I’ve finally got around to doing my homework from FOSDEM and since I’m sure before long I’ll have forgotten again how all this works, let me write it down here.

1. Installing CAFF (CA – Fire and Forget)


sudo aptitude install signing-party

2. Configuring CAFF

For this, open ~/.caffrc and add something like this:

$CONFIG{'owner'} = 'Siegfried Gevatter';
$CONFIG{'email'} = 'name@example.com';
$CONFIG{'keyid'} = [ qw{1CFC22F3363DEAE3} ];
$CONFIG{'gpg-sign-args'} = 'save';

The last line avoids the default behaviour of dropping you into an interactive gpg session for each key: after asking you once for confirmation, caff signs all user IDs on the key automatically. I've also set the certification level to 2 ("I have checked this key casually") by creating a ~/.caff/gnupghome/gpg.conf file (caff uses its own GnuPG home directory, so settings in ~/.gnupg/gpg.conf do not apply to the signatures it makes) with:

personal-digest-preferences SHA256
cert-digest-algo SHA256
default-cert-level 2

To further streamline the process, I've defined an alias in my ~/.bashrc so that caff won't ask for confirmation before sending each individual e-mail:

alias caff="caff -m yes"

3. Installing and configuring sSMTP

Now, so that caff can send out the mails, we need a mail transfer agent (MTA). If you don't have one already, install one and configure it to work with your e-mail setup (in my case, Gmail). I went with sSMTP, but any other MTA will do.

I followed these instructions to configure it: Send Mail with Gmail and sSMTP. Additionally, since /etc/ssmtp/ssmtp.conf contains the account password in plain text, I changed its permissions to 640 (-rw-r-----) and its owner and group to root:rainct (where rainct is my username), so that only root and my own user can read it.

4. Using CAFF

That's it, at least for the setup part; now the real work begins: verifying and signing all the keys. In my case I had the fingerprints printed out on paper and just typed "caff <id1> <id2> <…>" (e.g. "caff 363DEAE3"). caff then downloads the keys from the keyserver, shows each one and asks for confirmation so you can check the fingerprint against your paper slip, signs it, and finally e-mails each signature to its owner, encrypted to their key. Prefer the full fingerprint or at least the 16-character long key ID over an 8-character short ID: short IDs are only 32 bits and are easy to collide, so a keyserver lookup by short ID can return somebody else's key, and the confirmation prompt is then the only thing standing between you and signing it.
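To tie the steps above together, here is an added example (not from the original post) of a small wrapper around caff: it rejects short key IDs before anything is fetched from a keyserver, checks that the sSMTP configuration with the plain-text password is not world-readable, and only then calls caff with the -m yes option. It assumes a Linux system with GNU coreutils (stat -c) and that caff, ~/.caffrc, ~/.caff/gnupghome/gpg.conf and /etc/ssmtp/ssmtp.conf are set up as described; the function names and the CAFF override variable are mine, not caff's.

```shell
#!/bin/sh
# Added example: pre-flight checks before running caff (not part of the original post).
# Assumes GNU coreutils (stat -c) and the caff/sSMTP setup described in the post.

# normalize_keyid: strip spaces (as printed on a paper fingerprint slip) and an
# optional 0x prefix, and upper-case the hex digits.
normalize_keyid() {
    printf '%s' "$1" | tr -d ' ' | sed 's/^0[xX]//' | tr 'a-f' 'A-F'
}

# keyid_is_safe: accept only 16-hex long key IDs or 40-hex v4 fingerprints.
# 8-hex short IDs are rejected: at 32 bits they are trivial to collide, so a
# keyserver lookup by short ID may return a different key than the one you met.
keyid_is_safe() {
    id=$(normalize_keyid "$1")
    case "$id" in
        *[!0-9A-F]*) return 1 ;;
    esac
    case "${#id}" in
        16|40) return 0 ;;
        *) return 1 ;;
    esac
}

# conf_is_private FILE [OWNER]: the sSMTP config holds the mail password in
# plain text, so require that it is owned by OWNER (default root) and that the
# "other" permission bits are all clear (mode 640, 600, ...).
conf_is_private() {
    f=${1:-/etc/ssmtp/ssmtp.conf}
    want_owner=${2:-root}
    [ -f "$f" ] || return 1
    mode=$(stat -c '%a' "$f") || return 1
    owner=$(stat -c '%U' "$f") || return 1
    [ "$owner" = "$want_owner" ] || return 1
    case "$mode" in
        *0) return 0 ;;
        *) return 1 ;;
    esac
}

# sign_keys ID...: refuse to run caff at all if any argument is not a long key
# ID or a full fingerprint; otherwise sign and mail without per-mail prompts.
# The CAFF variable lets you substitute another command (e.g. CAFF=echo) for a
# dry run; it is an assumption of this example, not a caff feature.
sign_keys() {
    for k in "$@"; do
        if ! keyid_is_safe "$k"; then
            printf 'refusing short or invalid key id: %s\n' "$k" >&2
            return 1
        fi
    done
    "${CAFF:-caff}" -m yes "$@"
}

# Typical use, after sourcing this file:
#   conf_is_private || echo 'fix /etc/ssmtp/ssmtp.conf permissions first' >&2
#   sign_keys 1CFC22F3363DEAE3 '1CFC 22F3 363D EAE3 1CFC 22F3 363D EAE3 1CFC 22F3'
```

Running conf_is_private with no arguments checks the real /etc/ssmtp/ssmtp.conf for owner root; the owner parameter exists so the check can also be exercised on a scratch file as an unprivileged user. Note that sign_keys deliberately refuses the whole batch rather than skipping a bad entry, so a typo on the paper list is noticed before any key is downloaded.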

By the way, in case you accidentally sign the wrong key (e.g. one that was on your list but whose owner you didn't actually meet), you can still revoke your signature with the revsig command in gpg --edit-key and publish the updated key (see the "Help revoking a signature" mailing list post).