Skip site navigation (1)Skip section navigation (2)

FreeBSD Manual Pages


home | help
CAFF(1)		      User Contributed Perl Documentation	       CAFF(1)

       caff -- CA - Fire and Forget

       caff [-eERS] [-m	yes|ask-yes|ask-no|no] [-u yourkeyid] keyid [keyid ..]
       caff [-eERS] [-m	yes|ask-yes|ask-no|no] [-u yourkeyid] [keyid ..]

       CA Fire and Forget is a script that helps you in	keysigning.  It	takes
       a list of keyids	on the command line, fetches them from a keyserver and
       calls GnuPG so that you can sign	it.  It	then mails each	key to all its
       email addresses - only including	the one	UID that we send to in each
       mail, pruned from all but self sigs and sigs done by you.  The mailed
       key is encrypted	with itself as a means to verify that key belongs to
       the recipient.

       The list	of keys	to sign	can also be provided through caff's standard
       input, as gpgparticipants(1) formatted content.	Only keys for which
       both the	"Fingerprint OK" and "ID OK" boxes are ticked (i.e., marked
       with an "x") are	considered for signing.	 Furthermore, the input	header
       must include at least one checksum line,	and all	checksum boxes must be
       marked as verified (with	an "x").

       -e, --export-old
	   Export old signatures. Default is to	ask the	user for each old

       -E, --no-export-old
	   Do not export old signatures. Default is to ask the user for	each
	   old signature.

       -m, --mail yes|ask-yes|ask-no|no
	   Whether to send mail	after signing. Default is to ask, for each
	   uid,	with a default value of	yes.

       -R, --no-download
	   Do not retrieve the key to be signed	from a keyserver.

       -S, --no-sign
	   Do not sign the keys.

       -u yourkeyid, --local-user yourkeyid
	   Select the key that is used for signing, in case you	have more than
	   one key.  To	sign with multiple keys	at once, separate multiple
	   keyids by comma. This option	requires the key(s) to be defined
	   through the keyid variable in the configuration file.

       --key-file file
	   Import keys from file. Can be supplied more than once.

	   Try to import keys from your	standard GnuPG keyrings.

	   Enable debug	messages.

	   The default home directory.

	   The gpg binary.  Default: "gpg".

	   The default working directory for gpg.  Default: "$HOME/.gnupg".

       $HOME/.caffrc  -	 configuration file
       $HOME/.caff/keys/yyyy-mm-dd/  -	processed keys
       $HOME/.caff/gnupghome/  -  caff's working directory for gpg
       $HOME/.caff/gnupghome/gpg.conf  -  gpg configuration (see NOTES below)
	   useful options include use-agent, keyserver,	keyserver-options,
	   default-cert-level, etc.

       The configuration file is a perl	script that sets values	in the hash
       %CONFIG.	 The file is generated when it does not	exist.


	       $CONFIG{'owner'}	= q{Peter Palfrader};
	       $CONFIG{'email'}	= q{};
	       $CONFIG{'keyid'}	= [ qw{DE7AAF6E94C09C7F	62AF4031C82E0039} ];

   Required basic settings
       owner [string]
	   Your	name.  REQUIRED.

       email [string]
	   Your	email address, used in From: lines.  REQUIRED.

       keyid [list of keyids]
	   A list of your keys.	 This is used to determine which signatures to
	   keep	in the pruning step.  If you select a key using	-u it has to
	   be in this list.  REQUIRED.

   General settings
       caffhome	[string]
	   Base	directory for the files	caff stores.  Default: $HOME/.caff/.

       colors [hash]
	   How to color	output messages.  See the "Term::ANSIColor"
	   documentation for the list of supported colors; colored output can
	   be disabled by setting this option to an empty hash {}.  Default:

		   { error => 'bold bright_red'
		   , warn => 'bright_red'
		   , notice => 'bold'
		   , info => ''
		   , success =>	'green'	# used in combination with 'notice' and	'info'
		   , fail => 'yellow'	# used in combination with 'notice' and	'info'

   GnuPG settings
       gpg [string]
	   Path	to the GnuPG binary.  Default: The value of the	GNUPGBIN
	   environment variable	if set,	otherwise "gpg".

       secret-keyring [string]
	   Path	to your	secret keyring (GnuPG <	2.1), or to the	GnuPGHOME of
	   the agent managing the secret key material (GnuPG >=	2.1).
	   Default: $HOME/.gnupg/secring.gpg.  If the value is not a directory
	   with	GnuPG >= 2.1, the parent directory (i.e., $HOME/.gnupg by
	   default) is considered instead.

       also-encrypt-to [keyid, or list of keyids]
	   Additional keyids to	encrypt	messages to. Default: none.

       gpg-sign-type [string]
	   The prefix to the "sign" command used to make the signature from
	   gpg's shell.	 Can be	set to a mix of	"l" (local), "nr" (non-
	   revocable) or "t" (trust) to	make a signature of the	given type.
	   See gpg(1) for details.  Default: ""	(i.e., make a regular,
	   exportable, signature).

       gpg-sign-args [string]
	   Additional commands to pass to gpg after the	"sign" command.
	   Default: none.

