=over
-=item B<caff> [-mMR] [-u I<yourkeyid>] I<keyid> [I<keyid> ..]
+=item B<caff> [-eEmMRS] [-u I<yourkeyid>] I<keyid> [I<keyid> ..]
=back
=over
+=item B<-e>, B<--export-old>
+
+Export old signatures. Default is to ask the user for each old signature.
+
+=item B<-E>, B<--no-export-old>
+
+Do not export old signatures. Default is to ask the user for each old
+signature.
+
=item B<-m>, B<--mail>
Send mail after signing. Default is to ask the user for each uid.
Do not retrieve the key to be signed from a keyserver.
+=item B<-S>, B<--no-sign>
+
+Do not sign the keys.
+
=item B<-u> I<yourkeyid>, B<--local-user> I<yourkeyid>
Select the key that is used for signing, in case you have more than one key.
An additional keyid to encrypt messages to. Default: none.
+=item B<gpg-sign-args> [string]
+
+Additional arguments to pass to gpg. Default: none.
+
=head2 Keyserver settings
=item B<keyserver> [string]
die ("keyid is not defined.\n") unless defined $CONFIG{'keyid'};
die ("keyid is not an array ref\n") unless (ref $CONFIG{'keyid'} eq 'ARRAY');
for my $keyid (@{$CONFIG{'keyid'}}) {
- $keyid =~ /^[A-Fa-z0-9]{16}$/ or die ("key $keyid is not a long (16 digit) keyid.\n");
+ $keyid =~ /^[A-Fa-f0-9]{16}$/ or die ("key $keyid is not a long (16 digit) keyid.\n");
};
@{$CONFIG{'keyid'}} = map { uc } @{$CONFIG{'keyid'}};
$CONFIG{'export-sig-age'}= 24*60*60 unless defined $CONFIG{'export-sig-age'};
$OUT .= "\t".$uid."\n";
};} of your key {$key} signed by me.
-Note that I did not upload your key to any keyservers. If you want this
-new signature to be available to others, please upload it yourself.
-With GnuPG this can be done using
+Note that I did not upload your key to any keyservers.
+If you have multiple user ids, I sent the signature for each user id
+separately to that user id's associated email address. You can import
+the signatures by running each through `gpg --import`.
+
+If you want this new signature to be available to others, please upload
+it yourself. With GnuPG this can be done using
gpg --keyserver subkeys.pgp.net --send-key {$key}
If you have any questions, don't hesitate to ask.
return ($stdout, $stderr, $status);
};
-sub ask($$) {
- my ($question, $default) = @_;
+sub ask($$;$$) {
+ my ($question, $default, $forceyes, $forceno) = @_;
+ return $default if $forceyes and $forceno;
+ return 1 if $forceyes;
+ return 0 if $forceno;
my $answer;
while (1) {
print $question,' ',($default ? '[Y/n]' : '[y/N]'), ' ';
sub usage($$) {
my ($fd, $exitcode) = @_;
version($fd);
- print $fd "Usage: $PROGRAM_NAME [-mMR] [-u <yourkeyid>] <keyid> [<keyid> ...]\n";
+ print $fd "Usage: $PROGRAM_NAME [-eEmMRS] [-u <yourkeyid>] <keyid> [<keyid> ...]\n";
print $fd "Consult the manual page for more information.\n";
exit $exitcode;
};
'-V' => \$params->{'version'},
'-u=s' => \$params->{'local-user'},
'--local-user=s' => \$params->{'local-user'},
+ '-e' => \$params->{'export-old'},
+ '--export-old' => \$params->{'export-old'},
+ '-E' => \$params->{'no-export-old'},
+ '--no-export-old' => \$params->{'no-export-old'},
'-m' => \$params->{'mail'},
'--mail' => \$params->{'mail'},
'-M' => \$params->{'no-mail'},
'--no-mail' => \$params->{'no-mail'},
'-R' => \$params->{'no-download'},
'--no-download' => \$params->{'no-download'},
+ '-S' => \$params->{'no-sign'},
+ '--no-sign' => \$params->{'no-sign'},
)) {
usage(\*STDERR, 1);
};
if ($params->{'local-user'}) {
$USER = $params->{'local-user'};
$USER =~ s/^0x//i;
- unless ($USER =~ /^([A-Z0-9]{8}|[A-Z0-9]{16}|[A-Z0-9]{32}|[A-Z0-9]{40})$/i) {
+ unless ($USER =~ /^([A-Z0-9]{8}|[A-Z0-9]{16}|[A-Z0-9]{40})$/i) {
print STDERR "-u $USER is not a keyid.\n";
usage(\*STDERR, 1);
