CAFF(1)               User Contributed Perl Documentation              CAFF(1)


NAME
       caff -- CA - Fire and Forget

SYNOPSIS
       caff [-eERS] [-m yes|ask-yes|ask-no|no] [-u yourkeyid] keyid [keyid ..]
       caff [-eERS] [-m yes|ask-yes|ask-no|no] [-u yourkeyid] [keyid ..]
       </path/to/ksp-annotated.txt

DESCRIPTION
       CA Fire and Forget is a script that helps you in keysigning.  It takes
       a list of keyids on the command line, fetches them from a keyserver and
       calls GnuPG so that you can sign it.  It then mails each key to all its
       email addresses - only including the one UID that we send to in each
       mail, pruned from all but self sigs and sigs done by you.  The mailed
       key is encrypted with itself as a means to verify that key belongs to
       the recipient.

       The list of keys to sign can also be provided through caff's standard
       input, as gpgparticipants(1) formatted content.  Only keys for which
       both the "Fingerprint OK" and "ID OK" boxes are ticked (i.e., marked
       with an "x") are considered for signing.  Furthermore, the input header
       must include at least one checksum line, and all checksum boxes must be
       marked as verified (with an "x").

OPTIONS
       -e, --export-old
           Export old signatures. Default is to ask the user for each old
           signature.

       -E, --no-export-old
           Do not export old signatures. Default is to ask the user for each
           old signature.

       -m, --mail yes|ask-yes|ask-no|no
           Whether to send mail after signing. Default is to ask, for each
           uid, with a default value of yes.

       -R, --no-download
           Do not retrieve the key to be signed from a keyserver.

       -S, --no-sign
           Do not sign the keys.

       -u yourkeyid, --local-user yourkeyid
           Select the key that is used for signing, in case you have more than
           one key.  To sign with multiple keys at once, separate multiple
           keyids by comma. This option requires the key(s) to be defined
           through the keyid variable in the configuration file.

       --key-file file
           Import keys from file. Can be supplied more than once.

       --keys-from-gnupg
           Try to import keys from your standard GnuPG keyrings.

       --debug
           Enable debug messages.

ENVIRONMENT
       HOME
           The default home directory.

       GNUPGBIN
           The gpg binary.  Default: "gpg".

       GNUPGHOME
           The default working directory for gpg.  Default: "$HOME/.gnupg".

FILES
       $HOME/.caffrc  -  configuration file
       $HOME/.caff/keys/yyyy-mm-dd/  -  processed keys
       $HOME/.caff/gnupghome/  -  caff's working directory for gpg
       $HOME/.caff/gnupghome/gpg.conf  -  gpg configuration (see NOTES below)
           useful options include use-agent, keyserver, keyserver-options,
           default-cert-level, etc.

CONFIGURATION FILE OPTIONS
       The configuration file is a perl script that sets values in the hash
       %CONFIG.  The file is generated when it does not exist.

       Example:

               $CONFIG{'owner'} = q{Peter Palfrader};
               $CONFIG{'email'} = q{peter@palfrader.org};
               $CONFIG{'keyid'} = [ qw{DE7AAF6E94C09C7F 62AF4031C82E0039} ];

   Required basic settings
       owner [string]
           Your name.  REQUIRED.

       email [string]
           Your email address, used in From: lines.  REQUIRED.

       keyid [list of keyids]
           A list of your keys.  This is used to determine which signatures to
           keep in the pruning step.  If you select a key using -u it has to
           be in this list.  REQUIRED.

   General settings
       caffhome [string]
           Base directory for the files caff stores.  Default: $HOME/.caff/.

       colors [hash]
           How to color output messages.  See the "Term::ANSIColor"
           documentation for the list of supported colors; colored output can
           be disabled by setting this option to an empty hash {}.  Default:

                   { error => 'bold bright_red'
                   , warn => 'bright_red'
                   , notice => 'bold'
                   , info => ''
                   , success => 'green' # used in combination with 'notice' and 'info'
                   , fail => 'yellow'   # used in combination with 'notice' and 'info'
                   }

   GnuPG settings
       gpg [string]
           Path to the GnuPG binary.  Default: The value of the GNUPGBIN
           environment variable if set, otherwise "gpg".

       secret-keyring [string]
           Path to your secret keyring (GnuPG < 2.1), or to the GnuPGHOME of
           the agent managing the secret key material (GnuPG >= 2.1).
           Default: $HOME/.gnupg/secring.gpg.  If the value is not a directory
           with GnuPG >= 2.1, the parent directory (i.e., $HOME/.gnupg by
           default) is considered instead.

       also-encrypt-to [keyid, or list of keyids]
           Additional keyids to encrypt messages to. Default: none.

       gpg-sign-type [string]
           The prefix to the "sign" command used to make the signature from
           gpg's shell.  Can be set to a mix of "l" (local), "nr" (non-
           revocable) or "t" (trust) to make a signature of the given type.
           See gpg(1) for details.  Default: "" (i.e., make a regular,
           exportable, signature).

       gpg-sign-args [string]
           Additional commands to pass to gpg after the "sign" command.
           Default: none.

