2016-07-30 11:45:50 +00:00
Note: the GPG-related code is still under development,
so please try the current implementation and feel free
to report any issue you have encountered. Thanks!
2016-06-20 19:38:30 +00:00
# Installation
2016-05-07 10:02:10 +00:00
2016-05-07 12:51:01 +00:00
First, verify that you have GPG 2.1+ [installed ](https://gist.github.com/vt0r/a2f8c0bcb1400131ff51 ):
2016-06-20 19:13:05 +00:00
2016-05-06 19:16:03 +00:00
```
2016-05-07 12:51:01 +00:00
$ gpg2 --version | head -n1
gpg (GnuPG) 2.1.11
2016-05-06 19:16:03 +00:00
```
2016-06-20 19:13:05 +00:00
Update you TREZOR firmware to the latest version (at least [c720614 ](https://github.com/trezor/trezor-mcu/commit/c720614f6e9b9c07f446c95bda0257980d942871 )).
Install latest `trezor-agent` package from [gpg-agent ](https://github.com/romanz/trezor-agent/commits/gpg-agent ) branch:
2016-05-07 17:41:34 +00:00
```
2016-06-20 19:13:05 +00:00
$ pip install git+https://github.com/romanz/trezor-agent.git@gpg-agent
2016-05-07 17:41:34 +00:00
```
2016-05-07 12:51:01 +00:00
Define your GPG user ID as an environment variable:
```
$ export TREZOR_GPG_USER_ID="John Doe < john @ doe . bit > "
2016-05-06 19:16:03 +00:00
```
2016-05-07 10:15:29 +00:00
2016-05-07 12:51:01 +00:00
There are two ways to generate TREZOR-based GPG public keys, as described below.
2016-05-07 10:15:29 +00:00
2016-06-20 19:13:05 +00:00
## 1. generate a new GPG identity:
2016-05-07 06:41:58 +00:00
```
2016-06-20 19:13:05 +00:00
$ trezor-gpg create | gpg2 --import # use the TREZOR to confirm signing the primary key
gpg: key 5E4D684D: public key "John Doe < john @ doe . bit > " imported
gpg: Total number processed: 1
gpg: imported: 1
$ gpg2 --edit "${TREZOR_GPG_USER_ID}" trust # set this key to ultimate trust (option #5 )
$ gpg2 -k
/home/roman/.gnupg/pubring.kbx
------------------------------
pub nistp256/5E4D684D 2016-06-17 [SC]
uid [ultimate] John Doe < john @ doe . bit >
sub nistp256/A31D9E25 2016-06-17 [E]
2016-05-07 06:41:58 +00:00
```
2016-05-07 10:15:29 +00:00
2016-06-20 19:13:05 +00:00
## 2. generate a new subkey for an existing GPG identity:
2016-05-06 19:16:03 +00:00
```
2016-06-20 19:13:05 +00:00
$ gpg2 -k # suppose there is already a GPG primary key
/home/roman/.gnupg/pubring.kbx
------------------------------
pub rsa2048/87BB07B4 2016-06-17 [SC]
uid [ultimate] John Doe < john @ doe . bit >
sub rsa2048/7176D31F 2016-06-17 [E]
$ trezor-gpg create --subkey | gpg2 --import # use the TREZOR to confirm signing the subkey
gpg: key 87BB07B4: "John Doe < john @ doe . bit > " 2 new signatures
gpg: key 87BB07B4: "John Doe < john @ doe . bit > " 2 new subkeys
gpg: Total number processed: 1
gpg: new subkeys: 2
gpg: new signatures: 2
$ gpg2 -k
/home/roman/.gnupg/pubring.kbx
------------------------------
pub rsa2048/87BB07B4 2016-06-17 [SC]
uid [ultimate] John Doe < john @ doe . bit >
sub rsa2048/7176D31F 2016-06-17 [E]
sub nistp256/DDE80B36 2016-06-17 [S]
sub nistp256/E3D0BA19 2016-06-17 [E]
2016-05-07 12:51:01 +00:00
```
2016-05-06 19:16:03 +00:00
2016-06-20 19:13:05 +00:00
# Usage examples:
## Start the TREZOR-based gpg-agent:
2016-05-06 19:16:03 +00:00
```
2016-06-20 19:13:05 +00:00
$ trezor-gpg agent &
```
Note: this agent intercepts all GPG requests, so make sure to close it (e.g. by using `killall trezor-gpg` ),
when you are done with the TREZOR-based GPG operations.
## Sign and verify GPG messages:
```
$ echo "Hello World!" | gpg2 --sign | gpg2 --verify
gpg: Signature made Fri 17 Jun 2016 08:55:13 PM IDT using ECDSA key ID 5E4D684D
gpg: Good signature from "Roman Zeyde < roman.zeyde @ gmail . com > " [ultimate]
```
## Encrypt and decrypt GPG messages:
```
$ date | gpg2 --encrypt -r "${TREZOR_GPG_USER_ID}" | gpg2 --decrypt
gpg: encrypted with 256-bit ECDH key, ID A31D9E25, created 2016-06-17
"Roman Zeyde < roman.zeyde @ gmail . com > "
Fri Jun 17 20:55:31 IDT 2016
2016-05-06 19:16:03 +00:00
```
2016-05-07 10:02:10 +00:00
2016-05-07 12:51:01 +00:00
## Git commit & tag signatures:
Git can use GPG to sign and verify commits and tags (see [here ](https://git-scm.com/book/en/v2/Git-Tools-Signing-Your-Work )):
2016-05-07 10:02:10 +00:00
```
2016-06-20 19:13:05 +00:00
$ git config --local gpg.program gpg2
2016-05-07 12:51:01 +00:00
$ git commit --gpg-sign # create GPG-signed commit
$ git log --show-signature -1 # verify commit signature
$ git tag --sign "TAG" # create GPG-signed tag
$ git verify-tag "TAG" # verify tag signature
2016-06-20 19:13:05 +00:00
```