trezor-agent/README-GPG.md

97 lines
3.2 KiB
Markdown
Raw Normal View History

2016-07-30 11:52:50 +00:00
Note: the GPG-related code is still under development, so please try the current implementation
and feel free to [report any issue](https://github.com/romanz/trezor-agent/issues) you have encountered.
Thanks!
2016-07-30 11:45:50 +00:00
2016-06-20 19:38:30 +00:00
# Installation
2016-05-07 10:02:10 +00:00
First, verify that you have GPG 2.1.11+ installed
([Debian](https://gist.github.com/vt0r/a2f8c0bcb1400131ff51),
[macOS](https://sourceforge.net/p/gpgosx/docu/Download/)):
2016-06-20 19:13:05 +00:00
2016-05-06 19:16:03 +00:00
```
2016-05-07 12:51:01 +00:00
$ gpg2 --version | head -n1
gpg (GnuPG) 2.1.15
2016-05-06 19:16:03 +00:00
```
This GPG version is included in [Ubuntu 16.04](https://launchpad.net/ubuntu/+source/gnupg2)
and [Linux Mint 18](https://community.linuxmint.com/software/view/gnupg2).
2017-05-06 18:13:07 +00:00
Update you device firmware to the latest version and install your specific `agent` package:
2016-06-20 19:13:05 +00:00
```
2017-05-06 18:13:07 +00:00
$ pip install --user (trezor|keepkey|ledger)_agent
```
2016-10-22 19:44:45 +00:00
# Quickstart
2016-05-07 10:15:29 +00:00
2016-10-24 16:48:47 +00:00
## Identity creation
[![asciicast](https://asciinema.org/a/90416.png)](https://asciinema.org/a/90416)
2016-06-20 19:13:05 +00:00
In order to use specific device type for GPG indentity creation, use either command:
```
$ DEVICE=(trezor,ledger) ./scripts/gpg-init "John Doe <john@doe.bit>"
```
2016-10-24 16:48:47 +00:00
## Sample usage (signature and decryption)
[![asciicast](https://asciinema.org/a/120441.png)](https://asciinema.org/a/120441)
2016-05-07 10:02:10 +00:00
In order to use specific device type for GPG operations, set the following environment variable to either:
```
$ export GNUPGHOME=~/.gnupg/{trezor,ledger}
```
2016-11-11 18:05:47 +00:00
You can use GNU Privacy Assistant (GPA) in order to inspect the created keys
and perform signature and decryption operations using:
```
$ sudo apt install gpa
$ GNUPGHOME=~/.gnupg/trezor gpa
2016-11-11 18:05:47 +00:00
```
[![GPA](https://cloud.githubusercontent.com/assets/9900/20224804/053d7474-a849-11e6-87f3-ab07dc536158.png)](https://www.gnupg.org/related_software/swlist.html#gpa)
2016-05-07 12:51:01 +00:00
## Git commit & tag signatures:
Git can use GPG to sign and verify commits and tags (see [here](https://git-scm.com/book/en/v2/Git-Tools-Signing-Your-Work)):
2016-05-07 10:02:10 +00:00
```
$ git config --local gpg.program $(which gpg2)
2016-05-07 12:51:01 +00:00
$ git commit --gpg-sign # create GPG-signed commit
$ git log --show-signature -1 # verify commit signature
$ git tag v1.2.3 --sign # create GPG-signed tag
$ git tag v1.2.3 --verify # verify tag signature
2016-10-04 16:59:08 +00:00
```
2017-03-28 18:21:35 +00:00
## Password manager
First install `pass` from [passwordstore.org](https://www.passwordstore.org/) and initialize it to use your TREZOR-based GPG identity:
```
$ export GNUPGHOME=~/.gnupg/trezor
2017-03-28 18:21:35 +00:00
$ pass init "Roman Zeyde <roman.zeyde@gmail.com>"
Password store initialized for Roman Zeyde <roman.zeyde@gmail.com>
```
Then, you can generate truly random passwords and save them encrypted using your public key (as separate `.gpg` files under `~/.password-store/`):
```
$ pass generate Dev/github 32
$ pass generate Social/hackernews 32
$ pass generate Social/twitter 32
$ pass generate VPS/linode 32
$ pass
Password Store
├── Dev
│   └── github
├── Social
│   ├── hackernews
│   └── twitter
└── VPS
└── linode
```
In order to paste them into the browser, you'd need to decrypt the password using your hardware device:
```
$ pass --clip VPS/linode
Copied VPS/linode to clipboard. Will clear in 45 seconds.
```
You can also use the following [Qt-based UI](https://qtpass.org/) for `pass`:
```
$ sudo apt install qtpass
$ GNUPGHOME=~/.gnupg/trezor qtpass
```