@delhage
Last active April 30, 2019 14:56
caff CA Fire and Forget

How to setup and use caff for signing GPG keys

Intro

caff is a Perl script that helps to automate signing of GPG keys after a signing party.

Installation

Fedora

$ dnf install pgp-tools

MacOS

I had a lot of trouble getting Perl to work on macOS Mojave, but this is what finally worked. First make sure that you have the Xcode Command Line Tools installed. Then:

brew install perl
brew link perl
brew install cpanminus
sudo installer -pkg /Library/Developer/CommandLineTools/Packages/macOS_SDK_headers_for_macOS_10.14.pkg -target /
cpanm Net::IDN::Encode
cpanm GnuPG::Interface --force

The last two commands install the Perl modules required by caff. The official home of caff seems to be https://salsa.debian.org/signing-party-team/signing-party. If you're only interested in caff itself, you can fetch the script directly:

curl https://salsa.debian.org/signing-party-team/signing-party/raw/master/caff/caff > ~/bin/caff
chmod +x ~/bin/caff

Requirements

caff requires a properly configured MTA. In this example we will use msmtp and assume you are relaying mail through your Gmail account. To do that you need to log in to Gmail and create an application password (used below).

The configuration for msmtp is located in ~/.msmtprc. An example configuration looks like this:

defaults
port 587
tls on
# On Fedora:
# tls_trust_file /etc/pki/tls/cert.pem
# On MacOS
tls_trust_file /usr/local/MacGPG2/share/ca-certs.crt

account gmail
host smtp.gmail.com
from your_account@gmail.com
auth on
user your_account
passwordeval gpg --no-tty -q -d ~/.msmtp-gmail.gpg

account default: gmail

You then create ~/.mailrc:

set sendmail="/usr/local/bin/msmtp"
# /usr/bin/msmtp on Fedora

Now you need to create ~/.msmtp-gmail.gpg, the encrypted file that holds your Gmail app password (msmtp decrypts it with the passwordeval command above):

gpg2 --encrypt -o ~/.msmtp-gmail.gpg -r your_account@gmail.com -

Then type your password, press Enter, and finally press Control-D to end the input.

Test

mail somebody@somewhere -s Test < /dev/null

caff configuration

# .caffrc -- vim:ft=perl:
# This file is in perl(1) format - see caff(1) for details.
$CONFIG{'gpg'} = '/usr/bin/gpg2';
$CONFIG{'owner'} = 'Lars Delhage';
$CONFIG{'email'} = 'lasse@nohup.se';
$CONFIG{'gpg-sign-args'} = 'save';
#$CONFIG{'reply-to'} = 'foo@bla.org';

$ENV{'PERL_MAILERS'} = 'sendmail:/usr/local/bin/msmtp';
# You can get your long keyid from
#   gpg --keyid-format long --list-key <yourkeyid|name|emailaddress..>
#
# If you have a v4 key, it will simply be the last 16 digits of
# your fingerprint.
#
# Example:
#   $CONFIG{'keyid'} = [ qw{FEDCBA9876543210} ];
#  or, if you have more than one key:
#   $CONFIG{'keyid'} = [ qw{0123456789ABCDEF 89ABCDEF76543210} ];
$CONFIG{'keyid'} = [ qw{E47DD536A6C33F91 B77BB16B569492FE} ];

# Select this/these keys to sign with
$CONFIG{'local-user'} = [ qw{E47DD536A6C33F91 B77BB16B569492FE} ];

# Additionally encrypt messages for these keyids
#$CONFIG{'also-encrypt-to'} = [ qw{D63DD4C4CAE87837 B77BB16B569492FE D63DD4C4CAE87837} ];

# Mail template to use for the encrypted part
$CONFIG{'mail-template'} = << 'EOM';
Hi,

please find attached the user id{(scalar @uids >= 2 ? 's' : '')}
{foreach $uid (@uids) {
    $OUT .= "\t".$uid."\n";
};}of your key {$key} signed by me.

If you have multiple user ids, I sent the signature for each user id
separately to that user id's associated email address. You can import
the signatures by running each through `gpg --import`.

Note that I did not upload your key to any keyservers. If you want this
new signature to be available to others, please upload it yourself.
With GnuPG this can be done using
	gpg --keyserver hkp://pool.sks-keyservers.net --send-key {$key}

If you have any questions, don't hesitate to ask.

Regards,
-- 
{$owner}
EOM

You can now use caff to sign keys. The simplest usage is to specify the keys you want to sign:

$ caff <Key ID 1> <Key ID 2> <...>

Some signing parties, like the one at FOSDEM, publish a file with all participants' keys and UIDs. You use this file to record whether you've verified the identity of each person at the signing party. For each key there are two checkboxes, e.g.:

072  [ ] Fingerprint OK        [ ] ID OK
pub   rsa3744 2018-08-16 [SC]
      A02F 55E4 4104 5583 2A7B  D63D E47D D536 A6C3 3F91
uid  Lars Delhage <lasse@nohup.se>
uid  Lars Delhage <delhage@gmail.com>
uid  Lars Delhage (KTH) <ldelhage@kth.se>
uid  Lars Delhage (KTH) <larsd@hallf.kth.se>
uid  Lars Delhage <delhage@fedoraproject.org>
uid  Lars Delhage (Red Hat) <ldelhage@redhat.com>
uid  Lars Delhage (ATG) <lars.delhage@konsult.atg.se>

At the top of the file there are two more checkboxes that you use to indicate that you have verified the RIPEMD160 and SHA256 checksums of the file itself:

RIPEMD160 Checksum: __ __ __ __  __ __ __ __  __ __ __ __  __ __ __ __

                    __ __ __ __  __ __ __ __  __ __ __ __  __ __ __ __

                    __ __ __ __  __ __ __ __                               [ ]


SHA256 Checksum:    __ __ __ __ __ __ __ __  __ __ __ __ __ __ __ __

                    __ __ __ __ __ __ __ __  __ __ __ __ __ __ __ __

                    __ __ __ __ __ __ __ __  __ __ __ __ __ __ __ __

                    __ __ __ __ __ __ __ __  __ __ __ __ __ __ __ __       [ ]

Now comes the handy part: if you edit this file and put an x in every checkbox that you have verified ([x] instead of [ ]), including the checksum boxes, you can then feed the file to caff:

$ caff < ksp-fosdem2019.txt

and it will go through the file, download all the keys you have marked as verified, and then sign them and mail the signatures to the recipients.
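As an added example (not part of the gist and not caff's own code), here is a small Python script that applies the rule just described to a KSP-style file: it parses the per-key checkbox lines and the checksum boxes, selects only the keys where both "Fingerprint OK" and "ID OK" are ticked, and reports which checksum boxes are still unticked. The sample file embedded in it is constructed; the names, fingerprints and checkbox states are made up, and the layout follows the FOSDEM excerpt above. caff does this selection itself; the script is useful for previewing what a marked-up file will cause caff to sign before you feed it in.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample in the layout of the FOSDEM KSP list shown above.
# Names, fingerprints and checkbox states are made up for this example.
SAMPLE_KSP = """\
RIPEMD160 Checksum: __ __ __ __  __ __ __ __  __ __ __ __  __ __ __ __

                    __ __ __ __  __ __ __ __                               [x]

SHA256 Checksum:    __ __ __ __ __ __ __ __  __ __ __ __ __ __ __ __

                    __ __ __ __ __ __ __ __  __ __ __ __ __ __ __ __       [ ]

001  [x] Fingerprint OK        [x] ID OK
pub   rsa4096 2018-01-01 [SC]
      0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567
uid  Alice Example <alice@example.org>
uid  Alice Example (work) <alice@example.com>

002  [x] Fingerprint OK        [ ] ID OK
pub   rsa3072 2019-02-02 [SC]
      FEDC BA98 7654 3210 FEDC  BA98 7654 3210 FEDC BA98
uid  Bob Example <bob@example.org>

003  [ ] Fingerprint OK        [ ] ID OK
pub   ed25519 2019-03-03 [SC]
      AAAA BBBB CCCC DDDD EEEE  FFFF 0000 1111 2222 3333
uid  Carol Example <carol@example.org>
"""

# "NNN  [x] Fingerprint OK        [x] ID OK"
ENTRY_RE = re.compile(r"^(\d{3})\s+\[(.)\] Fingerprint OK\s+\[(.)\] ID OK\s*$")
# Indented fingerprint line: ten groups of four upper-case hex digits.
FPR_RE = re.compile(r"^\s+((?:[0-9A-F]{4}\s+){9}[0-9A-F]{4})\s*$")
CHECKSUM_RE = re.compile(r"^(RIPEMD160|SHA256) Checksum:")
BOX_RE = re.compile(r"\[(.)\]\s*$")


def ticked(mark: str) -> bool:
    return mark.lower() == "x"


@dataclass
class Entry:
    number: str
    fingerprint_ok: bool
    id_ok: bool
    fingerprint: str = ""  # 40 hex digits, spaces removed
    uids: List[str] = field(default_factory=list)

    @property
    def verified(self) -> bool:
        # Both boxes ticked and a complete v4 fingerprint found under the entry.
        return self.fingerprint_ok and self.id_ok and len(self.fingerprint) == 40


def parse_ksp(text: str) -> Tuple[List[Entry], Dict[str, bool]]:
    """Return the key entries and the state of the two checksum boxes."""
    entries: List[Entry] = []
    checksums: Dict[str, bool] = {}
    current = None
    pending = None  # checksum block whose trailing [ ] box has not been reached yet
    for line in text.splitlines():
        m = CHECKSUM_RE.match(line)
        if m:
            pending = m.group(1)
        if pending is not None:
            # The box sits at the end of the last line of the checksum block.
            box = BOX_RE.search(line)
            if box:
                checksums[pending] = ticked(box.group(1))
                pending = None
            continue
        m = ENTRY_RE.match(line)
        if m:
            current = Entry(m.group(1), ticked(m.group(2)), ticked(m.group(3)))
            entries.append(current)
            continue
        if current is None:
            continue
        m = FPR_RE.match(line)
        if m:
            current.fingerprint = re.sub(r"\s+", "", m.group(1))
        elif line.startswith("uid"):
            current.uids.append(line[3:].strip())
    return entries, checksums


def select_verified(entries: List[Entry], checksums: Dict[str, bool]) -> Tuple[List[str], List[str]]:
    """Fingerprints that would be signed, plus the checksum boxes still unticked."""
    fprs = [e.fingerprint for e in entries if e.verified]
    unticked = [name for name in ("RIPEMD160", "SHA256") if not checksums.get(name, False)]
    return fprs, unticked


if __name__ == "__main__":
    entries, checksums = parse_ksp(SAMPLE_KSP)
    fprs, unticked = select_verified(entries, checksums)
    for name in unticked:
        print(f"warning: {name} checksum box is not ticked; verify the file before signing")
    print("would sign:", *fprs)
```

Run it against a real list with `parse_ksp(open("ksp-fosdem2019.txt").read())`. Treating an unticked checksum box as a warning rather than a hard stop is this example's choice: a key entry is only selected when both of its boxes are ticked, which is the same rule the marked-up file expresses to caff.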

@jonnisell

I had a different setup with High Sierra regarding tls_trust_file. It didn't work, so I came across this guide which said one could configure tls_fingerprint, and then it worked. I would like to include that in the guide.

@jonnisell

jonnisell commented Mar 17, 2019

I can't install the Perl modules required by GnuPG::Interface --force (see above). Is there a workaround?
When installing this module, click cancel on all warnings about passwords for test keys. The module will be installed, but not tested.
So, I had installed Perl incorrectly. It's important to set up the environment when completing the setup:
echo 'eval "$(perl -I$HOME/perl5/lib/perl5 -Mlocal::lib=$HOME/perl5)"' >> ~/.bashrc

@jonnisell

Also, the Perl installation might vary if you install with Brew, so check that the top line of the caff file matches your installation.

@jonnisell

@delhage Please change the last command to caff <ksp-fosdem2019.txt

@delhage

delhage commented Apr 30, 2019

@jonnisell done.
