lili/amodem
1
0
Fork 0
mirror of https://github.com/romanz/amodem.git synced 2026-05-03 08:27:26 +08:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: lili:v0.9.4
Branches Tags
lili:master lili:ci lili:fix-division
lili:v1.16.0 lili:v1.15.6 lili:v1.15.5 lili:v0.14.8 lili:v0.14.7 lili:v1.15.4 lili:v0.14.6 lili:v0.14.5 lili:v0.14.4 lili:v0.14.3 lili:v1.15.3 lili:v1.15.2 lili:v0.14.2 lili:v1.15.1 lili:v0.14.1 lili:v0.14.0 lili:v0.13.1 lili:v0.13.0 lili:v0.12.1 lili:v1.15.0 lili:v0.12.0 lili:v0.11.3 lili:v0.11.2 lili:v0.11.1 lili:v0.11.0 lili:v1.14.0 lili:v0.10.0 lili:v1.13.1 lili:v0.9.8 lili:v0.9.7 lili:v0.9.6 lili:v0.9.5 lili:v0.9.4 lili:v0.9.3 lili:v0.9.2 lili:v0.9.1 lili:v0.9.0 lili:v0.8.3 lili:v0.8.1 lili:v0.8.2 lili:v0.8.0 lili:v0.7.6 lili:v0.7.5 lili:v0.7.4 lili:v0.7.3 lili:v0.7.2 lili:v0.6.6 lili:v0.7.0 lili:v0.7.1 lili:v0.6.5 lili:v0.6.4 lili:v0.6.3 lili:v0.6.2 lili:v0.6.1 lili:v0.6 lili:v0.5.1 lili:v0.5.0 lili:v1.13 lili:v0.4.2 lili:v0.4.1 lili:v0.4 lili:v1.12 lili:v0.3 lili:v1.11 lili:v0.2 lili:v0.1 lili:v1.10 lili:v1.9 lili:v1.8 lili:v1.7 lili:v1.6 lili:v1.5 lili:v1.4 lili:v1.3 lili:v1.2 lili:v1.1 lili:v1.0
...
compare: lili:v0.10.0
Branches Tags
lili:master lili:ci lili:fix-division
lili:v1.16.0 lili:v1.15.6 lili:v1.15.5 lili:v0.14.8 lili:v0.14.7 lili:v1.15.4 lili:v0.14.6 lili:v0.14.5 lili:v0.14.4 lili:v0.14.3 lili:v1.15.3 lili:v1.15.2 lili:v0.14.2 lili:v1.15.1 lili:v0.14.1 lili:v0.14.0 lili:v0.13.1 lili:v0.13.0 lili:v0.12.1 lili:v1.15.0 lili:v0.12.0 lili:v0.11.3 lili:v0.11.2 lili:v0.11.1 lili:v0.11.0 lili:v1.14.0 lili:v0.10.0 lili:v1.13.1 lili:v0.9.8 lili:v0.9.7 lili:v0.9.6 lili:v0.9.5 lili:v0.9.4 lili:v0.9.3 lili:v0.9.2 lili:v0.9.1 lili:v0.9.0 lili:v0.8.3 lili:v0.8.1 lili:v0.8.2 lili:v0.8.0 lili:v0.7.6 lili:v0.7.5 lili:v0.7.4 lili:v0.7.3 lili:v0.7.2 lili:v0.6.6 lili:v0.7.0 lili:v0.7.1 lili:v0.6.5 lili:v0.6.4 lili:v0.6.3 lili:v0.6.2 lili:v0.6.1 lili:v0.6 lili:v0.5.1 lili:v0.5.0 lili:v1.13 lili:v0.4.2 lili:v0.4.1 lili:v0.4 lili:v1.12 lili:v0.3 lili:v1.11 lili:v0.2 lili:v0.1 lili:v1.10 lili:v1.9 lili:v1.8 lili:v1.7 lili:v1.6 lili:v1.5 lili:v1.4 lili:v1.3 lili:v1.2 lili:v1.1 lili:v1.0

