Using caff to sign lots of keys
-------------------------------

If you have loads of keys to sign (sometimes, there are keysigning parties with
more than 100 participants), keysigning can be awkward, even with caff. It gets
worse if you have multiple local keys and want to sign with all of them.

Some hints to get the signing done faster:

* Use fingerprints instead of key ids.

  caff and gpg allow you to specify the full fingerprint. This will save you
  from having to check the fingerprint yourself. If you have a text file with
  all fingerprints, use that and then run

  $ caff <options> `cat ksp-fingerprints.txt`

* v3 keys are evil.

  V3 keys (pgp 2.6x keys) are deprecated. Not only do they rely on MD5 for
  their fingerprint and signatures, they also use the patented IDEA algorithm
  for encryption. Also, there are several attacks that make creating new keys
  with the same keyid trivial. Others make it possible to create different
  keys with the same fingerprint (though the key will not actually contain
  valid RSA parameters).

  Because of these problems a lot of people (like caff's author) refuse to sign
  v3 keys these days.

  If you still want to sign v3 keys, sign them separately. Batch processing
  does not work. See README.v3-keys.

* Use multiple passes.

  Running the retrieving, signing, and mailing steps as separate passes can
  help, e.g.:

  $ caff --no-sign --no-export-old --no-mail `cat ksp-fingerprints.txt`
  $ caff --no-download --no-export-old --no-mail `cat ksp-fingerprints.txt`
  $ caff --no-download --no-sign --no-export-old `cat ksp-fingerprints.txt`

* If you have multiple local keys, only send mail once after signing with all.

  caff will send out all previously done signatures in the message. (Of course
  you have to configure $CONFIG{'keyid'} to contain all your key ids.)

  $ caff --no-export-old --no-mail -u <mykey1> <other_key>
  $ caff --no-download --no-export-old -u <mykey2> <other_key>

* Use gpg-agent.

  See README.gpg-agent.

 -- Christoph Berg <cb@df7cb.de>  Sat,  2 Jul 2005 21:22:07 +0200
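
Added example, not part of the original README or of caff itself: a shell
pre-check for the fingerprint list used in the hints "Use fingerprints instead
of key ids" and "v3 keys are evil". It keeps only full 40-hex-digit (v4)
fingerprints for the batch run and reports 32-hex-digit (MD5, v3) fingerprints
and short key ids separately. The function names and the sample list are
assumptions, constructed for illustration.

```shell
#!/bin/sh
# Added example: pre-check a keysigning-party fingerprint list for caff.
# Function names and sample data are constructed for illustration.

# classify_fpr LINE: print "v4 FPR", "v3 FPR" or "bad".
classify_fpr() {
    # Drop the spacing gpg prints between groups and normalise to upper case.
    fpr=$(printf '%s' "$1" | tr -d ' \t\r' | tr 'a-f' 'A-F')
    fpr=${fpr#0[xX]}                    # optional 0x prefix
    case $fpr in
        ''|*[!0-9A-F]*) echo "bad"; return 0 ;;
    esac
    case ${#fpr} in
        40) echo "v4 $fpr" ;;           # SHA-1 fingerprint of a v4 key
        32) echo "v3 $fpr" ;;           # MD5 fingerprint of a v3 key
        *)  echo "bad" ;;               # e.g. an 8 or 16 digit key id
    esac
}

# batch_args FILE: print the v4 fingerprints on one line, suitable as the
# key arguments of a caff run; v3 and malformed entries go to stderr.
batch_args() {
    args=
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in ''|'#'*) continue ;; esac
        res=$(classify_fpr "$line")
        case $res in
            v4*) args="$args ${res#v4 }" ;;
            v3*) echo "v3 key, sign separately: ${res#v3 }" >&2 ;;
            *)   echo "not a full fingerprint: $line" >&2 ;;
        esac
    done < "$1"
    printf '%s\n' "${args# }"
}

# Constructed sample list (made-up values, not real keys).
sample=$(mktemp)
cat > "$sample" <<'EOF'
# KSP participants
0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567
00112233445566778899aabbccddeeff
0xDEADBEEF
EOF
batch_args "$sample"
rm -f "$sample"
```

With the list checked this way, the batch command from the first hint can take
its key arguments from $(batch_args ksp-fingerprints.txt) instead of the raw file.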