signing-party: complete toolkit for efficient key-signing!

February 18th, 2007 edited by lucas

Entry submitted by Thijs Kinkhorst. DPOTD needs your help, please contribute !

signing-party is a package combining a set of tools used in managing OpenPGP / GnuPG cryptographic keys. The most important tools in this package are used in preparing for or processing the results of gatherings to exchange key signatures, hence the name “signing-party”. If you are coming to FOSDEM next week-end, you should definitely have a look at it!

The two tools most interesting for the average user are gpg-key2ps and caff.

gpg-key2ps is used before attending a signing party. The script takes your public key and creates PostScript (PS) output that has your key fingerprint and userid’s nicely formatted on paper slips. The only thing left for you to do is to cut the paper.

When you arrive home after the signing event, you need a way to process all these paper slips. That’s where caff comes in. Give it a list of key-ID’s, and it will cycle through them, present you with the key’s fingerprint and asks you to confirm that it matches the paper you got.

The most important part about the signing process is that you verified the key owner’s real identity. However, caff adds additional security to that: it encrypts your signature on their key with their own key, and then mails it to them. It mails the signature for a specific user ID to the emailaddress on that user ID. This brings additional security: before the recipient can add your signature to their key, they must decrypt it with their private key, proving that they indeed have access to the key they claimed to be theirs. By mailing to the email addresses on the key user ID’s, it is also verified that the key owner can indeed read that address. All this you get for free - caff stands for “CA fire and forget”: you confirm that fingerprints match, and caff handles the rest.

Target Users:

  • Anyone signing OpenPGP keys.

Further reading:

The signing-party package is available in both Debian and Ubuntu. The caff tool is only available in Debian Etch and up, or in the package from

Posted in Debian, Ubuntu |

2 Responses

  1. Samat Jain Says:

    caffe isn’t very friendly to desktop users, as it requires a local MTA or SMTP server, and has a very unfriendly configuration file.

    For KMail users, I’ve written a quick script that automates key signing and sends e-mails via KMail.

  2. uomo Says:

    The information I found here was rather helpful. Thank you for this.