After attending the keysigning party at FOSDEM 2010, I came home with a large list of PGP/GnuPG keys I needed to sign. At the conference, there was a brief mention of using caff to make this task easier and soon enough, the first emails sent using caff came rolling in. The problem was that I had no experience whatsoever with caff, and the documentation was rather brief. I did manage to figure it all out though.
For this small guide/list of tips, I am assuming you have gpg working and are familiar with your mail settings.
The first problem was not that hard to figure out: caff is not called caff in most package managers. So, as I use Gentoo, I typed
emerge -av signing-party
and was on my way.
Caff stores its configuration in a user-specific file, ~/.caffrc, which can mostly be left at its defaults. All you need to do is enter your full name, your email address and your key ID (see the comments in the file itself for instructions), and optionally customize the message to be sent. The real trick comes when you want to customize gpg's behaviour.
For example, I wanted to define a default signing level. As you may or may not know, PGP key signing can be fine-tuned by stating how carefully you verified the key owner's identity: the certification level. All in all, as there was some checking of IDs and confirming those, but done outside and using only one ID of variable quality, I felt level 2 (casual verification) would be the most appropriate (I'll write a personal key signing policy in the near future). After some searching around I discovered that ~/.caffrc was indeed not the right place to set this, as the gpg-sign-args option is not meant to be used like that. Normally I would add this preference to ~/.gnupg/gpg.conf; however, caff uses its own GnuPG homedir, so run nano -w ~/.caff/gnupghome/gpg.conf and add the following:
default-cert-level 2
(and any other customizations you feel are needed, such as "charset utf-8", and have you switched to SHA256 yet, by the way?)
You may, however, use gpg-sign-args to avoid having to save manually after signing each key, if you like. Insert the following in ~/.caffrc:
$CONFIG{'gpg-sign-args'} = 'save';
After this, signing specific keys with caff should work just fine. But there is still the issue of actually sending those signed keys to their owners by email. For that purpose we can use the very basic sSMTP, which is most likely already present on your system. If not, on Gentoo Linux:
emerge -av ssmtp
sSMTP comes with two config files, both of which need editing to work with my provider's TLS-enabled mail server (just like Google's Gmail, for that matter). Note that AuthPass holds your mail password in clear text, so keep ssmtp.conf readable only by root and the group sSMTP runs as. Here are both files (stripped of comments) the way I have them working properly:
/etc/ssmtp/ssmtp.conf
root=postmaster
mailhub=mail.provider.tld:587
AuthUser=username
AuthPass=password
rewriteDomain=
hostname=email@domain.tld
FromLineOverride=YES
UseSTARTTLS=YES
/etc/ssmtp/revaliases
root:email@domain.tld:mail.provider.tld:587
defaultuser:email@domain.tld:mail.provider.tld:587
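Before letting caff loose with this configuration, here is a pre-flight check I would run against ssmtp.conf. It is an added example written for this page, not part of sSMTP or caff: the file path is whatever you pass in, the option names are the ones shown above, and it only reads the file. It flags the three things that matter from a security standpoint: a clear-text AuthPass in a file other local users can read, STARTTLS not enabled, and a mailhub without an explicit submission port.

```sh
#!/bin/sh
# ssmtp_preflight.sh: added example, not part of the original post or of sSMTP.
# Checks an ssmtp.conf before handing it to caff's mail run. The config above
# keeps the SMTP password in clear text (AuthPass), so the file must not be
# readable by other users, submission should use STARTTLS, and mailhub should
# carry an explicit port. Assumes POSIX sh plus GNU or BSD stat.
set -eu

# conf_value FILE KEY: value of KEY (case-insensitive), ignoring comment lines.
# The value may itself contain '=' (passwords often do), so only the first one splits.
conf_value() {
    awk -v key="$2" -F= '
        /^[[:space:]]*#/ { next }
        NF >= 2 {
            k = $1; gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
            if (tolower(k) == tolower(key)) { v = $0; sub(/^[^=]*=/, "", v); print v; exit }
        }' "$1"
}

# other_perm FILE: the "other" permission digit of FILE's mode (0..7).
other_perm() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    printf '%s\n' "${mode#"${mode%?}"}"
}

# ssmtp_preflight FILE: print one finding per line; return 1 if any, 0 if clean.
ssmtp_preflight() {
    f="$1"; findings=0
    # A stored password plus the world-readable bit (4) on "other" is the real risk.
    if [ -n "$(conf_value "$f" AuthPass)" ] && [ $(( $(other_perm "$f") & 4 )) -ne 0 ]; then
        echo "AuthPass is stored in clear text but $f is world-readable; chmod 640 (or 600) it"
        findings=$((findings + 1))
    fi
    tls=$(conf_value "$f" UseSTARTTLS | tr '[:lower:]' '[:upper:]')
    if [ "$tls" != "YES" ]; then
        echo "UseSTARTTLS is not YES; credentials and signed keys would be submitted in clear text"
        findings=$((findings + 1))
    fi
    hub=$(conf_value "$f" mailhub)
    case "$hub" in
        *:[0-9]*) ;;
        *) echo "mailhub '$hub' has no port; sSMTP falls back to 25, use the submission port (587)"
           findings=$((findings + 1)) ;;
    esac
    [ "$findings" -eq 0 ]
}
```

Run it as `ssmtp_preflight /etc/ssmtp/ssmtp.conf`; a silent run with exit status 0 means the file passes all three checks. The permission check looks at the mode bits rather than at who is running the script, so it gives the same answer whether you run it as root or as your own user.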
Finally, this enabled me to send out the signed keys using caff. Unfortunately, the current version of caff adds an invalid Sender header consisting of username@hostname, though this has reportedly been fixed recently. I solved it myself by inserting the Sender line that was added in the patch mentioned above. Feel free to propose other enhancements in the comments.
Update, 16 February 2010: I now have a personal keysigning policy! To add the policy URL to every signature automatically, I use the following option in gpg.conf (again the one in ~/.caff/gnupghome, since that is the homedir caff signs from):
set-policy-url http://url/to/policy
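Since caff signs from its own homedir, the only way to be sure that an option in that gpg.conf (the default-cert-level above, or this set-policy-url) is honoured is to look at the certification gpg actually produces. The script below is an added example written for this page, not code from the post, caff or GnuPG: it writes a gpg.conf fragment into a throwaway GNUPGHOME, has a throwaway "signer" key certify a throwaway "target" key, and reads the signature packet back with gpg --list-packets. The key names, the example policy URL and the temporary directory are assumptions of the example; it needs GnuPG 2.1 or later.

```sh
#!/bin/sh
# check_caff_gpgconf.sh: added example, not code from the original post, caff or GnuPG.
# Writes a gpg.conf fragment into a throwaway GNUPGHOME, lets a throwaway "signer"
# key certify a throwaway "target" key, and dumps the resulting certification with
# --list-packets so you can see whether options such as default-cert-level and
# set-policy-url were actually honoured. Assumes GnuPG 2.1 or later on PATH.
# Never point this at ~/.caff/gnupghome or ~/.gnupg: it creates and signs keys.
set -eu

# certification_packet CONF: CONF becomes the whole gpg.conf of a fresh GNUPGHOME.
# Prints the --list-packets lines of the one signature packet issued by the signer.
certification_packet() {
    conf="$1"
    home=$(mktemp -d)
    chmod 700 "$home"
    export GNUPGHOME="$home"
    # Stop the agent started for this homedir and remove the keys when done.
    trap 'gpgconf --kill all >/dev/null 2>&1 || true; rm -rf "$home"' EXIT
    printf '%s\n' "$conf" > "$home/gpg.conf"

    # Two unprotected throwaway keys; names and addresses are made up for the example.
    for who in signer target; do
        gpg --quiet --batch --passphrase '' --pinentry-mode loopback \
            --quick-generate-key "$who <$who@example.invalid>" default default never
    done
    signer_id=$(gpg --with-colons --list-keys signer@example.invalid \
        | awk -F: '$1 == "pub" { print $5; exit }')

    # Certify target with signer; --yes answers the "Really sign?" prompt in batch mode.
    gpg --quiet --batch --yes --local-user signer@example.invalid \
        --sign-key target@example.invalid

    # Export target and keep only the signature packet whose issuer key id is the
    # signer's (self-signatures carry target's own key id and are dropped).
    gpg --export target@example.invalid | gpg --list-packets | awk -v id="$signer_id" '
        /^[:#]/ { keep = 0 }
        /^:signature packet:/ && index($0, "keyid " id) { keep = 1 }
        keep { print }'
}

# sigclass_of PACKETDUMP: the certification class, 0x10 (generic) to 0x13 (positive);
# default-cert-level N shows up here as 0x1N.
sigclass_of() {
    printf '%s\n' "$1" | sed -n 's/.*sigclass \(0x1[0-3]\).*/\1/p' | head -n 1
}

# policy_url_of PACKETDUMP: the Policy URL subpacket, empty if the signature has none.
policy_url_of() {
    printf '%s\n' "$1" | sed -n 's/.*(policy: \(.*\))$/\1/p' | head -n 1
}

# Stand-alone run: the configuration from the post plus an example policy URL.
if [ "${1:-}" = "--demo" ]; then
    pkt=$(certification_packet 'default-cert-level 2
set-policy-url http://example.invalid/keysigning-policy')
    printf 'sigclass: %s\npolicy: %s\n' "$(sigclass_of "$pkt")" "$(policy_url_of "$pkt")"
fi
```

With `sh check_caff_gpgconf.sh --demo` the certification comes back as sigclass 0x12 with the policy URL attached; drop the policy line from the fragment and the subpacket disappears, set default-cert-level 0 and the class becomes 0x10. To check your real caff setup, paste the contents of ~/.caff/gnupghome/gpg.conf into the argument rather than pointing the script at that directory.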
Tags: caff, encryption, FOSDEM, Gentoo Linux, Gmail, GnuPG, gpg, keysigning, PGP, SHA256, signing-party, sSMTP, TLS

