Package: signing-party Version: 2.2-1 Severity: wishlist Hello,
I am interested in using CAFF on an airgapped machine, which at the moment is somewhat non-obvious. If I can find the time, I would like to develop some kind of CSR-like workflow, would others be interested in this? The kind of workflow that I was thinking of would go something like this: [connected machine] caff --write-csr csr.tar.gz <fingerprints> [airgapped machine] caff --sign-csr csr.tar.gz --output csr.signed.tar.gz [connected machine] caff --mail-from-csr csr.signed.tar.gz csr.tar.gz would be a tarball containing the keys to be signed, and csr.signed.tar.gz would be a tarball containing a key file per fingerprint/UID-pair. I originally emailled Guilhem, who had the following to say: ------------------------------------------------------------------------- On Wed, 10 Feb 2016 at 01:39:23 +0100, Lachlan Gunn wrote: > I keep my master key on an offline machine, which as far as I can tell > rules out using CAFF at the moment, unfortunately. Not exactly. You can use the method described in /usr/share/doc/signing-party/caff/README.many-keys (but indeed it's not very convenient). online ~$ xargs caff --no-sign --no-export-old --no-mail <ksp-fingerprints.txt # copy the keys to the airgap offline ~$ xargs caff --no-download --no-export-old --no-mail <ksp-fingerprints.txt # copy the signed keys from the airgap's .caff/gnupghome online ~$ xargs caff --no-download --no-sign --no-export-old <ksp-fingerprints.txt > For my purposes, it would be nice to be able to use some kind of > CSR-like workflow where I could run it on my main machine, generate a > directory/tarball that I can copy to my laptop with the keys, do the > actual signing, and then rather than emailing the results generate > another directory/tarball that I can copy back to do the automatic > emailling. 18months ago Ximin Luo asked me whether I would be interred in integrating wrapper agcaff [0] for offline signing. My main issue with it is the hardcoded path and filenames. Instead, I came up with that (not released): online ~$ caff -EMS --export-keys /mnt/keyring.asc --export-keylist /mnt/fprs.txt </path/to/participants.txt offline ~$ xargs caff -MR --export-signatures --key-file /mnt/keyring.asc </mnt/fprs.txt online ~$ xargs caff -RS --key-file /mnt/keyring.asc </mnt/fprs.txt The downside here is that the user would have to mount manually (but I don't think caff should assume anything on the transport in use anyway). ------------------------------------------------------------------------- Thanks, Lachlan
signature.asc
Description: OpenPGP digital signature