117 Commits
v0.9.4 ... v0.10.0

Author SHA1 Message Date
Roman Zeyde
a1047ba7b1 Bump version: 0.9.8 → 0.10.0 2018-03-03 21:02:10 +02:00
Roman Zeyde
e90bd0cd81 trezor: refactor transport enumeration a bit 2018-03-03 20:22:22 +02:00
slush
66e3e60370 trezor: Use composite transport for device detection. 2018-03-03 01:25:19 +01:00
slush
3f1604d609 Use Python3 by default 2018-03-03 01:24:08 +01:00
slush
d0f4cccfd2 trezor: Both Trezor One and Model T are supported. 2018-03-03 01:23:35 +01:00
Roman Zeyde
08d81c992c trezor: split pinentry tool into a separate file 2018-02-27 11:17:53 +02:00
Roman Zeyde
55a899f929 trezor: initialize cached_passphrase_ack with None (instead of 0) 2018-02-27 10:33:19 +02:00
Roman Zeyde
e7604dff68 ssh: fix small commandline documentation nits 2018-02-27 09:53:37 +02:00
rendaw
8849545700 Clarify a couple sentences 2018-02-27 03:00:16 +09:00
rendaw
d109cd73b5 Adjust ssh systemd instructions; cleanup 2018-02-27 02:48:23 +09:00
rendaw
95e98d6eda Merge remote-tracking branch 'upstream/master' into doc-enhancements2 2018-02-27 02:30:00 +09:00
rendaw
9e78d52721 SSH clarification 2018-02-27 02:29:54 +09:00
Roman Zeyde
2a76ef6819 gpg: notice encryption of gpg-agent logs (for privacy) 2018-02-24 23:49:35 +02:00
Roman Zeyde
654a3c465a Merge remote-tracking branch 'rendaw/systemd-instructions' 2018-02-24 21:35:30 +02:00
Roman Zeyde
2168115b06 ssh: fixup small refactoring bug 2018-02-24 21:23:47 +02:00
Roman Zeyde
4a9140c42d Merge branch 'serge' 2018-02-24 21:07:42 +02:00
Roman Zeyde
b20d98bf57 gpg: move socket path generation into a helper function 2018-02-24 21:03:30 +02:00
Roman Zeyde
199fb299c3 gpg: use 'sys.exit' and log homedir 2018-02-24 20:46:04 +02:00
rendaw
06e169f141 Add instructions for using SSH agent as systemd unit 2018-02-24 03:08:46 +09:00
rendaw
131111bc0e Add additional information to docs; collect and reorganize sections 2018-02-23 20:55:46 +09:00
Roman Zeyde
f4208009e0 trezor: init_device before failing PIN/passphrase entry 2018-02-22 11:19:26 +02:00
Roman Zeyde
73d60dbec0 gpg: cache the passphrase for better UX 2018-02-21 11:35:38 +02:00
Roman Zeyde
34ea224290 gpg: the scripts should be only user-readable 2018-02-20 21:21:45 +02:00
Roman Zeyde
7803026f61 gpg: allow setting passphrase from environment variable 
as done by TREZOR's client library
 2018-02-20 09:59:15 +02:00
Roman Zeyde
34ce1005fd build: add simple script for PyPI release 2018-02-19 15:12:01 +02:00
Roman Zeyde
8677c8ebaa trezor_agent: fix broken PyPI package 2018-02-19 13:15:49 +02:00
Serge Pokhodyaev
6363eb0d4a add -f/--foreground option to run as systemd service 2018-02-18 21:08:36 +03:00
Serge Pokhodyaev
a32bfc749b don't overwrite homedir 2018-02-18 20:24:22 +03:00
Roman Zeyde
75d117ad0d Bump version: 0.9.7 → 0.9.8 2018-02-15 19:10:40 +02:00
Roman Zeyde