};
for my $keyid (@ARGV) {
$keyid =~ s/^0x//i;
- unless ($keyid =~ /^([A-Z0-9]{8}|[A-Z0-9]{16}|[A-Z0-9]{32}|[A-Z0-9]{40})$/i) {
+ unless ($keyid =~ /^([A-Z0-9]{8}|[A-Z0-9]{16}||[A-Z0-9]{40})$/i) {
print STDERR "$keyid is not a keyid.\n";
usage(\*STDERR, 1);
};
$CONFIG{'no-download'} = $params->{'no-download'} if defined $params->{'no-download'};
$CONFIG{'no-mail'} = $params->{'no-mail'} if defined $params->{'no-mail'};
$CONFIG{'mail'} = $params->{'mail'} if defined $params->{'mail'};
+$CONFIG{'no-sign'} = $params->{'no-sign'} if defined $params->{'no-sign'};
#################
if ($CONFIG{'no-download'}) {
@keyids_ok = @KEYIDS;
} else {
+ info ("fetching keys, this will take a while...");
+
my $gpg = GnuPG::Interface->new();
$gpg->call( $CONFIG{'gpg'} );
$gpg->options->hash_init(
'extra_args' => '--keyserver='.$CONFIG{'keyserver'} );
$gpg->options->meta_interactive( 0 );
my ($inputfd, $stdoutfd, $stderrfd, $statusfd, $handles) = make_gpg_fds();
-
- my %local_keyids = map { $_ => 1 } @KEYIDS;
- info ("fetching keys, this will take a while...");
my $pid = $gpg->recv_keys(handles => $handles, command_args => [ @KEYIDS ]);
my ($stdout, $stderr, $status) = readwrite_gpg('', $inputfd, $stdoutfd, $stderrfd, $statusfd);
waitpid $pid, 0;
# [GNUPG:] NODATA 1
# [GNUPG:] NODATA 1
# [GNUPG:] IMPORT_OK 0 25FC1614B8F87B52FF2F99B962AF4031C82E0039
+ my %local_keyids = map { $_ => 1 } @KEYIDS;
for my $line (split /\n/, $status) {
if ($line =~ /^\[GNUPG:\] IMPORT_OK \d+ ([0-9A-F]{40})/) {
my $imported_key = $1;
- if (not exists $local_keyids{$imported_key}) {
- warn("Imported unexpected key; got: $imported_key.\n");
+ my $whole_fpr = $imported_key;
+ my $long_keyid = substr($imported_key, -16);
+ my $short_keyid = substr($imported_key, -8);
+ my $speced_key;
+ for my $spec (($whole_fpr, $long_keyid, $short_keyid)) {
+ $speced_key = $spec if $local_keyids{$spec};
+ };
+ unless ($speced_key) {
+ notice ("Imported unexpected key; got: $imported_key\n");
next;
};
- info ("Imported $imported_key");
- delete $local_keyids{$imported_key};
+ debug ("Imported $imported_key for $speced_key");
+ delete $local_keyids{$speced_key};
unshift @keyids_ok, $imported_key;
+ } elsif ($line =~ /^\[GNUPG:\] (NODATA|IMPORT_RES|IMPORTED) /) {
+ } else {
+ notice ("got unknown reply from gpg: $line");
}
};
- notice ("Import failed for: ". (join ' ', keys %local_keyids).".") if scalar %local_keyids;
+ if (scalar %local_keyids) {
+ notice ("Import failed for: ". (join ' ', keys %local_keyids).".");
+ exit 1 unless ask ("Some keys could not be imported - continue anyway?", 0);
+ }
};
+unless (@keyids_ok) {
+ notice ("No keys to sign found");
+ exit 0;
+}
+
###########
# sign keys
###########
push @command, '--secret-keyring', $CONFIG{'secret-keyring'};
push @command, '--edit', $keyid;
push @command, 'sign';
+ push @command, split ' ', $CONFIG{'gpg-sign-args'} || "";
print join(' ', @command),"\n";
system (@command);
};
if ($signed_by_me) {
if ($NOW - $signed_by_me > $CONFIG{'export-sig-age'} ) {
- my $write = ask("Signature on $this_uid_text is old. Export?", 0);
+ my $write = ask("Signature on $this_uid_text is old. Export?", 0, $params->{'export-old'}, $params->{'no-export-old'});
next unless $write;
};
my $keydir = "$KEYSBASE/$DATE_STRING";
if (!$uid->{'is_uat'} && ($uid->{'text'} =~ /@/)) {
my $address = $uid->{'text'};
$address =~ s/.*<(.*)>.*/$1/;
- if ($CONFIG{'mail'} or ask("Send mail to '$address' for $uid->{'text'}?", 1)) {
+ if (ask("Send mail to '$address' for $uid->{'text'}?", 1, $CONFIG{'mail'})) {
my $mail = send_mail($address, $can_encrypt, $longkeyid, $uid, @attached);
my $keydir = "$KEYSBASE/$DATE_STRING";