From HerzbubeWiki
Jump to: navigation, search


This page contains information about keysigning parties (KSPs) and how to efficiently handle the work involved prior and after a KSP.


Documents relevant for PGP keysigning parties:

Keysigning parties that I attended:

My own PGP Key Signing Policy:


Debian package

caff and other utilities that help with managing a keysigning party are part of the Debian package


caff =

caff needs to be run once so that it generates the config file:


This file then needs to be edited before the utility is used for real for the first time

$CONFIG{'owner'} = 'Patrick Näf Moser';
$CONFIG{'email'} = '';
$CONFIG{'keyid'} = [ qw{1319CD4F3FF38573} ];
$CONFIG{'mail-template'} = << 'EOM';

This is caff, the automated PGP keysigning tool, running on behalf of
{$owner} ({$email}). Please find attached the user ID{(scalar @uids >= 2 ? 's' : '')}
        gpg --keyserver --send-key {$key}

caff uses its own keyring in


The keyring can be examined with the --homedir option, e.g.

gpg --homedir ~/.caff/gnupghome --list-keys

The following options must be placed into ~/.caff/gnupghome/gpg.conf, esp. the latter two options are important as they influence how keysigning works:

charset utf-8
keyserver hkp://

caff places signed key that it has processed into:



To make sure that caff is allowed to send email from the command line, the following file needs to be modified:


The following line needs to be added:


The reason for this change is that if a recipient MTA performs callout verification, aka sender address verification, the sending email address "" must be known to the MTA exim, otherwise it will reject the callout as a bogus bounce.

Before the KSP



During the KSP


After the KSP

Using caff to automate signing


caff --key-file ksp-zrh2k9.asc AAE6022E


  • Signs the public key AAE6022E
  • Instead of downloading the key from a keyserver, the content of the specified file is imported into caff's keyring. Note: All keys in the file are imported, not just the one to be signed.
  • Unless signatures are generated manually, all signatures are level 3
  • UIDs that have no email can be attached to all emails sent to other UIDs. It is not possible to attach only to a single email - either all or none!
  • caff asks for each signatures whether an email should be sent. The signature is created even if no email is sent.

Alternative uses of caff:

  • Sign a public key, but download it first from a keyserver. The download is attempted even if the key is already present in caff's keyring.
caff AAE6022E
  • Sign a public key without downloading it first from a keyserver
caff --no-download 4CBC0D03

Importing signatures

Usually signatures are sent as .asc email attachments. After decrypting the email (if it is encrypted, which is usually the case), the attachment can be saved and afterwards the signature can be imported with the following command (the example assumes the signature is stored in a caff-generated file name):

gpg --import 0x1319CD4F3FF38573.1.signed-by-0xC09E1D8995930EDE.asc

If several signature files are present, they can be imported in one fell swoop:

gpg --import *.asc

When all signatures have been imported, they may be listed like this:

gpg --list-sigs 3FF38573

It may also be useful to import the signers' public keys so that signatures are displayed with a meaningful user ID. Hopefully the KSP has provided an .asc file for download that contains the public keys of all participants. This file can then be imported like this:

gpg --import ksp-zrh2k9.asc

Other stuff

  • caff: CA - Fire and Forget signs and mails a key
  • pgp-clean: removes all non-self signatures from key
  • pgp-fixkey: removes broken packets from keys
  • gpg-mailkeys: simply mail out a signed key to its owner
  • gpg-key2ps: generate PostScript file with fingerprint paper strips
  • gpgdir: recursive directory encryption tool
  • gpglist: show who signed which of your UIDs
  • gpgsigs: annotates list of GnuPG keys with already done signatures
  • gpgparticipants: create list of party participants for the organiser
  • gpgwrap: a passphrase wrapper
  • keyanalyze: minimum signing distance (MSD) analysis on keyrings
  • keylookup: ncurses wrapper around gpg --search
  • sig2dot: converts a list of GnuPG signatures to a .dot file
  • springgraph: creates a graph from a .dot file