Today I signed a GnuPG key using my air-gapped master private key,
and then tried to send the signature to the key owner from
my network-connected workstation using caff.
This failed miserably, with caff unable to find a valid signature,
and gpg --list-secret-keys missing the (stub) private key.
It turns out that I had inadvertently upgraded GnuPG on this workstation
to version 2.1.2, which has completely revamped secret key handling:
secret key material is now entirely handled by
--secret-keyring command line option for
depends on) is now
GnuPG 2.1 apparently also chokes on some legacy keys, and the work-around is to reimport the keyring manually.
caff has been fixed
to support GnuPG 2.1. However this depends on GnuPG 2.1.3 or newer,
which is not in the ports tree yet,
so for the time being I have reverted
to the “stable” 2.0 release:
portmaster -o security/gnupg20 gnupg.