mruiz’s blog

CAFF is a script that helps you in keysigning. It takes a list of key IDs on the command line, fetches them from a keyserver or keyring and calls GnuPG to sign them. It then mails each key to all its email addresses.

CAFF it’s part of the signing-party package (various OpenPGP related tools). Also we need the gnupg-agent to store our passphrase during the signing. Lets install them in Ubuntu.

$ sudo apt-get install signing-party gnupg-agent

After that, the best idea is to configure a relay host to send the emails. I followed a really good guide based on Exim4, that just works

Also we need to configure the default behaviour of CAFF, through a configuration file (.caffrc under our home directory).  You can follow this example.

# .caffrc -- vim:ft=perl:
# This file is in perl(1) format - see caff(1) for details.

$CONFIG{'owner'} = 'Juan Perez';
$CONFIG{'email'} = 'juan@perez.com';
$CONFIG{'gpg-sign-args'} = "save";
$CONFIG{'keyserver'} = "pgp.mit.edu";
$CONFIG{'caffhome'}    = $ENV{'HOME'}.'/.caff';
# Specify the last 16 characters of your key
$CONFIG{'keyid'} = [ qw{1D4FE8D976862225} ];
$CONFIG{'also-encrypt-to'} = [ qw{1D4FE8D976862225} ];

# Mail template to use for the encrypted part
$CONFIG{'mail-template'} = << 'EOM';
Hi,

please find attached the user id{(scalar @uids >= 2 ? 's' : '')}
{foreach $uid (@uids) {
$OUT .= "\t".$uid."\n";
};}of your key {$key} signed by me.

If you have multiple user ids, I sent the signature for each user id
separately to that user id's associated email address. This gives you
also the chance to upload only specific signatures if you don't want
my signature on all your user ids.

You can import the signatures by running each through `gpg --import`.

Note that I did not upload your key to any keyservers. If you want this
new signature to be available to others, please upload it yourself.
With GnuPG this can be done using
gpg --keyserver subkeys.pgp.net --send-key {$key}

If you have any questions, don't hesitate to ask.

Regards,

{$owner}
EOM

Before the signing process, we have to start the gpg-agent. If you got problems launching the agent, please read the following reference .

$ eval `gpg-agent --daemon`

If your KSP host gave you a keyring, the following command must be used to sign the keys. The “m” argument specifies to send mail (using the template described previously) and the “R” prevents to retrieve keys from a keyserver. We’ll use a keyring file as input.

$ caff -mR --keyfile <keyring-file>

As always, many people listed on the keyring don’t participate in the KSP. Is this case I suggest to create a file with the attendants IDs only, such as the following.

B9270F9D
1773ED49
3114452A
1D814B8E
18DC68C4
7E633BAE

Then, we have to modify the previous command.

$ caff -mR --keyfile <keyring-file> `cat <keys-to-sign>`

If you want to sign only one key and you have its ID, don’t worry. CAFF will save the day. It can retrieve the key.

$ caff -m yes <key-ID>

Finally, the batch process starts and we have to sign the keys. Enjoy the day because CAFF will help you to finish this tasks without pain.

References: Waikato Linux User Group, CAFF man page