trezor-agent/trezor_agent/gpg
2016-05-21 07:44:27 +03:00
..
__init__.py gpg: pydocstyle fixes 2016-04-24 12:22:02 +03:00
agent.py agent: raise explicit error when signature fails 2016-05-07 20:49:51 +03:00
decode.py gpg: handle ECDH keys 2016-05-12 22:15:05 +03:00
encode.py gpg: no visual challenge 2016-05-21 07:44:27 +03:00
proto.py gpg: handle multiple packets 2016-04-30 21:07:19 +03:00
README.md gpg: update required firmware version 2016-05-08 21:19:28 +03:00
signer.py gpg: use environment variable for user_id 2016-05-07 09:41:58 +03:00
trezor-git-gpg-wrapper.sh gpg: use environment variable for user_id 2016-05-07 09:41:58 +03:00

Using TREZOR as hardware GPG agent

Generate new GPG signing key:

First, verify that you have GPG 2.1+ installed:

$ gpg2 --version | head -n1
gpg (GnuPG) 2.1.11

Update you TREZOR firmware to the latest version (at least 5430c82): see a sample build log.

Install the latest development version of trezor-agent:

$ pip install git+https://github.com/romanz/trezor-agent.git@master

Define your GPG user ID as an environment variable:

$ export TREZOR_GPG_USER_ID="John Doe <john@doe.bit>"

There are two ways to generate TREZOR-based GPG public keys, as described below.

(1) create new GPG identity:

$ trezor-gpg create > identity.pub           # create new TREZOR-based GPG identity
$ gpg2 --import identity.pub                 # import into local GPG public keyring
$ gpg2 --list-keys                           # verify that the new identity is created correctly
$ gpg2 --edit "${TREZOR_GPG_USER_ID}" trust  # OPTIONAL: mark the key as trusted

asciicast

(2) create new subkey for an existing GPG identity:

$ gpg2 --list-keys "${TREZOR_GPG_USER_ID}"   # make sure this identity already exists
$ trezor-gpg create --subkey > identity.pub  # create new TREZOR-based GPG subkey
$ gpg2 --import identity.pub                 # append it to an existing identity
$ gpg2 --list-keys "${TREZOR_GPG_USER_ID}"   # verify that the new subkey is added to keyring

subkey

Generate GPG signatures using a TREZOR device:

$ trezor-gpg sign EXAMPLE                    # confirm signature using the device
$ gpg2 --verify EXAMPLE.asc                  # verify using standard GPG binary

sign

Git commit & tag signatures:

Git can use GPG to sign and verify commits and tags (see here):

$ git config --local gpg.program "trezor-git-gpg-wrapper.sh"
$ git commit --gpg-sign                      # create GPG-signed commit
$ git log --show-signature -1                # verify commit signature
$ git tag --sign "TAG"                       # create GPG-signed tag
$ git verify-tag "TAG"                       # verify tag signature

asciicast