This page lists scripts for assisting in running or participating in key signing parties. For scripts that sign keys fully automatically please see RobotCA.

Scripts which help organise a party:

Scripts which help participants do the signatures after a party:

  • by Dr Bacchus Perl ref
  • caff (CA fire and forget) by in Perl ref
  • cabot by Ian Jackson, Joost van Baal, Laurent Fousse and Peter Palfrader in Perl ref.

If you use one of these scripts, please add comments / opinions.

Simple keysigning with caff on Ubuntu:

Caff is a script written to assist with Debian keysignings. I used this to sign all the keys I sighted at 2006.


Install some packages: apt-get install signing-party gnupg-agent pinentry-gtk2

signing-party contains caff and some other useful scripts. gpg-agent allows you to save your passphrase in memory for a short period, and thus not type it in on every key you sign.

I've specified pinentry-gtk2 here, but curses might work for you if you don't have X on the machine you are using or prefer the console.

Setting up your keysigning files

Generate a list of all the keys you need to sign, one per line. The keylist.txt that you printed and used to tick off IDs on is a good place to start. I went through the list, grepped out only the lines with 'pub' on them, and then removed the ones I didn't want to sign. I then checked them all, confirming I had the right keys, and used some RegularExpressions to cut out only the 8-digit key fingerprint, so I had a file that looked like this:


Configure a couple of things:

Add use-agent so caff will use gpg-agent (note, caff uses its own GPG environment files)
default-cache-ttl 600
pinentry-program /usr/bin/pinentry-gtk-2 (change for the correct pinentry program)
add $CONFIG{'gpg-sign-args'} = "save"; (as per /usr/share/doc/signing-party/caff/README.many-keys)

A short aside for Ubuntu/Postfix users

If you're running a default Ubuntu insatllation, your MTA is Postfix. This setup will generae e-mail with envelope headers from username@localhost.localdomain (which is bad - lots of hosts on the Internet will drop the messages as the domain isn't real). You should fix the config before you proceed. I fixed it by adding smtp_generic_maps = hash:/etc/postfix/generic to /etc/postfix/, and creating an /etc/postfix/generic file like so:


I then had to run postmap /etc/postfix/generic. It might also be appropriate to make Postfix send mail through a smarthost, as I had a few messages not deliver because I am on a DSL IP address.

If I'd known this BEFORE running caff, I would have fixed it with apt-get install exim4. :)

If any Postfix gurus read this, can they please tidy this section up?

Performing the signing

Start gpg-agent: eval `gpg-agent --daemon`

And start signing keys: caff -mR --key-file lca2006-keyring.gpg `cat keys-to-sign.txt`

In this case, because I have a keyring file, I have specified -R - don't download from keyserver - which speeds this process up. -m specifies that I always want to send mail. It is important to use backticks rather than xargs to pass the list of keys to sign -- caff uses standard in for its own confirmations after signing, and when run from xargs can bail out ungracefully after emailing a subset of the signed keys.

Now, when you sign your first key, you will be asked for a passphrase, which will be kept in memory. You should only have to hit 'y' (to sign all keys) and 'y' (really sign), on each of your preprepared keys, to proceed.

It is good form to be checking against your list as you go, even at this point.

caff will then mail out on your behalf a message like this:


please find attached the user id.
        Pie Man <>
of your key DEADBEEFBAADF00D signed by me.

Note that I did not upload your key to any keyservers.
If you have multiple user ids, I sent the signature for each user id
separately to that user id's associated email address. You can import
the signatures by running each through `gpg --import`.

If you want this new signature to be available to others, please upload
it yourself. With GnuPG this can be done using
      gpg --keyserver --send-key DEADBEEFBAADF00D

If you have any questions, don't hesitate to ask.

Key Signer

Your work here is done.