cefc5f180a ssh: add --sock-path flag to explicitly specify SSH agent's UNIX socket 2018-02-15 19:08:13 +02:00
Roman Zeyde
0f5c71b748 ssh: add --log-file flag 2018-02-15 18:50:50 +02:00
Roman Zeyde
d5f97b7efa Update README title 2018-02-15 15:15:16 +02:00
Roman Zeyde
4a12bfa0b7 Allow SSH agent to daemonize when invoked with -d flag 
This change adds the support for "eval `trezor-agent -d`" invocation.
 2018-02-15 15:10:34 +02:00
Roman Zeyde
cac889ff7d Update trezorlib dependency for trezor_agent 2018-02-15 14:27:29 +02:00
Roman Zeyde
92c6e680ed doc: add python-tk dependency 
Following #194
 2018-02-04 11:49:21 +02:00
Roman Zeyde
bf294beb56 gpg: decode stdout as UTF-8 2018-01-30 20:18:19 +02:00
Roman Zeyde
713345918e ssh: document sub-shell mode 2018-01-26 11:20:14 +02:00
Roman Zeyde
eb60c2f475 fix more pylint issues 2018-01-24 18:37:30 +02:00
Roman Zeyde
6d8d43db9b fix pylint issues 2018-01-22 21:24:16 +02:00
Roman Zeyde
3e67bc9f0e gpg: log GnuPG commands' output 2018-01-22 20:16:32 +02:00
Roman Zeyde
38b50485de ssh: remove old demo from README 2018-01-20 18:29:39 +02:00
Roman Zeyde
9cba27b31a Merge pull request #188 from eli-b/patch-2 
README-SSH.md: spelling
 2018-01-14 11:50:01 -08:00
Eli Boyarski
00a65a9820 README-SSH.md: spelling 2018-01-13 20:27:52 +02:00
Roman Zeyde
52ad601e66 Merge pull request #187 from eli-b/patch-1 
INSTALL.md: update the Ledger Nano S udev link
 2018-01-13 10:15:22 -08:00
Eli Boyarski
d96a2820ff INSTALL.md: update the Ledger Nano S udev link 2018-01-13 18:12:59 +02:00
Roman Zeyde
29aaf777ad Bump version: 0.9.6 → 0.9.7 2018-01-10 21:35:40 +02:00
Roman Zeyde
385fc9457b Support multiple devices 2018-01-05 20:53:42 +02:00
Jonathan Roelofs
9cf73f677a Show libagent version too 2018-01-01 23:05:37 +00:00
Jonathan Roelofs
ec97cd0c44 Implement #182 2017-12-29 09:23:06 -07:00
Jonathan Roelofs
4cd7dc02eb Fix an argparse nuance 
https://bugs.python.org/issue16308
 2017-12-29 08:54:31 -07:00
Roman Zeyde
8fe9460ed6 trezor: allow UDP connection (for emulator) 2017-12-23 16:59:12 +02:00
Roman Zeyde
db16aa3d1c trezor: update to latest trezorlib version 2017-12-23 16:51:37 +02:00
Roman Zeyde
41ccd2f332 fix new pylint warning 2017-12-22 17:10:27 +02:00
Roman Zeyde
cb14d1e00b Bump version: 0.9.5 → 0.9.6 2017-12-14 20:45:42 +02:00
Roman Zeyde
cc6ee31deb add .bumpversion.cfg 2017-12-14 20:36:00 +02:00
Roman Zeyde
b1f302151b tests: fix test_server.py 2017-12-13 21:12:29 +02:00
Roman Zeyde
fde50f04ab Merge branch 'config' 2017-12-08 21:50:22 +02:00
Roman Zeyde
7e42e455a1 gpg: add an example for adding new user ID 2017-12-06 20:31:10 +02:00
Roman Zeyde
13cd6be2d1 travis: pep8 -> pycodestyle 2017-12-03 21:53:42 +02:00
Roman Zeyde
40469c4100 tox: pep8 -> pycodestyle 2017-12-02 21:14:03 +02:00
Roman Zeyde
0d059587a7 ssh: allow configuration from a file 2017-12-02 21:04:57 +02:00
