Provided by: signing-party_2.2-1_amd64 bug


       caff -- CA - Fire and Forget


       caff [-eERS] [-m yes|ask-yes|ask-no|no] [-u yourkeyid] keyid [keyid ..]
       caff [-eERS] [-m yes|ask-yes|ask-no|no] [-u yourkeyid] [keyid ..]


       CA Fire and Forget is a script that helps you in keysigning.  It takes a list of keyids on
       the command line, fetches them from a keyserver and calls GnuPG so that you can sign it.
       It then mails each key to all its email addresses - only including the one UID that we
       send to in each mail, pruned from all but self sigs and sigs done by you.  The mailed key
       is encrypted with itself as a means to verify that key belongs to the recipient.

       The list of keys to sign can also be provided through caff's standard input, as
       gpgparticipants(1) formatted content.  Only keys for which both the "Fingerprint OK" and
       "ID OK" boxes are ticked (i.e., marked with an "x") are considered for signing.
       Furthermore, the input header must include at least one checksum line, and all checksum
       boxes must be marked as verified (with an "x").


       -e, --export-old
           Export old signatures. Default is to ask the user for each old signature.

       -E, --no-export-old
           Do not export old signatures. Default is to ask the user for each old signature.

       -m, --mail yes|ask-yes|ask-no|no
           Whether to send mail after signing. Default is to ask, for each uid, with a default
           value of yes.

       -R, --no-download
           Do not retrieve the key to be signed from a keyserver.

       -S, --no-sign
           Do not sign the keys.

       -u yourkeyid, --local-user yourkeyid
           Select the key that is used for signing, in case you have more than one key.  To sign
           with multiple keys at once, separate multiple keyids by comma. This option requires
           the key(s) to be defined through the keyid variable in the configuration file.

       --key-file file
           Import keys from file. Can be supplied more than once.

           Try to import keys from your standard GnuPG keyrings.

           Enable debug messages.


           The default home directory.

           The gpg binary.  Default: "gpg".

           The default working directory for gpg.  Default: "$HOME/.gnupg".


       $HOME/.caffrc  -  configuration file
       $HOME/.caff/keys/yyyy-mm-dd/  -  processed keys
       $HOME/.caff/gnupghome/  -  caff's working directory for gpg
       $HOME/.caff/gnupghome/gpg.conf  -  gpg configuration
           useful options include use-agent, keyserver-options, default-cert-level, etc.


       The configuration file is a perl script that sets values in the hash %CONFIG.  The file is
       generated when it does not exist.


               $CONFIG{'owner'} = q{Peter Palfrader};
               $CONFIG{'email'} = q{};
               $CONFIG{'keyid'} = [ qw{DE7AAF6E94C09C7F 62AF4031C82E0039} ];

   Required basic settings
       owner [string]
           Your name.  REQUIRED.

       email [string]
           Your email address, used in From: lines.  REQUIRED.

       keyid [list of keyids]
           A list of your keys.  This is used to determine which signatures to keep in the
           pruning step.  If you select a key using -u it has to be in this list.  REQUIRED.

   General settings
       caffhome [string]
           Base directory for the files caff stores.  Default: $HOME/.caff/.

       colors [hash]
           How to color output messages.  See the "Term::ANSIColor" documentation for the list of
           supported colors; colored output can be disabled by setting this option to an empty
           hash {}.  Default:

                   { error => 'bold bright_red'
                   , warn => 'bright_red'
                   , notice => 'bold'
                   , info => ''
                   , success => 'green' # used in combination with 'notice' and 'info'
                   , fail => 'yellow'   # used in combination with 'notice' and 'info'

   GnuPG settings
       gpg [string]
           Path to the GnuPG binary.  Default: The value of the GNUPGBIN environment variable if
           set, otherwise "gpg".

       secret-keyring [string]
           Path to your secret keyring (GnuPG < 2.1), or to the GnuPGHOME of the agent managing
           the secret key material (GnuPG >= 2.1).  Default: $HOME/.gnupg/secring.gpg.  If the
           value is not a directory with GnuPG >= 2.1, the parent directory (i.e., $HOME/.gnupg
           by default) is considered instead.

       also-encrypt-to [keyid, or list of keyids]
           Additional keyids to encrypt messages to. Default: none.

       gpg-sign-type [string]
           The prefix to the "sign" command used to make the signature from gpg's shell.  Can be
           set to a mix of "l" (local), "nr" (non-revocable) or "t" (trust) to make a signature
           of the given type.  See gpg(1) for details.  Default: "" (i.e., make a regular,
           exportable, signature).

       gpg-sign-args [string]
           Additional commands to pass to gpg after the "sign" command.  Default: none.

