caff stands for "CA - fire and forget". It is a Perl script that automates the manual steps you would otherwise have to repeat for every single key you want to sign after a key signing party. caff is part of the signing-party package.


sudo apt-get install signing-party


caff requires a properly configured MTA (mail transfer agent). This usually means the command mail -s "test_email" should work. On a workstation, a properly configured MTA would require, for instance, postfix installed with the SMTP server of your ISP configured as relayhost, and optionally outgoing email address rewrites so you don't send email as user@mylocalworkstation.

Preparation for first use

After the installation you have to set up your local caff environment. This is done in $HOME/.caff/ and especially in $HOME/.caffrc. Right after the installation there is nothing there; you can create the file .caffrc by simply calling caff on the command line.

$ caff
No configfile /home/[User]/.caffrc present, I will use this template:
[INFO] Error: No keys were found using "gpg --list-public-keys 'Username'".
[INFO] Error: No email address was found using "gpg --list-public-keys 'Username'".
# .caffrc -- vim:ft=perl:
# This file is in perl(1) format - see caff(1) for details.

$CONFIG{'owner'} = 'Username';
#$CONFIG{'email'} = '[user]@[domain]';
#$CONFIG{'reply-to'} = '';

# You can get your long keyid from
#   gpg --with-colons --list-key <yourkeyid|name|emailaddress..>
# If you have a v4 key, it will simply be the last 16 digits of
# your fingerprint.
# Example:
#   $CONFIG{'keyid'} = [ qw{FEDCBA9876543210} ];
#  or, if you have more than one key:
#   $CONFIG{'keyid'} = [ qw{0123456789ABCDEF 89ABCDEF76543210} ];
#$CONFIG{'keyid'} = [ qw{0123456789abcdef 89abcdef76543210} ];

# Select this/these keys to sign with
#$CONFIG{'local-user'} = [ qw{0123456789abcdef 89abcdef76543210} ];

# Additionally encrypt messages for these keyids
#$CONFIG{'also-encrypt-to'} = [ qw{0123456789abcdef 89abcdef76543210} ];

# Mail template to use for the encrypted part
#$CONFIG{'mail-template'} = << 'EOM';
#please find attached the user id{(scalar @uids >= 2 ? 's' : '')}
#{foreach $uid (@uids) {
#    $OUT .= "\t".$uid."\n";
#};}of your key {$key} signed by me.
#If you have multiple user ids, I sent the signature for each user id
#separately to that user id's associated email address. You can import
#the signatures by running each through `gpg --import`.
#Note that I did not upload your key to any keyservers. If you want this
#new signature to be available to others, please upload it yourself.
#With GnuPG this can be done using
#       gpg --keyserver --send-key {$key}
#If you have any questions, don't hesitate to ask.

Please edit /home/[User]/.caffrc and run caff again.

caff has now created a new $HOME/.caffrc, and you have to adapt some of the variables in it to your needs. At a minimum, set the following:

# change the name
$CONFIG{'owner'} = 'Bill Gates';
# change the email address
$CONFIG{'email'} = '';
# your keyid
$CONFIG{'keyid'} = [ qw{1234567890ABCDEF} ];

If you use more than one key, you have to add them all to $CONFIG{'keyid'}:

# in case you have more than one keyid
#                       <----keyid1----> <----keyid2----> (... and so on)
$CONFIG{'keyid'} = [ qw{1234567890ABCDEF ABCDEF1234567890} ];

You can get your keyids by using the command gpg --with-colons --list-key <yourkeyid|name|emailaddress..> as suggested by the output of the first caff call.

gpg --with-colons --list-key
pub:u:4096:1:1234567890ABCDEF:2013-08-08:::u:Bill Gates <>::scESC:
             |< your  keyid >|
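As an added example (not part of caff or of the original page), the following shell function reads gpg --with-colons output on stdin and prints the matching $CONFIG{'keyid'} line, skipping revoked or expired keys and checking each key ID against the last 16 digits of its fingerprint. The function name caff_keyid_line and the sample records are constructed for illustration.

```shell
#!/bin/sh
# Added example: build the $CONFIG{'keyid'} line for ~/.caffrc from
#   gpg --with-colons --with-fingerprint --list-key <name>
# read on stdin. caff_keyid_line is a hypothetical helper name.
caff_keyid_line() {
    awk -F: '
        # pub record: field 2 = validity, field 5 = long key id
        $1 == "pub" {
            if (pending != "") bad = 1           # previous key had no fpr record
            pending = ""
            if ($2 == "r" || $2 == "e") next     # skip revoked or expired keys
            if (length($5) != 16 || $5 ~ /[^0-9A-Fa-f]/) { bad = 1; next }
            pending = toupper($5)
            next
        }
        # first fpr record after a pub record: field 10 = fingerprint
        $1 == "fpr" && pending != "" {
            fpr = toupper($10)
            # v4 key: the key id is the last 16 hex digits of the fingerprint
            if (length(fpr) == 40 && substr(fpr, 25) == pending) {
                ids = (ids == "" ? pending : ids " " pending)
            } else {
                bad = 1
            }
            pending = ""
        }
        END {
            if (bad || pending != "" || ids == "") exit 1
            printf "$CONFIG{\047keyid\047} = [ qw{%s} ];\n", ids
        }'
}

# Constructed sample records (not real keys): one valid key, one revoked key.
SAMPLE='pub:u:4096:1:1234567890ABCDEF:2013-08-08:::u:::scESC:
fpr:::::::::AAAABBBBCCCCDDDDEEEEFFFF1234567890ABCDEF:
pub:r:2048:1:ABCDEF1234567890:2010-01-01:::-:::sc:
fpr:::::::::000011112222333344445555ABCDEF1234567890:'

printf '%s\n' "$SAMPLE" | caff_keyid_line
```

The function exits non-zero without printing anything if a key ID does not match its fingerprint or no usable key is found, so a bad line never reaches .caffrc.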

The template for the outgoing mail normally doesn't need to be changed, but if you want to change it, you can do this in the caffrc as well. If you haven't set up a local MTA yet, you have to set the variable $CONFIG{'mailer-send'} so caff can send the signing mail. Take a look at the caff manpage to see how this has to be done.

It's also recommended to use a stronger digest for signatures. To do so, add the following lines to ~/.caff/gnupghome/gpg.conf:

personal-digest-preferences SHA512
cert-digest-algo SHA512

(Duplicating options between caff's and the normal GnuPGHOME is no longer necessary since signing-party 2.3: if ~/.caff/gnupghome/gpg.conf does not exist, gpg options that are known to be safe for caff, including cert-digest-algo, are taken from ~/.gnupg/gpg.conf.)
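An added check (not part of caff or of the original page) that follows the precedence described above: it reports which gpg.conf caff would read and whether that file sets cert-digest-algo SHA512, including the case where an existing caff-specific gpg.conf without the option takes the place of ~/.gnupg/gpg.conf. The function name caff_cert_digest and the demo directory are constructed; using the last occurrence of a repeated option is an assumption.

```shell
#!/bin/sh
# Added example: report which gpg.conf caff consults and whether it sets
# cert-digest-algo SHA512. caff_cert_digest is a hypothetical helper name.
# Usage: caff_cert_digest [HOME_DIR]   (HOME_DIR defaults to $HOME)
caff_cert_digest() {
    home=${1:-$HOME}
    conf=$home/.caff/gnupghome/gpg.conf
    # signing-party >= 2.3: without a caff-specific gpg.conf, safe options
    # such as cert-digest-algo are taken from the normal ~/.gnupg/gpg.conf.
    [ -f "$conf" ] || conf=$home/.gnupg/gpg.conf
    algo=""
    if [ -f "$conf" ]; then
        # Commented-out lines do not match; assumption: last occurrence wins.
        algo=$(awk '$1 == "cert-digest-algo" { a = toupper($2) }
                    END { print a }' "$conf")
    fi
    echo "${conf}: cert-digest-algo=${algo:-unset}"
    [ "$algo" = "SHA512" ]
}

# Constructed demo in a throwaway directory (no real GnuPG home is touched).
demo=$(mktemp -d)
mkdir -p "$demo/.gnupg" "$demo/.caff/gnupghome"
printf 'personal-digest-preferences SHA512\ncert-digest-algo SHA512\n' \
    > "$demo/.gnupg/gpg.conf"
caff_cert_digest "$demo"                 # falls back to ~/.gnupg/gpg.conf
: > "$demo/.caff/gnupghome/gpg.conf"     # empty caff-specific file now exists
caff_cert_digest "$demo" || echo "caff-specific gpg.conf lacks the option"
rm -rf "$demo"
```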


Using caff to send signed mails is quite simple. Call caff [options] with one or more key IDs and caff will process those keys.

$ caff 01234567ABCDEFAB
$ # or more than one key
$ caff 11223344FFEEDDCC AABBCCDD99887766

Some questions will pop up. Please read them carefully and answer them. In the end you will reach the gpg prompt if you don't use the option -m yes. There you have to type save to save the signatures. Finally, caff will send the signature mail if you answer the last question with y.

gpg> save
[INFO] 11AE38DA1D42BF58 1 Max Example <max.example AT example DOT com> done.
[INFO] key BBB07FB2543E6CDDAD258F70B28DE9FDA9342BF08 done.
Mail signature for Max Example <max.example AT example DOT com> to 'max.example AT example DOT com'? [Y/n] y

That's it. Please visit the manpage for caff to read about the options you can use.


Getting a good overview of all your signatures and re-signatures is of course quite difficult, because you have to go through all the output of the gpg command. For an easier overview you can use the tool sig2dot, which draws your key and all the other keys involved as a colored map. You may need additional software if it is not already installed.

additional packages

sudo apt-get install graphviz xdot

To generate the map of all related keys to yours you can fire up the following 'one liner' on the command line:

$ gpg --list-sigs  | sig2dot | xdot

This will open the map automatically, and you can then, for example, print or save it.


There are some further useful links you may want to (or should) know.