Roman Zeyde
283cb3d7e8 setup: add ConfigArgParse 2017-12-02 20:43:04 +02:00
Roman Zeyde
51cc716e3f Merge pull request #169 from dirkx/master 
Some background and designn rationale for the use of derived keys
 2017-11-25 09:20:31 +02:00
Roman Zeyde
8b4850b0ce Explain rationale better, several typos fixed, include warning about keepkey not yet supporting encryption/decryption. 2017-11-24 15:27:06 +01:00
Roman Zeyde
f22c07e970 trezor: retry in case of invalid PIN 2017-11-18 20:37:06 +02:00
Roman Zeyde
29c7234ef4 trezor: make sure scrambled PIN is valid 2017-11-18 17:06:23 +02:00
Roman Zeyde
1942e3999b ssh: fix exception type for missing device 2017-11-18 16:50:21 +02:00
Roman Zeyde
f2e52a88be ` -> ' 2017-11-16 23:04:12 +02:00
Roman Zeyde
b26a4cc7b0 A few small fixes 2017-11-16 23:01:30 +02:00
Roman Zeyde
c4dfca04f2 trezor: use UI-based passphrase entry 
Now TREZOR_PASSPHRASE environment variable is ignored.
 2017-11-16 22:36:19 +02:00
Roman Zeyde
a1ecbf447e gpg: return correct keygrip for KEYINFO assuan command 2017-11-16 22:36:17 +02:00
Roman Zeyde
1f9d457e92 gpg: no need to remove the UNIX socket 
Our agent should be invoked and re-used when running 'gpg --import'.
 2017-11-16 21:53:38 +02:00
Roman Zeyde
cb3477fc69 Merge branch 'which-fix' 2017-11-16 21:04:12 +02:00
Roman Zeyde
9bbc66cc16 util: add backport for shutil.which() 2017-11-16 20:59:58 +02:00
Roman Zeyde
06afc971db Merge pull request #166 from aitorpazos/master 
doc: Include python3 support in OpenSUSE instructions
 2017-11-15 13:11:29 -08:00
Dirk-Willem van Gulik
2b51a85c26 Rework order of paragraphs for clarity II 2017-11-15 19:57:09 +01:00
Dirk-Willem van Gulik
1906e6d9b0 Rework order of paragraphs for clarity. 2017-11-15 19:56:10 +01:00
Dirk-Willem van Gulik
b3f6e39b48 First cut at a design rationale 2017-11-15 19:53:23 +01:00
Aitor Pazos
8b03b649d5 doc: Include python3 support in OpenSUSE instructions 2017-11-12 20:16:34 +00:00
Roman Zeyde
90cbc41b17 gpg: refactor messagebox UI from PIN entry 2017-11-11 11:16:31 +02:00
Roman Zeyde
4926d4f4d3 gpg: set PATH explicitly for $DEVICE-gpg-agent 2017-11-09 22:13:28 +02:00
Roman Zeyde
d52f295326 gpg: use shutil.which() for Python 3 2017-11-04 17:48:00 +02:00
Max Pixel
47a8a53247 Add OpenSUSE-specific installation instructions 
The packages required are slightly different on OpenSUSE.
 2017-11-04 17:45:57 +02:00
Roman Zeyde
9530c4d7db gpg: use gpgconf for getting gpg binary path 2017-11-03 10:52:27 +02:00
Roman Zeyde
a2d0c1067d gpg: don't hardcode Python binary 2017-10-27 11:27:40 +03:00
Roman Zeyde
3d5717dca1 gpg: use a separate process for PIN entrering UI 2017-10-27 10:43:50 +03:00
Roman Zeyde
08fef24e39 gpg: use pymsgbox for PIN entrering UI 2017-10-21 21:18:00 +03:00
Roman Zeyde
