Package: signing-party
Version: 2.2-1
Severity: wishlist

Hello,

I am interested in using CAFF on an airgapped machine, which at the
moment is somewhat non-obvious. If I can find the time, I would like to
develop some kind of CSR-like workflow, would others be interested in this?

The kind of workflow that I was thinking of would go something like this:

[connected machine]
caff --write-csr csr.tar.gz <fingerprints>

[airgapped machine]
caff --sign-csr csr.tar.gz --output csr.signed.tar.gz

[connected machine]
caff --mail-from-csr csr.signed.tar.gz

csr.tar.gz would be a tarball containing the keys to be signed, and
csr.signed.tar.gz would be a tarball containing a key file per
fingerprint/UID-pair.

I originally emailled Guilhem, who had the following to say:
-------------------------------------------------------------------------
On Wed, 10 Feb 2016 at 01:39:23 +0100, Lachlan Gunn wrote:
> I keep my master key on an offline machine, which as far as I can tell
> rules out using CAFF at the moment, unfortunately.

Not exactly.  You can use the method described in
/usr/share/doc/signing-party/caff/README.many-keys (but indeed it's not
very convenient).

  online ~$ xargs caff --no-sign --no-export-old --no-mail
<ksp-fingerprints.txt
  # copy the keys to the airgap
  offline ~$ xargs caff --no-download --no-export-old --no-mail
<ksp-fingerprints.txt
  # copy the signed keys from the airgap's .caff/gnupghome
  online ~$ xargs caff --no-download --no-sign --no-export-old
<ksp-fingerprints.txt

> For my purposes, it would be nice to be able to use some kind of
> CSR-like workflow where I could run it on my main machine, generate a
> directory/tarball that I can copy to my laptop with the keys, do the
> actual signing, and then rather than emailing the results generate
> another directory/tarball that I can copy back to do the automatic
> emailling.

18months ago Ximin Luo asked me whether I would be interred in
integrating wrapper agcaff [0] for offline signing.  My main issue with
it is the hardcoded path and filenames.

Instead, I came up with that (not released):

  online ~$ caff -EMS --export-keys /mnt/keyring.asc --export-keylist
/mnt/fprs.txt </path/to/participants.txt
  offline ~$ xargs caff -MR --export-signatures --key-file
/mnt/keyring.asc </mnt/fprs.txt
  online ~$ xargs caff -RS --key-file /mnt/keyring.asc </mnt/fprs.txt

The downside here is that the user would have to mount manually (but I
don't think caff should assume anything on the transport in use anyway).
-------------------------------------------------------------------------

Thanks,
Lachlan

Attachment: signature.asc
Description: OpenPGP digital signature

Reply via email to