Using CAFF to sign GPG keys
Set up email

If you don't have a mail transport agent set up (such as sendmail or postfix), exim4 provides a simple satellite-only configuration that relays everything through a smarthost.

  1. install exim4
    sudo apt-get install exim4
  2. Configure exim4 by following the on screen instructions
    dpkg-reconfigure exim4-config
    • Note: when asked for the mail server configuration type, choose the satellite option (mail sent by smarthost; no local mail)
    • When finished, /etc/exim4/update-exim4.conf.conf should look like this:
      # /etc/exim4/update-exim4.conf.conf
      #
      # Edit this file and /etc/mailname by hand and execute update-exim4.conf
      # yourself or use 'dpkg-reconfigure exim4-config'
      #
      # Please note that this is _not_ a dpkg-conffile and that automatic changes
      # to this file might happen. The code handling this will honor your local
      # changes, so this is usually fine, but will break local schemes that mess
      # around with multiple versions of the file.
      #
      # update-exim4.conf uses this file to determine variable values to generate
      # exim configuration macros for the configuration file.
      #
      # Most settings found in here do have corresponding questions in the
      # Debconf configuration, but not all of them.
      #
      # This is a Debian specific file
      
      dc_eximconfig_configtype='satellite'
      dc_other_hostnames=''
      dc_local_interfaces=''
      dc_readhost='hpe.com'
      dc_relay_domains=''
      dc_minimaldns='true'
      dc_relay_nets=''
      dc_smarthost='***.com'
      CFILEMODE='644'
      dc_use_split_config='false'
      dc_hide_mailname='true'
      dc_mailname_in_oh='true'
      dc_localdelivery='mail_spool'
  3. Add aliases to /etc/email-addresses to map each local username to the From address it should send as
  4. Send a test email
    mail -s <subject> <to address>

    Leave the Cc prompt blank (or add anyone you like), type the body, then press Ctrl+D to send the email

Set up CAFF

  1. Install the signing-party package if it is not already installed; it provides caff
  2. Configure caff by running caff once (this creates ~/.caffrc) and then editing that file
    1. Set the owner, email, and reply-to values
    2. Set the keyid field to the last four 4-character groups of your GPG fingerprint (find it with gpg --fingerprint <userid>)
    3. If desired, uncomment the lines below the # Mail template line to include instructions in your response mail
  3. Sign a key with caff
    caff <keyid>
    1. When you reach the gpg prompt, type save and press Enter
    • The last option lets you send the response email

Import a Key Sent with CAFF

  1. Download the *.asc file sent in the email
  2. Decrypt the message using gpg
    gpg msg.asc
    • This will create a msg file
  3. Import the signature of your key
    gpg --import msg
  4. Push your key back to the keyserver
    gpg --keyserver pool.sks-keyservers.net --send-key <your keyid>

Get Rid of the Pesky [User ID Not Found] When Listing Sigs

  1. List the signatures on your key; signers whose public key is missing from your keyring show up as [User ID Not Found]
    gpg --list-sigs <your keyid>
  2. Receive any missing keys from the keyserver
    gpg --keyserver pool.sks-keyservers.net --recv-keys <missing key>
    • You can pass --recv-keys several key IDs at once by separating them with white space
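As an added example (not from the original page), this POSIX shell snippet automates steps 1 and 2 above: it pulls the key IDs behind each [User ID Not Found] out of gpg --list-sigs output and assembles the matching --recv-keys command. The listing it parses is a constructed sample standing in for your real output; the keyserver defaults to the one used on this page.

```bash
#!/bin/sh
# Added example: collect the signer key IDs shown as "[User ID not found]"
# in `gpg --list-sigs` output and build the --recv-keys command to fetch them.

# Constructed sample of `gpg --list-sigs <your keyid>` output (not real keys).
SAMPLE_LIST_SIGS='pub   rsa4096 2014-05-01 [SC]
uid           [ultimate] Example User <user@example.com>
sig 3        0123456789ABCDEF 2014-05-01  Example User <user@example.com>
sig          89ABCDEF01234567 2015-02-11  [User ID not found]
sig 3        FEDCBA9876543210 2015-02-12  Alice Signer <alice@example.org>
sig          89ABCDEF01234567 2015-02-11  [User ID not found]
sig 2  L     1122334455667788 2016-09-30  [User ID not found]
sub   rsa4096 2014-05-01 [E]
sig          0123456789ABCDEF 2014-05-01  Example User <user@example.com>'

# Read `gpg --list-sigs` text on stdin; print each missing signer key ID once.
# The key ID is the first 8- or 16-hex-digit token after "sig"; the trust
# class digit (1-3) and flag letters (L, P, R, ...) that may precede it are skipped.
missing_sig_keyids() {
  awk '$1 == "sig" && /\[User ID not found\]/ {
         for (i = 2; i <= NF; i++)
           if ((length($i) == 8 || length($i) == 16) && $i ~ /^[0-9A-Fa-f]+$/) {
             print $i; break
           }
       }' | sort -u
}

# Build the fetch command; key IDs are passed as one whitespace-separated list.
# Returns 1 (and prints nothing) when no signer key is missing.
build_recv_cmd() {
  keyserver="${1:-pool.sks-keyservers.net}"
  ids=$(missing_sig_keyids | tr '\n' ' ')
  [ -n "$ids" ] || return 1
  printf 'gpg --keyserver %s --recv-keys %s\n' "$keyserver" "${ids% }"
}

# Real usage: gpg --list-sigs <your keyid> | build_recv_cmd
printf '%s\n' "$SAMPLE_LIST_SIGS" | build_recv_cmd
```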