On Fri, 12 Feb 2016 at 15:34:27 +0100, Lachlan Gunn wrote: > I am interested in using CAFF on an airgapped machine, which at the > moment is somewhat non-obvious. If I can find the time, I would like to > develop some kind of CSR-like workflow, would others be interested in this? > The kind of workflow that I was thinking of would go something like this: > > [connected machine] > caff --write-csr csr.tar.gz <fingerprints>
The gzipped tarball format looks really overkill. How about an OpenPGP keyring (possibly armored)? No need for caff here, gpg(1) can do this alone: gpg --export <fingerprints> >/tmp/keyring.gpg (you could also add ‘--export-options export-minimal’) > [airgapped machine] > caff --sign-csr csr.tar.gz --output csr.signed.tar.gz Then it's just caff --key-file /tmp/keyring.gpg <fingerprints> > [connected machine] > caff --mail-from-csr csr.signed.tar.gz I guess this is the most cumbersome step with the current workflow, since one needs to export the signed keys from caff's own GNUPGHOME. How about an option ‘--signed-key-file’ (and ‘--lsigned-key-file’ for local sigs)? Caff would export all signed keys in the specified file. Then on the online machine, you could run caff -SR --key-file /tmp/signed-keyring.gpg <fingerprints> -- Guilhem.
signature.asc
Description: PGP signature