   Key import settings
       no-download [boolean]
	   If true, then skip the step of fetching keys	from the keyserver.
	   Default: 0.

       key-files [list of files]
	   A list of files containing keys to be imported.

   Signing settings
       no-sign [boolean]
	   If true, then skip the signing step.	Default: 0.

       ask-sign	[boolean]
	   If true, then pause before continuing to the	signing	step.  This is
	   useful for offline signing. Default:	0.

       export-sig-age [seconds]
	   Don't export	UIDs by	default, on which your latest signature	is
	   older than this age.	 Default: 24*60*60 (i.e. one day).

       local-user [keyid, or list of keyids]
	   Select the key that is used for signing, in case you	have more than
	   one key.  With multiple keyids, sign	with each key in turn.

       also-lsign-in-gnupghome [auto|ask|no]
	   Whether to locally sign the UIDs in the user's GnuPGHOME, in
	   addition to caff's signatures in its	own GnuPGHOME.	Such
	   signatures are not exportable.  This	can be useful when the
	   recipient forgets to	upload the signatures caff sent	(or if they
	   are non-exportable as well),	as it gives a way to keep track	of
	   which UIDs were verified.  However, note that local signatures will
	   not be deleted once the recipient does the upload and the signer
	   refreshes her keyring.

	   If the value	is not no and if gpg-sign-type contains	"l", each
	   (local) signature is	merely exported	from caff's own	GnuPGHOME to
	   the user's.	Otherwise, if the value	is auto, each UID signed in
	   caff's own GnuPGHOME	gets automatically locally signed in the
	   user's, using the same certification	level; this requires a working
	   gpg-agent(1).  If ask, the user is prompted for which UIDs to
	   locally sign.  Default: no.

       show-photos [boolean]
	   If true, then before	signing	a key gpg will display the photos
	   attached to it, if any.  (The photo viewer can be specified with a
	   "photo-viewer" option in caff's GnuPGHOME.)	Default: 0.

   Mail	settings
       mail [yes|ask-yes|ask-no|no]
	   Whether to send mails. This is a quad-option, with which you	can
	   set the behaviour: yes always sends,	no never sends;	ask-yes	and
	   ask-no asks,	for each uid, with according defaults for the
	   question. Default: ask-yes.

	   In any case,	the messages are also written to

       mail-cant-encrypt [yes|ask-yes|ask-no|no]
	   The value of	this option is considered instead of that of mail for
	   recipient keys without encryption capability.  Default to the value
	   of mail.

       mail-subject [string]
	   Sets	the value of the "Subject:" header field.  %k will be expanded
	   to the long key ID of the signed key.  Default: "Your signed	PGP
	   key 0x%k".

       mail-template [string]
	   Email template which	is used	as the body text for the email sent
	   out instead of the default text if specified. The following perl
	   variables can be used in the	template:

	   {owner} [string]
	       Your name as specified in the owner setting.

	   {key} [string]
	       The keyid of the	key you	signed.

	   {@uids} [array]
	       The UIDs	for which signatures are included in the mail.

	   Note	that you should	probably customize the template	if you intend
	   to send non-exportable signatures (i.e., if gpg-sign-type contains
	   "l"), as uploading such signatures doesn't make sense, and they
	   require the import option "import-local-sigs" which isn't set by

       reply-to	[string]
	   Add a Reply-To: header to messages sent. Default: none.

       bcc [string]
	   Address to send blind carbon	copies to when sending mail.  Default:

       mailer-send [array]
	   Parameters to pass to Mail::Mailer.	Default: none.	Setting	this
	   option is strongly discouraged: fix your local MTA instead.

	   This	could for example be

		   $CONFIG{'mailer-send'} =  [ 'smtp', Server => 'mail.server',	Auth =>	['user', 'pass'] ];

	   to use the perl SMTP	client,	or

		   $CONFIG{'mailer-send'} =  [ 'sendmail', '-f', $CONFIG{'email'}, '-it' ];

	   to pass arguments to	the sendmail program.  To specify a sendmail
	   binary you can set the "PERL_MAILERS" environment variable as

	       $ENV{'PERL_MAILERS'} = 'sendmail:/path/to/sendmail_compatible_mta';

	   For more information	see Mail::Mailer(3pm).

       As noted	above caff uses	its own	GnuPGHOME and GnuPG configuration
       file.  In fact it only needs its	own keyring for	the signing work, but
       it would	be unsafe to reuse the same GnuPG configuration	file because
       the user	could have set an option in $HOME/.gnupg/gpg.conf which	would
       break caff.

       Therefore the GnuPG options that	are intended to	be used	with caff,
       such as "keyserver" or "cert-digest-algo", need to be placed in
       $HOME/.caff/gnupghome/gpg.conf instead.	If this	file does not exist,
       the GnuPG options found in $HOME/.gnupg/gpg.conf	that are known to be
       safe (and useful) for caff, are passed to gpg(1)	as command-line

       Peter Palfrader <>
       Christoph Berg <>
       Guilhem Moulin <>

       gpg(1), pgp-clean(1), /usr/share/doc/signing-party/caff/

perl v5.32.1			  2022-09-05			       CAFF(1)


Want to link to this manual page? Use this URL:

home | help