trezor-agent/trezor_agent/gpg
2016-06-06 23:02:14 +03:00
tests HACK: fixup tests 2016-06-02 22:25:44 +03:00
__init__.py gpg: pydocstyle fixes 2016-04-24 12:22:02 +03:00
__main__.py gpg: move agent main code to __main__ 2016-06-04 09:53:23 +03:00
agent.py gpg: use local version 2016-06-04 19:45:03 +03:00
decode.py gpg: add more UTs for decode 2016-05-27 21:52:00 +03:00
encode.py gpg: refactor create_* methods 2016-06-04 20:54:07 +03:00
keyring.py gpg: use local version 2016-06-04 19:45:03 +03:00
proto.py gpg: fix keygrip computation 2016-06-03 17:41:31 +03:00
README.md gpg: use "gpg2" for 'git config --local gpg.program' 2016-06-06 23:02:14 +03:00

Using TREZOR as hardware GPG agent

Generate a new GPG signing key:

First, verify that you have GPG 2.1+ installed:

$ gpg2 --version | head -n1
gpg (GnuPG) 2.1.11

Update your TREZOR firmware to the latest version (at least 5430c82): see a sample build log.

Install the latest development version of trezor-agent:

$ pip install git+https://github.com/romanz/trezor-agent.git@master

Define your GPG user ID as an environment variable:

$ export TREZOR_GPG_USER_ID="John Doe <john@doe.bit>"

There are two ways to generate TREZOR-based GPG public keys, as described below.

(1) create new GPG identity:

$ trezor-gpg create > identity.pub           # create new TREZOR-based GPG identity
$ gpg2 --import identity.pub                 # import into local GPG public keyring
$ gpg2 --list-keys                           # verify that the new identity is created correctly
$ gpg2 --edit-key "${TREZOR_GPG_USER_ID}" trust  # OPTIONAL: mark the key as trusted

[asciicast: creating a new TREZOR-based GPG identity]

(2) create a new subkey for an existing GPG identity:

$ gpg2 --list-keys "${TREZOR_GPG_USER_ID}"   # make sure this identity already exists
$ trezor-gpg create --subkey > identity.pub  # create new TREZOR-based GPG subkey
$ gpg2 --import identity.pub                 # append it to an existing identity
$ gpg2 --list-keys "${TREZOR_GPG_USER_ID}"   # verify that the new subkey is added to keyring

[image: subkey]

Generate GPG signatures using a TREZOR device:

$ trezor-gpg sign EXAMPLE                    # confirm signature using the device
$ gpg2 --verify EXAMPLE.asc                  # verify using standard GPG binary

[image: sign]

Git commit & tag signatures:

Git can use GPG to sign and verify commits and tags (see the Git documentation on signing):

$ git config --local gpg.program "gpg2"
$ git commit --gpg-sign                      # create GPG-signed commit
$ git log --show-signature -1                # verify commit signature
$ git tag --sign "TAG"                       # create GPG-signed tag
$ git verify-tag "TAG"                       # verify tag signature

[asciicast: signing a git commit and tag with TREZOR]
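The steps above assume GnuPG 2.1+, a TREZOR_GPG_USER_ID in the environment and git's gpg.program pointing at gpg2; the preflight script below checks those three prerequisites before any key is created or anything is signed. It is an added example, not part of trezor-agent, and the function names (gpg_version_ok, git_gpg_program_ok, preflight) are its own.

```shell
#!/bin/sh
# Preflight check for the TREZOR GPG setup (added example, not trezor-agent code).

# gpg_version_ok LINE
#   LINE is the first line of `gpg2 --version`, e.g. "gpg (GnuPG) 2.1.11".
#   Returns 0 if the reported version is at least 2.1, 1 otherwise.
gpg_version_ok() {
    version=${1##* }                  # last whitespace-separated field: "2.1.11"
    case "$version" in
        *.*) major=${version%%.*}; rest=${version#*.}; minor=${rest%%.*} ;;
        *)   major=$version; minor=0 ;;   # bare "3" means 3.0
    esac
    # Reject anything that is not purely numeric (missing gpg2, odd banners).
    for n in "$major" "$minor"; do
        case "$n" in ''|*[!0-9]*) return 1 ;; esac
    done
    if [ "$major" -gt 2 ]; then return 0; fi
    [ "$major" -eq 2 ] && [ "$minor" -ge 1 ]
}

# git_gpg_program_ok VALUE
#   VALUE is the output of `git config --local --get gpg.program`.
#   Returns 0 only for gpg2 (bare name or a path ending in /gpg2), so git
#   invokes the same GnuPG 2.1+ binary the TREZOR key was imported into.
git_gpg_program_ok() {
    [ "${1##*/}" = "gpg2" ]
}

# preflight: run the checks against the live system; stops at the first
# failed prerequisite and names the setup step to go back to.
preflight() {
    gpg_version_ok "$(gpg2 --version 2>/dev/null | head -n1)" \
        || { echo "need GnuPG 2.1+ (check: gpg2 --version)"; return 1; }
    [ -n "$TREZOR_GPG_USER_ID" ] \
        || { echo "export TREZOR_GPG_USER_ID first"; return 1; }
    git_gpg_program_ok "$(git config --local --get gpg.program 2>/dev/null)" \
        || { echo "run: git config --local gpg.program gpg2"; return 1; }
    echo "preflight OK for ${TREZOR_GPG_USER_ID}"
}
```

Source the file in the repository you intend to sign in and run `preflight`; a non-zero exit means one of the steps above has not been completed yet.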