bab46dae5c gpg-agent: use correct GNUPGHOME when getting public keys 2017-10-21 20:49:27 +03:00
Roman Zeyde
e2625cc521 gpg: fail if no public keys are found 2017-10-21 19:16:48 +03:00
Roman Zeyde
7ed76fe472 gpg: use correct GNUPGHOME for gpgconf 2017-10-21 18:46:04 +03:00
Roman Zeyde
a5929eed62 gpg: create config files first 2017-10-21 18:21:38 +03:00
Roman Zeyde
5f722f8ae1 logging: add more DEBUG information 2017-10-21 18:08:40 +03:00
Roman Zeyde
7212b2fa37 Merge pull request #156 from codeHatcher/feature/155 
add documentation related to #155 to help other macOS/OSX users who are
 2017-10-18 01:57:51 -07:00
Avishaan
55e1c614a7 add documentation related to #155 to help other macOS/OSX users who are 
still using system python
 2017-10-17 15:37:11 -04:00
Roman Zeyde
8cf1f0463a device: release HID handle before failing 2017-10-14 17:34:02 +03:00
Roman Zeyde
f177b0b55a bump version 2017-10-11 21:44:53 +03:00
Roman Zeyde
b2450d448c Merge branch 'gpg-init' 2017-10-11 21:43:30 +03:00
Roman Zeyde
93e5f0cd8b gpg: update README for latest CLI 2017-10-11 21:40:05 +03:00
Roman Zeyde
9998456fe0 ledger: add DEBUG logging 2017-10-11 21:15:44 +03:00
Roman Zeyde
0f85ae6e2c Rewrite gpg-init Bash script in Python 2017-10-11 20:26:06 +03:00
Roman Zeyde
44cdeed024 Merge branch 'fix-gpg-prefs' 2017-10-10 20:46:44 +03:00
Roman Zeyde
867e2cfd1b gpg: add MDC support 2017-10-10 20:43:45 +03:00
Roman Zeyde
df6ddab2cf gpg: add compression and stronger digests 2017-10-10 20:43:45 +03:00
Roman Zeyde
5b9f03d198 gpg: show warnings while importing new pubkey 2017-10-10 20:29:31 +03:00
Roman Zeyde
06ea890095 gpg: add note regarding Pinentry 2017-10-10 15:10:56 +03:00
Roman Zeyde
0999a85529 gpg: add documentation for subkey generation 2017-10-10 14:20:17 +03:00
Roman Zeyde
835f283ccf gpg: support multiple keygrips for HAVEKEY command 2017-10-10 13:40:59 +03:00
Roman Zeyde
f57dbb553f gpg: allow setting trezor-gpg arguments via gpg-init script 2017-10-10 13:20:25 +03:00
Roman Zeyde
a890dcc085 gpg: add MDC support 2017-10-10 11:56:25 +03:00
Roman Zeyde
c8ed4a223a gpg: add compression and stronger digests 2017-10-10 11:56:23 +03:00
Roman Zeyde
1ef96bed03 gpg: handle NOP assuan command 2017-10-10 10:04:43 +03:00
Roman Zeyde
e4fdca08e5 ssh: fix identity stringification 2017-10-09 16:24:11 +03:00
Roman Zeyde
51b297e93b doc: add Enigmail tutorial 2017-10-09 10:02:09 +03:00
Roman Zeyde
c22c959cf9 doc: move READMEs to separate directory 2017-10-09 09:37:22 +03:00
Roman Zeyde
3199cb964a Merge branch 'timestamplookup' 2017-10-09 09:34:59 +03:00
Roman Zeyde
c5f245957d README: add spaces around '|' operators 2017-10-09 09:33:09 +03:00
Chris Cowan
fbb3059a0b README: Add a note about how to fetch a key's timestamp. 2017-10-08 17:58:21 -07:00
35 changed files with 1089 additions and 520 deletions
Expand all files Collapse all files

