caff is a synonym for "CA - fire and forget". It's a Perl script that helps you to automate the whole bunch of manual steps you have to do for every single key you want to sign after a key signing party. caff is part of the package signing-party. caff will mostly be used after a keysigning party.


sudo apt-get install signing-party


caff usually requires a properly configured MTA (mail transfer agent).

This usually means the command "mail -s "test_email"" should work. On a workstation, a properly configured MTA would required for instance postfix installed with the SMTP server of your ISP configured as a relayhost, and optionally outgoing email address rewrites so you don't send email as user@mylocalworkstation.

However, if you don't bother setup MTA or don't want to change config of MTA for some reason, such as on a roaming client (laptop, ...), msmtp can be an excellent alternative to a full-feature MTA. One more option is the usage of nullmailer.

Preparation for first use

After the installation you have to setup your local caff environment, this has to be done in $HOME/.caff/ and especially in $HOME/.caffrc. Right after the installation there is nothing there, you can create the file .caffrc by simple calling caff on the commandline.

$ caff
No configfile /home/[User]/.caffrc present, I will use this template:
[INFO] Error: No keys were found using "gpg --list-public-keys 'Username'".
[INFO] Error: No email address was found using "gpg --list-public-keys 'Username'".
# .caffrc -- vim:ft=perl:
# This file is in perl(1) format - see caff(1) for details.

$CONFIG{'owner'} = 'Username';
#$CONFIG{'email'} = '[user]@[domain]';
#$CONFIG{'reply-to'} = '';

# You can get your long keyid from
#   gpg --with-colons --list-key <yourkeyid|name|emailaddress..>
# If you have a v4 key, it will simply be the last 16 digits of
# your fingerprint.
# Example:
#   $CONFIG{'keyid'} = [ qw{FEDCBA9876543210} ];
#  or, if you have more than one key:
#   $CONFIG{'keyid'} = [ qw{0123456789ABCDEF 89ABCDEF76543210} ];
#$CONFIG{'keyid'} = [ qw{0123456789abcdef 89abcdef76543210} ];

# Select this/these keys to sign with
#$CONFIG{'local-user'} = [ qw{0123456789abcdef 89abcdef76543210} ];

# Additionally encrypt messages for these keyids
#$CONFIG{'also-encrypt-to'} = [ qw{0123456789abcdef 89abcdef76543210} ];

# Mail template to use for the encrypted part
#$CONFIG{'mail-template'} = << 'EOM';
#please find attached the user id{(scalar @uids >= 2 ? 's' : '')}
#{foreach $uid (@uids) {
#    $OUT .= "\t".$uid."\n";
#};}of your key {$key} signed by me.
#If you have multiple user ids, I sent the signature for each user id
#separately to that user id's associated email address. You can import
#the signatures by running each through `gpg --import`.
#Note that I did not upload your key to any keyservers. If you want this
#new signature to be available to others, please upload it yourself.
#With GnuPG this can be done using
#       gpg --keyserver --send-key {$key}
#If you have any questions, don't hesitate to ask.

Please edit /home/[User]/.caffrc and run caff again.

caff has now created a new $HOME/.caffrc and you have to change some of the variables inside to your needs. There is at least a minimum to setup.

# change the name
$CONFIG{'owner'} = 'Bill Gates';
# change the email address
$CONFIG{'email'} = '';
# your keyid
$CONFIG{'keyid'} = [ qw{1234567890ABCDEF} ];

If you have more than one key in use you have to add them all to $CONFIG{'keyid'}

# in case you have more than one keyid
#                       <----keyid1----> <----keyid2----> (... and so on)
$CONFIG{'keyid'} = [ qw{1234567890ABCDEF ABCDEF1234567890} ];

You can get your keyids by using the command gpg --with-colons --list-key <yourkeyid|name|emailaddress..> as suggested by the output off the first caff call.

gpg --with-colons --list-key
pub:u:4096:1:1234567890ABCDEF:2013-08-08:::u:Bill Gates <>::scESC:
             |< your  keyid >|

The template for the outgoing mail doesn't needed to be changed normally, but if you want to change you can this also in the caffrc. If you don't have set up a local MTA yet then you have to set the variable $CONFIG{'mailer-send'} so caff can send the signing mail. Take a look into the manpage of caff to see how this has to be done.

It's also recommended to use stronger digest for signature. (527944) So add the following lines to ~/.caff/gnupghome/gpg.conf if not already done by a recent version:

personal-digest-preferences SHA512
cert-digest-algo SHA512

(Duplicating options between caff's and the normal GnuPGHOME is no longer necessary since signing-party 2.3: if ~/.caff/gnupghome/gpg.conf does not exist, gpg options that are known to be safe for caff, including cert-digest-algo, are taken from ~/.gnupg/gpg.conf.)


The usage of caff to send signed mails is quite simple. You have to call caff [options] with one or more KeyID and caff will proceed your keys.

$ caff 01234567ABCDEFAB
$ # or more then one key
$ caff 11223344FFEEDDCC AABBCCDD99887766

There are some questions that will pop-up. Please read carefully and answer them. In the end you will reach the prompt of gpg if you don't use the option -m yes. There you have to type save to save the signatures. Finally caff will send the signature mail if answer that last question with y.

gpg> save
[INFO] 11AE38DA1D42BF58 1 Max Example <max.example AT example DOT com> done.
[INFO] key BBB07FB2543E6CDDAD258F70B28DE9FDA9342BF08 done.
Mail signature for Max Example <max.example AT example DOT com> to 'max.example AT example DOT com'? [Y/n] y

That's it. Please visit the manpage for caff to read about the options you can use.


To get a good overview of all your signs, and resigns is of course quite difficult because you have to go to all the output of the gpg command output. To get a easier overview you can use the tool sig2dot that will draw your key and all the other involved keys in a coloured map. You may need additional software if not all ready installed.

additional packages

sudo apt-get install graphviz xdot

To generate the map of all related keys to yours you can fire up the following 'one liner' on the command line:

$ gpg --list-sigs  | sig2dot | xdot

This will open the map automatically and you can print or save this map for example.


There are some further useful links you may want/should know.

CategoryPermalink CategorySoftware