---
layout: post
title: "GnuPG 2.1.2 doesn't work with caff"
date: 2015-05-09 01:50:02 +0200
comments: true
categories:
---

Today I signed a GnuPG key using my air-gapped master private key, and then tried to send the signature to the key owner from my network-connected workstation using [caff](https://wiki.debian.org/caff). This failed miserably, with caff unable to find a valid signature, and `gpg --list-secret-keys` missing the (stub) private key.

It turns out that I had inadvertently upgraded GnuPG on this workstation to version 2.1.2, which has a [completely revamped secret keys handling](https://www.gnupg.org/faq/whats-new-in-2.1.html#nosecring): secret key material is now entirely handled by `gpg-agent`, and the `--secret-keyring` command line option for `gpg` (which `caff` depends on) is now [obsolete](https://lists.gnupg.org/pipermail/gnupg-devel/2014-December/029296.html). GnuPG 2.1 apparently also chokes on some legacy keys, and the work-around is to [reimport the keyring manually](http://jo-ke.name/wp/?p=111).

`caff` has been [fixed](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=771857) to support GnuPG 2.1. However this depends on GnuPG 2.1.3 or newer, which is [not in the ports tree yet](https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=200057), so for the time being I have reverted to the "stable" 2.0 release: `portmaster -o security/gnupg20 gnupg`.