7
.bumpversion.cfg Normal file
View File

@@ -0,0 +1,7 @@
[bumpversion]
commit = True
tag = True
current_version = 0.10.0
[bumpversion:file:setup.py]

3
.pylintrc
View File

@@ -1,2 +1,5 @@
[MESSAGES CONTROL]
disable=invalid-name, missing-docstring, locally-disabled, unbalanced-tuple-unpacking,no-else-return
[SIMILARITIES]
min-similarity-lines=5

6
.travis.yml
View File

@@ -13,13 +13,13 @@ cache:
before_install:
- pip install -U pip wheel
- pip install -U setuptools
- pip install -U pylint coverage pep8 pydocstyle
- pip install -U pylint coverage pycodestyle pydocstyle
install:
- pip install -e .
- pip install -U -e .
script:
- pep8 libagent
- pycodestyle libagent
- pylint --reports=no --rcfile .pylintrc libagent
- pydocstyle libagent
- coverage run --source libagent/ -m py.test -v

70
INSTALL.md
View File

@@ -1,70 +0,0 @@
# Installation
Install the following packages (depending on your distribution):
### Debian
$ apt update && apt upgrade
$ apt install python-pip python-dev libusb-1.0-0-dev libudev-dev
### Fedora/RedHat
$ yum update
$ yum install python-pip python-devel libusb-devel libudev-devel \
gcc redhat-rpm-config
Also, update Python packages before starting the installation:
$ pip install -U setuptools pip
Make sure you are running the latest firmware version on your hardware device.
Currently the following firmware versions are supported:
* [TREZOR](https://wallet.trezor.io/data/firmware/releases.json): `1.4.2+`
* [KeepKey](https://github.com/keepkey/keepkey-firmware/releases): `3.0.17+`
* [Ledger Nano S](https://github.com/LedgerHQ/blue-app-ssh-agent): `0.0.3+` (install [SSH/PGP Agent](https://www.ledgerwallet.com/images/apps/chrome-mngr-apps.png) app)
## TREZOR
Make sure that your `udev` rules are configured [correctly](https://doc.satoshilabs.com/trezor-user/settingupchromeonlinux.html#manual-configuration-of-udev-rules).
Then, install the latest [trezor_agent](https://pypi.python.org/pypi/trezor_agent) package:
$ pip install trezor_agent
Or, directly from the latest source code:
$ git clone https://github.com/romanz/trezor-agent
$ pip install --user -e trezor-agent/agents/trezor
## KeepKey
Make sure that your `udev` rules are configured [correctly](https://support.keepkey.com/support/solutions/articles/6000037796-keepkey-wallet-is-not-being-recognized-by-linux).
Then, install the latest [keepkey_agent](https://pypi.python.org/pypi/keepkey_agent) package:
$ pip install keepkey_agent
Or, directly from the latest source code:
$ git clone https://github.com/romanz/trezor-agent
$ pip install --user -e trezor-agent/agents/keepkey
## Ledger Nano S
Make sure that your `udev` rules are configured [correctly](http://support.ledgerwallet.com/knowledge_base/topics/ledger-wallet-is-not-recognized-on-linux).
Then, install the latest [ledger_agent](https://pypi.python.org/pypi/ledger_agent) package:
$ pip install ledger_agent
Or, directly from the latest source code:
$ git clone https://github.com/romanz/trezor-agent
$ pip install --user -e trezor-agent/agents/ledger
## Troubleshooting
If there is an import problem with the installed `protobuf` package,
see [this issue](https://github.com/romanz/trezor-agent/issues/28) for fixing it.
If you can't find the command-line utilities (after running `pip install --user`),
please make sure that `~/.local/bin` is on your `PATH` variable
(see a [relevant](https://github.com/pypa/pip/issues/3813) issue).

