This describes the settings available in the robotca.ini file. The file
should have one [robotca] section which contains all values. You can put
other sections in the file and use the -i option to select one
of them instead of the default [robotca].
| var | default | necessity | description |
|---|---|---|---|
| gpgbin | /usr/bin/gpg | unneeded | The path to GnuPG. |
| DEBUG | 0 | unneeded | Set to 1 to turn on debugging. The command line -d option overrides this setting. |
| expectlog | 0 | unneeded | Set to 1 to get the Expect module to log its activities to stdout (used for debugging). |
| myaddr | none | recommended | This is used in the reply mail. It's also used to detect loops (keys with the robot's address). |
| mykey | none | recommended | This is the key fingerprint for the robot's own key. If it's present, the robot will export its own key along with the user's signed key. Otherwise, it will export only the user's signed key. |
| histfile | none | recommended | This is the name of the file used to store history. The robot won't create this file if it doesn't exist. The history file is used to track when the robot signed keys for a particular email address, so it doesn't sign an address too often. This file must be a valid Perl script; it is executed by the robot, so anyone who can write to it can run code as the robot. Keep it writable only by the robot's own account. |
| passphrase | none | required | This is the passphrase for the robot's key. It's used when interacting with gpg to sign a key. Since it is stored here in clear text, robotca.ini should be readable only by the robot's own account. |
| sign_freq | 86400 (24 hours) | unneeded | This controls how often the robot is allowed to sign for the same email address. It keeps a malicious user from anonymously flooding a victim with signed keys. It's the number of seconds between signings. |
| operator | none | recommended | This is the email address of the robot's operator. It's put in the response email to the user. It's also the recipient if the 'mailop' option is on. |
| mailop | 0 | unneeded | Set to 1 to get a copy of every signed key sent to the operator. Useful for debugging. Be sure to delete the resulting emails since they could contain signed keys for users whose email bounced and should not be signed. |
| url | none | recommended | This is the URL for the robot's home page. It's included in the response email sent to the user. |
| logfile | none | recommended | This is the name of a file to use for logging. If there's a problem, it may contain the only hints you get. It will log a line for every key it signs, and for every failure. |
| sigclass | 0 | unneeded | This is the answer to GnuPG's question about how carefully you've verified the identity of the key's owner. It must be one of 0, 1, 2, or 3. I consider 3 to be a bad value for this application. I run mine with 0. |
| cert_expire | 0 | recommended | Make signatures expire in this many days. 0 = no expiration. You can append 'w', 'm', or 'y' to make this weeks, months, or years ('3w' is three weeks). |
| cert_url | url | recommended | This is set as the policy URL on the signature. If not given, this defaults to the 'url' parameter. If you want to have a 'url' but not 'cert_url', set this explicitly to blank. |
| sign_email_only | 0 | optional | Flag that when set makes the robot sign only UIDs that do not contain a real name or comment. It will only sign UIDs that contain only an email address. Note that it's very liberal about what it accepts as characters in an email address. |
An example robotca.ini:

```ini
[robotca]
DEBUG=0
logfile=/home/robotca/log
myaddr=robotca@toehold.com
histfile=/home/robotca/history
passphrase=XXX
mykey=9A53 74CE 8CC3 13FB E2D2 1183 1058 1685 C521 097E
operator=rcaop@toehold.com
url=http://www.toehold.com/robotca/
cert_expire=3m
```
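The following is an added example, not code from robotca itself, showing how the rules in the table above can be checked before the robot is started: it parses an ini file, selects a section the way the -i option does, applies the table's defaults, resolves cert_url from url (with an explicit blank turning it off), converts cert_expire suffixes to days, and flags the settings a practitioner would worry about (missing passphrase, sigclass 3, sign_freq 0). The validation rules, the 30-day month and 365-day year used for cert_expire, the 40-hex fingerprint check for mykey, and the sample sections are this example's own assumptions; the robot may behave differently.

```python
"""Parse and sanity-check a robotca.ini-style file (added example, not robotca code)."""
import configparser
import re

# Defaults taken from the settings table above.
DEFAULTS = {"gpgbin": "/usr/bin/gpg", "DEBUG": "0", "expectlog": "0",
            "sign_freq": "86400", "mailop": "0", "sigclass": "0",
            "cert_expire": "0", "sign_email_only": "0"}
REQUIRED = ("passphrase",)
RECOMMENDED = ("myaddr", "mykey", "histfile", "operator", "url", "logfile", "cert_expire")
FLAGS = ("DEBUG", "expectlog", "mailop", "sign_email_only")
_EXPIRE_RE = re.compile(r"^(\d+)([wmy]?)$")


def cert_expire_days(value):
    """'0', '14', '3w', '6m', '1y' -> days (0 = no expiration).
    Month = 30 days and year = 365 days is this example's assumption."""
    m = _EXPIRE_RE.match(value.strip())
    if not m:
        raise ValueError(f"bad cert_expire value: {value!r}")
    return int(m.group(1)) * {"": 1, "w": 7, "m": 30, "y": 365}[m.group(2)]


def load_robotca(text, section="robotca"):
    """Return (settings, problems) for one section; `section` mirrors -i.
    Problems are strings starting with 'error:' or 'warning:'."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep DEBUG upper-case as the table spells it
    cp.read_string(text)
    if not cp.has_section(section):
        raise KeyError(f"no [{section}] section in config")
    given = dict(cp.items(section))
    cfg = {**DEFAULTS, **given}
    problems = []

    for key in REQUIRED:
        if not cfg.get(key):
            problems.append(f"error: {key} is required")
    for key in RECOMMENDED:
        if key not in given:
            problems.append(f"warning: {key} not set")

    # cert_url defaults to url; an explicit blank cert_url turns it off.
    if "cert_url" not in given:
        cfg["cert_url"] = cfg.get("url", "")

    for key in FLAGS:
        if cfg[key] not in ("0", "1"):
            problems.append(f"error: {key} must be 0 or 1, got {cfg[key]!r}")

    if not (cfg["sigclass"].isdigit() and int(cfg["sigclass"]) <= 3):
        problems.append(f"error: sigclass must be 0, 1, 2 or 3, got {cfg['sigclass']!r}")
    elif cfg["sigclass"] == "3":
        problems.append("warning: sigclass 3 asserts identity checking an unattended robot cannot do")

    if not cfg["sign_freq"].isdigit():
        problems.append(f"error: sign_freq must be a number of seconds, got {cfg['sign_freq']!r}")
    elif int(cfg["sign_freq"]) == 0:
        problems.append("warning: sign_freq 0 disables the per-address flood protection")

    try:
        cfg["cert_expire_days"] = cert_expire_days(cfg["cert_expire"])
    except ValueError as e:
        problems.append(f"error: {e}")

    # mykey may be written with spaces; normalise and expect a 40-hex
    # OpenPGP v4 fingerprint (this example's assumption).
    if "mykey" in given:
        fp = given["mykey"].replace(" ", "").upper()
        if re.fullmatch(r"[0-9A-F]{40}", fp):
            cfg["mykey"] = fp
        else:
            problems.append("error: mykey does not look like a 40-hex fingerprint")
    return cfg, problems


# Constructed sample: a sensible section plus a deliberately weak one.
SAMPLE_INI = """\
[robotca]
DEBUG=0
logfile=/home/robotca/log
myaddr=robotca@example.org
histfile=/home/robotca/history
passphrase=XXX
mykey=9A53 74CE 8CC3 13FB E2D2 1183 1058 1685 C521 097E
operator=rcaop@example.org
url=http://www.example.org/robotca/
cert_expire=3m

[weak]
myaddr=robotca@example.org
url=http://www.example.org/robotca/
sigclass=3
sign_freq=0
cert_expire=2 weeks
"""

if __name__ == "__main__":
    for name in ("robotca", "weak"):
        cfg, problems = load_robotca(SAMPLE_INI, name)
        print(f"[{name}] cert_url={cfg['cert_url']!r} expire_days={cfg.get('cert_expire_days')}")
        for p in problems:
            print("  ", p)
```

Running it prints no problems for the [robotca] section and, for [weak], the missing passphrase and malformed cert_expire as errors alongside warnings for the unset recommended keys, sigclass 3 and sign_freq 0.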