   Key import settings
       no-download [boolean]
           If true, then skip the step of fetching keys from the keyserver.
           Default: 0.

       key-files [list of files]
           A list of files containing keys to be imported.

   Signing settings
       no-sign [boolean]
           If true, then skip the signing step. Default: 0.

       ask-sign [boolean]
           If true, then pause before continuing to the signing step.  This is
           useful for offline signing. Default: 0.

       export-sig-age [seconds]
           Don't export UIDs by default, on which your latest signature is
           older than this age.  Default: 24*60*60 (i.e. one day).

       local-user [keyid, or list of keyids]
           Select the key that is used for signing, in case you have more than
           one key.  With multiple keyids, sign with each key in turn.

       also-lsign-in-gnupghome [auto|ask|no]
           Whether to locally sign the UIDs in the user's GnuPGHOME, in
           addition to caff's signatures in its own GnuPGHOME.  Such
           signatures are not exportable.  This can be useful when the
           recipient forgets to upload the signatures caff sent (or if they
           are non-exportable as well), as it gives a way to keep track of
           which UIDs were verified.  However, note that local signatures will
           not be deleted once the recipient does the upload and the signer
           refreshes her keyring.

           If the value is not no and if gpg-sign-type contains "l", each
           (local) signature is merely exported from caff's own GnuPGHOME to
           the user's.  Otherwise, if the value is auto, each UID signed in
           caff's own GnuPGHOME gets automatically locally signed in the
           user's, using the same certification level; this requires a working
           gpg-agent(1).  If ask, the user is prompted for which UIDs to
           locally sign.  Default: no.

       show-photos [boolean]
           If true, then before signing a key gpg will display the photos
           attached to it, if any.  (The photo viewer can be specified with a
           "photo-viewer" option in caff's GnuPGHOME.)  Default: 0.

   Mail settings
       mail [yes|ask-yes|ask-no|no]
           Whether to send mails. This is a quad-option, with which you can
           set the behaviour: yes always sends, no never sends; ask-yes and
           ask-no asks, for each uid, with according defaults for the
           question. Default: ask-yes.

           In any case, the messages are also written to
           $CONFIG{'caffhome'}/keys/

       mail-cant-encrypt [yes|ask-yes|ask-no|no]
           The value of this option is considered instead of that of mail for
           recipient keys without encryption capability.  Default to the value
           of mail.

       mail-subject [string]
           Sets the value of the "Subject:" header field.  %k will be expanded
           to the long key ID of the signed key.  Default: "Your signed PGP
           key 0x%k".

       mail-template [string]
           Email template which is used as the body text for the email sent
           out instead of the default text if specified. The following perl
           variables can be used in the template:

           {owner} [string]
               Your name as specified in the owner setting.

           {key} [string]
               The keyid of the key you signed.

           {@uids} [array]
               The UIDs for which signatures are included in the mail.

           Note that you should probably customize the template if you intend
           to send non-exportable signatures (i.e., if gpg-sign-type contains
           "l"), as uploading such signatures doesn't make sense, and they
           require the import option "import-local-sigs" which isn't set by
           default.

       reply-to [string]
           Add a Reply-To: header to messages sent. Default: none.

       bcc [string]
           Address to send blind carbon copies to when sending mail.  Default:
           none.

       mailer-send [array]
           Parameters to pass to Mail::Mailer.  Default: none.  Setting this
           option is strongly discouraged: fix your local MTA instead.

           This could for example be

                   $CONFIG{'mailer-send'} =  [ 'smtp', Server => 'mail.server', Auth => ['user', 'pass'] ];

           to use the perl SMTP client, or

                   $CONFIG{'mailer-send'} =  [ 'sendmail', '-f', $CONFIG{'email'}, '-it' ];

           to pass arguments to the sendmail program.  To specify a sendmail
           binary you can set the "PERL_MAILERS" environment variable as
           follows:

               $ENV{'PERL_MAILERS'} = 'sendmail:/path/to/sendmail_compatible_mta';

           For more information see Mail::Mailer(3pm).

NOTES
       As noted above caff uses its own GnuPGHOME and GnuPG configuration
       file.  In fact it only needs its own keyring for the signing work, but
       it would be unsafe to reuse the same GnuPG configuration file because
       the user could have set an option in $HOME/.gnupg/gpg.conf which would
       break caff.

       Therefore the GnuPG options that are intended to be used with caff,
       such as "keyserver" or "cert-digest-algo", need to be placed in
       $HOME/.caff/gnupghome/gpg.conf instead.  If this file does not exist,
       the GnuPG options found in $HOME/.gnupg/gpg.conf that are known to be
       safe (and useful) for caff, are passed to gpg(1) as command-line
       options.

AUTHORS
       Peter Palfrader <peter@palfrader.org>
       Christoph Berg <cb@df7cb.de>
       Guilhem Moulin <guilhem@debian.org>

SEE ALSO
       gpg(1), pgp-clean(1), /usr/share/doc/signing-party/caff/

perl v5.32.0                      2020-09-27                           CAFF(1)