105
README-GPG.md
View File

@@ -1,105 +0,0 @@
Note: the GPG-related code is still under development, so please try the current implementation
and please let me [know](https://github.com/romanz/trezor-agent/issues/new) if something doesn't
work well for you. If possible:
* record the session (e.g. using [asciinema](https://asciinema.org))
* attach the GPG agent log from `~/.gnupg/{trezor,ledger}/gpg-agent.log`
Thanks!
# Installation
First, verify that you have GPG 2.1.11+ installed
([Debian](https://gist.github.com/vt0r/a2f8c0bcb1400131ff51),
[macOS](https://sourceforge.net/p/gpgosx/docu/Download/)):
```
$ gpg2 --version | head -n1
gpg (GnuPG) 2.1.15
```
This GPG version is included in [Ubuntu 16.04](https://launchpad.net/ubuntu/+source/gnupg2)
and [Linux Mint 18](https://community.linuxmint.com/software/view/gnupg2).
Update you device firmware to the latest version and install your specific `agent` package:
```
$ pip install --user (trezor|keepkey|ledger)_agent
```
# Quickstart
## Identity creation
[![asciicast](https://asciinema.org/a/90416.png)](https://asciinema.org/a/90416)
In order to use specific device type for GPG indentity creation, use either command:
```
$ DEVICE=(trezor,ledger) ./scripts/gpg-init "John Doe <john@doe.bit>"
```
## Sample usage (signature and decryption)
[![asciicast](https://asciinema.org/a/120441.png)](https://asciinema.org/a/120441)
In order to use specific device type for GPG operations, set the following environment variable to either:
```
$ export GNUPGHOME=~/.gnupg/{trezor,ledger}
```
You can use GNU Privacy Assistant (GPA) in order to inspect the created keys
and perform signature and decryption operations using:
```
$ sudo apt install gpa
$ GNUPGHOME=~/.gnupg/trezor gpa
```
[![GPA](https://cloud.githubusercontent.com/assets/9900/20224804/053d7474-a849-11e6-87f3-ab07dc536158.png)](https://www.gnupg.org/related_software/swlist.html#gpa)
## Git commit & tag signatures:
Git can use GPG to sign and verify commits and tags (see [here](https://git-scm.com/book/en/v2/Git-Tools-Signing-Your-Work)):
```
$ git config --local commit.gpgsign 1
$ git config --local gpg.program $(which gpg2)
$ git commit --gpg-sign # create GPG-signed commit
$ git log --show-signature -1 # verify commit signature
$ git tag v1.2.3 --sign # create GPG-signed tag
$ git tag v1.2.3 --verify # verify tag signature
```
## Password manager
First install `pass` from [passwordstore.org](https://www.passwordstore.org/) and initialize it to use your TREZOR-based GPG identity:
```
$ export GNUPGHOME=~/.gnupg/trezor
$ pass init "Roman Zeyde <roman.zeyde@gmail.com>"
Password store initialized for Roman Zeyde <roman.zeyde@gmail.com>
```
Then, you can generate truly random passwords and save them encrypted using your public key (as separate `.gpg` files under `~/.password-store/`):
```
$ pass generate Dev/github 32
$ pass generate Social/hackernews 32
$ pass generate Social/twitter 32
$ pass generate VPS/linode 32
$ pass
Password Store
├── Dev
│   └── github
├── Social
│   ├── hackernews
│   └── twitter
└── VPS
└── linode
```
In order to paste them into the browser, you'd need to decrypt the password using your hardware device:
```
$ pass --clip VPS/linode
Copied VPS/linode to clipboard. Will clear in 45 seconds.
```
You can also use the following [Qt-based UI](https://qtpass.org/) for `pass`:
```
$ sudo apt install qtpass
$ GNUPGHOME=~/.gnupg/trezor qtpass
```
## Re-generation of an existing GPG identity
[![asciicast](https://asciinema.org/a/M4lRjEmGJ2RreQiHBGWT9pzp4.png)](https://asciinema.org/a/M4lRjEmGJ2RreQiHBGWT9pzp4)

