PGP keysigning


If you’re wondering “I participated in a PGP keysigning event, what am I supposed to do now?”, this blog post is for you.

When you come home from (e.g.) Embedded Recipes 2026 having participated in the keysigning event, you should have a list of the other participants with their verified names and certificate fingerprints.

A useful tool to do the actual signing is caff. If you’re using Debian, Fedora or Arch, it’s contained in the signing-party package; if it’s not packaged for your distro maybe the easiest option is to resort to distrobox.

caff helps you to verify the email addresses of the UIDs you chose to sign by mailing your signature on that UID to the indicated email address. This way you make sure that only someone who controls the email account is able to get their hands on your signature.

Once caff is set up correctly, you can just do:

caff --key-file ksp-er2026.pgp < ksp-er2026-annotated.txt

where ksp-er2026.pgp is a keyring containing all the participants’ certificates and ksp-er2026-annotated.txt is the list of participants, edited to have an x in every checkbox you crossed during the event. caff will guide you through the actual signing and send out each signature as described above. So if you signed both UIDs of a certificate that has two different email addresses, it will send two emails, each containing only one signature.

For the participants that gave you a paper slip with their fingerprint and name, just use:

caff --keys-from-gnupg 0123456789abcdef

(where 0123456789abcdef is their cert ID), assuming that their certificate was already imported into your GnuPG keyring. (Alternatively, use --key-file ... again.) Don’t forget to double-check the fingerprint in this case.
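The fingerprint double-check for the paper-slip case is easy to get wrong by eye (40 hex digits, grouped in fours), so here is an added example of scripting it; this is not code from the post or from caff. It reads the output of `gpg --with-colons --fingerprint <id>` on stdin, takes the primary-key fingerprint from field 10 of the first `fpr` record, normalises the fingerprint as written on the slip, and additionally checks that the key ID you are about to pass to caff is the tail of that fingerprint (for v4 keys the 16-hex key ID is the low 64 bits of the fingerprint). The sample `--with-colons` output, its fingerprint and its key ID are constructed for the demo and do not belong to a real certificate.

```shell
#!/bin/sh
# Added example (not from the post or caff): verify a paper-slip fingerprint
# against the certificate in your GnuPG keyring before handing it to caff.
# Input on stdin: `gpg --with-colons --fingerprint <id>`; the fingerprint is
# field 10 of the "fpr" record that follows the "pub" record.

# Strip whitespace and upper-case a fingerprint as written on a paper slip.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'abcdef' 'ABCDEF'
}

# Print the primary-key fingerprint (first fpr record) from --with-colons output.
primary_fpr_from_colons() {
    awk -F: '$1 == "fpr" { print $10; exit }'
}

# Usage: check_fingerprint "<slip fingerprint>" "<key id>" < colons-output
# Returns 0 only if the slip fingerprint has 40 hex digits, equals the keyring
# fingerprint, and ends in the given key ID.
check_fingerprint() {
    slip=$(normalize_fpr "$1")
    keyid=$(normalize_fpr "$2")
    ring=$(primary_fpr_from_colons)
    [ "${#slip}" -eq 40 ] || { echo "slip fingerprint is not 40 hex digits" >&2; return 1; }
    [ "$slip" = "$ring" ] || { echo "MISMATCH: slip $slip vs keyring $ring" >&2; return 1; }
    case "$slip" in
        *"$keyid") ;;
        *) echo "key ID $keyid is not the tail of fingerprint $slip" >&2; return 1 ;;
    esac
    return 0
}

# Constructed sample of `gpg --with-colons --fingerprint 0123456789abcdef`.
# The key ID, fingerprints and UID are made up for this demo.
SAMPLE_COLONS='pub:u:4096:1:0123456789ABCDEF:1577836800:::u:::scESC::::::23::0:
fpr:::::::::1234567890ABCDEF123456780123456789ABCDEF:
uid:u::::1577836800::0000000000000000000000000000000000000000::Example Person <person@example.org>::::::::::0:
sub:u:4096:1:FEDCBA9876543210:1577836800::::::e::::::23:
fpr:::::::::89ABCDEF0123456789ABCDEF0123456789ABCDEF:'

# With a real keyring you would pipe gpg output and only then call caff:
#   gpg --with-colons --fingerprint "$id" | check_fingerprint "$slip" "$id" \
#       && caff --keys-from-gnupg "$id"
if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE_COLONS" \
        | check_fingerprint "1234 5678 90AB CDEF 1234  5678 0123 4567 89AB CDEF" 0123456789abcdef \
        && echo "fingerprint verified; safe to run caff --keys-from-gnupg 0123456789abcdef"
fi
```

Run it as `sh check-fpr.sh demo` to see the constructed sample pass; a single wrong digit on the slip, or a key ID that does not match the fingerprint's last 16 hex digits, makes `check_fingerprint` fail with a message on stderr, so a `&&` chain into caff never signs the wrong certificate.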

The catch is that setting caff up correctly is non-trivial because in the default configuration caff assumes it can just hand mail to your local MTA, which isn’t true on most machines today. On its first invocation caff creates a default configuration in ~/.caffrc that you likely have to modify.

If you have set up msmtp, a workable solution is to set

$CONFIG{'mailer-send'} = [ 'msmtp', '--account=youraccount' ];

in your .caffrc. For plain SMTP the following should work:

$CONFIG{'mailer-send'} =  [ 'smtp', Server => 'mail.server', Auth => ['user', 'pass'] ];

(Note that you’d then have your password in a clear-text file.)