   Keyserver settings
       keyserver [string]
           Keyserver to download keys from, passed to gpg(1) as argument to the "--keyserver"
           option.  (Optional keyserver configuration options may be provided after the keyserver
           name.)  Default: the keyserver and keyserver-options defined in ~/.gnupg/gpg.conf if
           found, otherwise

       no-download [boolean]
           If true, then skip the step of fetching keys from the keyserver.  Default: 0.

       key-files [list of files]
           A list of files containing keys to be imported.

   Signing settings
       no-sign [boolean]
           If true, then skip the signing step. Default: 0.

       ask-sign [boolean]
           If true, then pause before continuing to the signing step.  This is useful for offline
           signing. Default: 0.

       export-sig-age [seconds]
           Don't export UIDs by default, on which your latest signature is older than this age.
           Default: 24*60*60 (i.e. one day).

       local-user [keyid, or list of keyids]
           Select the key that is used for signing, in case you have more than one key.  With
           multiple keyids, sign with each key in turn.

       also-lsign-in-gnupghome [auto|ask|no]
           Whether to locally sign the UIDs in the user's GnuPGHOME, in addition to caff's
           signatures in its own GnuPGHOME.  Such signatures are not exportable.  This can be
           useful when the recipient forgets to upload the signatures caff sent (or if they non-
           exportable as well), as it gives a way to keep track of which UIDs were verified.
           However, note that local signatures will not be deleted once the recipient does the
           upload and the signer refreshes her keyring.

           If the value is not no and if gpg-sign-type contains "l", each (local) signature is
           merely exported from caff's own GnuPGHOME to the user's.  Otherwise, if the value is
           auto, each UID signed in caff's own GnuPGHOME gets automatically locally signed in the
           user's, using the same certification level; this requires a working gpg-agent(1).  If
           ask, the user is prompted for which UIDs to locally sign.  Default: no.

       show-photos [boolean]
           If true, then before signing a key gpg will display the photos attached to it, if any.
           (The photo viewer can be specified with a "photo-viewer" option in caff's GnuPGHOME.)
           Default: 0.

   Mail settings
       mail [yes|ask-yes|ask-no|no]
           Whether to send mails. This is a quad-option, with which you can set the behaviour:
           yes always sends, no never sends; ask-yes and ask-no asks, for each uid, with
           according defaults for the question. Default: ask-yes.

           In any case, the messages are also written to $CONFIG{'caffhome'}/keys/

       mail-cant-encrypt [yes|ask-yes|ask-no|no]
           The value of this option is considered instead of that of mail for recipient keys
           without encryption capability.  Default to the value of mail.

       mail-subject [string]
           Sets the value of the "Subject:" header field.  %k will be expanded to the long key ID
           of the signed key.  Default: "Your signed PGP key 0x%k".

       mail-template [string]
           Email template which is used as the body text for the email sent out instead of the
           default text if specified. The following perl variables can be used in the template:

           {owner} [string]
               Your name as specified in the owner setting.

           {key} [string]
               The keyid of the key you signed.

           {@uids} [array]
               The UIDs for which signatures are included in the mail.

           Note that you should probably customize the template if you intend to send non-
           exportable signatures (i.e., if gpg-sign-type contains "l"), as uploading such
           signatures doesn't make sense, and they require the import option "import-local-sigs"
           which isn't set by default.

       reply-to [string]
           Add a Reply-To: header to messages sent. Default: none.

       bcc [string]
           Address to send blind carbon copies to when sending mail.  Default: none.

       mailer-send [array]
           Parameters to pass to Mail::Mailer.  This could for example be

                   $CONFIG{'mailer-send'} =  [ 'smtp', Server => 'mail.server', Auth => ['user', 'pass'] ];

           to use the perl SMTP client or

                   $CONFIG{'mailer-send'} =  [ 'sendmail', '-f', $CONFIG{'email'}, '-it' ];

           to pass arguments to the sendmail program.  For more information run "perldoc
           Mail::Mailer".  Setting this option is strongly discouraged.  Fix your local MTA
           instead.  Default: none.


       Peter Palfrader <>
       Christoph Berg <>
       Guilhem Moulin <>



       gpg(1), pgp-clean(1), /usr/share/doc/signing-party/caff/