg'sshell. Can be set to a mix of ``l'' (local), ``nr'' (non-revocable) or ``t''(trust) to make a signature of the given type. See gpg(1) fordetails. Default: "" (i.e., make a regular, exportable, signature).
gpg-sign-args [string]
Additional commands to pass to gpg after the ``sign'' command.Default: none.

Key import settings

no-download [boolean]
If true, then skip the step of fetching keys from the keyserver.Default: 0.
key-files [list of files]
A list of files containing keys to be imported.

Signing settings

no-sign [boolean]
If true, then skip the signing step. Default: 0.
ask-sign [boolean]
If true, then pause before continuing to the signing step.This is useful for offline signing. Default: 0.
export-sig-age [seconds]
Don't export UIDs by default, on which your latest signature is olderthan this age. Default: 24*60*60 (i.e. one day).
local-user [keyid, or list of keyids]
Select the key that is used for signing, in case you have more than one key.With multiple keyids, sign with each key in turn.
also-lsign-in-gnupghome [auto|ask|no]
Whether to locally sign the UIDs in the user's GnuPGHOME, in addition tocaff's signatures in its own GnuPGHOME. Such signatures are notexportable. This can be useful when the recipient forgets to upload thesignatures caff sent (or if they are non-exportable as well), as itgives a way to keep track of which UIDs were verified. However, notethat local signatures will not be deleted once the recipient does theupload and the signer refreshes her keyring.

If the value is not no and if gpg-sign-type contains ``l'', each(local) signature is merely exported from caff's own GnuPGHOME to theuser's. Otherwise, if the value is auto, each UID signed in caff'sown GnuPGHOME gets automatically locally signed in the user's, using thesame certification level; this requires a working gpg-agent(1). Ifask, the user is prompted for which UIDs to locally sign. Default:no.

show-photos [boolean]
If true, then before signing a key gpg will display the photos attachedto it, if any. (The photo viewer can be specified with a ``photo-viewer''option in caff's GnuPGHOME.) Default: 0.

Mail settings

mail [yes|ask-yes|ask-no|no]
Whether to send mails. This is a quad-option, with which you can set thebehaviour: yes always sends, no never sends; ask-yes and ask-no asks, foreach uid, with according defaults for the question. Default: ask-yes.

In any case, the messages are also written to $CONFIG{'caffhome'}/keys/

mail-cant-encrypt [yes|ask-yes|ask-no|no]
The value of this option is considered instead of that of mail forrecipient keys without encryption capability. Default to the value ofmail.
mail-subject [string]
Sets the value of the ``Subject:'' header field. %k will be expandedto the long key ID of the signed key.Default: "Your signed PGP key 0x%k".
mail-template [string]
Email template which is used as the body text for the email sent outinstead of the default text if specified. The following perl variablescan be used in the template:
{owner} [string]
Your name as specified in the owner setting.
{key} [string]
The keyid of the key you signed.
{@uids} [array]
The UIDs for which signatures are included in the mail.

Note that you should probably customize the template if you intend tosend non-exportable signatures (i.e., if gpg-sign-type contains ``l''),as uploading such signatures doesn't make sense, and they require theimport option ``import-local-sigs'' which isn't set by default.

reply-to [string]
Add a Reply-To: header to messages sent. Default: none.
bcc [string]
Address to send blind carbon copies to when sending mail.Default: none.
mailer-send [array]
Parameters to pass to Mail::Mailer. Default: none.Setting this option is strongly discouraged: fix your local MTA instead.

This could for example be

        $CONFIG{'mailer-send'} =  [ 'smtp', Server => 'mail.server', Auth => ['user', 'pass'] ];

to use the perl SMTP client, or

        $CONFIG{'mailer-send'} =  [ 'sendmail', '-f', $CONFIG{'email'}, '-it' ];

to pass arguments to the sendmail program. To specify a sendmail binaryyou can set the "PERL_MAILERS" environment variable as follows:

    $ENV{'PERL_MAILERS'} = 'sendmail:/path/to/sendmail_compatible_mta';

For more information see Mail::Mailer(3pm).



As noted above caff uses its own GnuPGHOME and GnuPG configuration file.In fact it only needs its own keyring for the signing work, but it wouldbe unsafe to reuse the same GnuPG configuration file because the usercould have set an option in $HOME/.gnupg/gpg.conf which would break caff.

Therefore the GnuPG options that are intended to be used with caff, suchas "keyserver" or "cert-digest-algo", need to be placed in$HOME/.caff/gnupghome/gpg.conf instead. If this file does not exist,the GnuPG options found in $HOME/.gnupg/gpg.conf that are known to besafe (and useful) for caff, are passed to gpg(1) as command-lineoptions. 


Peter Palfrader <>
Christoph Berg <>
Guilhem Moulin <>



gpg(1), pgp-clean(1), /usr/share/doc/packages/signing-party/



Required basic settings
General settings
GnuPG settings
Key import settings
Signing settings
Mail settings

This document was created byman2html,using the manual pages.