87
README-SSH.md
View File

@@ -1,87 +0,0 @@
# Screencast demo usage
## Simple usage (single SSH session)
[![Demo](https://asciinema.org/a/22959.png)](https://asciinema.org/a/22959)
## Advanced usage (multiple SSH sessions from a sub-shell)
[![Subshell](https://asciinema.org/a/33240.png)](https://asciinema.org/a/33240)
## Using for GitHub SSH authentication (via `trezor-git` utility)
[![GitHub](https://asciinema.org/a/38337.png)](https://asciinema.org/a/38337)
## Loading multiple SSH identities from configuration file
[![Config](https://asciinema.org/a/bdxxtgctk5syu56yfz8lcp7ny.png)](https://asciinema.org/a/bdxxtgctk5syu56yfz8lcp7ny)
# Public key generation
Run:
/tmp $ trezor-agent user@ssh.hostname.com -v > hostname.pub
2015-09-02 15:03:18,929 INFO getting "ssh://user@ssh.hostname.com" public key from Trezor...
2015-09-02 15:03:23,342 INFO disconnected from Trezor
/tmp $ cat hostname.pub
ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBGSevcDwmT+QaZPUEWUUjTeZRBICChxMKuJ7dRpBSF8+qt+8S1GBK5Zj8Xicc8SHG/SE/EXKUL2UU3kcUzE7ADQ= ssh://user@ssh.hostname.com
Append `hostname.pub` contents to `/home/user/.ssh/authorized_keys`
configuration file at `ssh.hostname.com`, so the remote server
would allow you to login using the corresponding private key signature.
# Usage
Run:
/tmp $ trezor-agent user@ssh.hostname.com -v -c
2015-09-02 15:09:39,782 INFO getting "ssh://user@ssh.hostname.com" public key from Trezor...
2015-09-02 15:09:44,430 INFO please confirm user "roman" login to "ssh://user@ssh.hostname.com" using Trezor...
2015-09-02 15:09:46,152 INFO signature status: OK
Linux lmde 3.16.0-4-amd64 #1 SMP Debian 3.16.7-ckt11-1+deb8u3 (2015-08-04) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue Sep 1 15:57:05 2015 from localhost
~ $
Make sure to confirm SSH signature on the Trezor device when requested.
## Accessing remote Git/Mercurial repositories
Use your SSH public key to access your remote repository (e.g. [GitHub](https://help.github.com/articles/adding-a-new-ssh-key-to-your-github-account/)):
$ trezor-agent -v -e ed25519 git@github.com | xclip
Use the following Bash alias for convinient Git operations:
$ alias git_hub='trezor-agent -v -e ed25519 git@github.com -- git'
Replace `git` with `git_hub` for remote operations:
$ git_hub push origin master
The same works for Mercurial (e.g. on [BitBucket](https://confluence.atlassian.com/bitbucket/set-up-ssh-for-mercurial-728138122.html)):
$ trezor-agent -v -e ed25519 git@bitbucket.org -- hg push
# Troubleshooting
If SSH connection fails to work, please open an [issue](https://github.com/romanz/trezor-agent/issues)
with a verbose log attached (by running `trezor-agent -vv`) .
## Incompatible SSH options
Note that your local SSH configuration may ignore `trezor-agent`, if it has `IdentitiesOnly` option set to `yes`.
IdentitiesOnly
Specifies that ssh(1) should only use the authentication identity files configured in
the ssh_config files, even if ssh-agent(1) or a PKCS11Provider offers more identities.
The argument to this keyword must be “yes” or “no”.
This option is intended for situations where ssh-agent offers many different identities.
The default is “no”.
If you are failing to connect, try running:
$ trezor-agent -vv user@host -- ssh -vv -oIdentitiesOnly=no user@host

22
README.md
View File

@@ -1,25 +1,25 @@
# Using TREZOR as a hardware SSH/GPG agent
# Hardware-based SSH/GPG agent
[![Build Status](https://travis-ci.org/romanz/trezor-agent.svg?branch=master)](https://travis-ci.org/romanz/trezor-agent)
[![Chat](https://badges.gitter.im/romanz/trezor-agent.svg)](https://gitter.im/romanz/trezor-agent)
This project allows you to use various hardware security devices to operate GPG and SSH. Instead of keeping your key on your computer and decrypting it with a passphrase when you want to use it, the key is generated and stored on the device and never reaches your computer. Read more about the design [here](doc/DESIGN.md).
You can do things like sign your emails, git commits, and software packages, manage your passwords (with [pass](https://www.passwordstore.org/) and [gopass](https://www.justwatch.com/gopass/), among others), authenticate web tunnels and file transfers, and more.
See SatoshiLabs' blog posts about this feature:
- [TREZOR Firmware 1.3.4 enables SSH login](https://medium.com/@satoshilabs/trezor-firmware-1-3-4-enables-ssh-login-86a622d7e609)
- [TREZOR Firmware 1.3.6GPG Signing, SSH Login Updates and Advanced Transaction Features for Segwit](https://medium.com/@satoshilabs/trezor-firmware-1-3-6-20a7df6e692)
- [TREZOR Firmware 1.4.0GPG decryption support](https://www.reddit.com/r/TREZOR/comments/50h8r9/new_trezor_firmware_fidou2f_and_initial_ethereum/d7420q7/)
## Installation
Currently [TREZOR One](https://trezor.io/), [TREZOR Model T](https://trezor.io/), [Keepkey](https://www.keepkey.com/), and [Ledger Nano S](https://www.ledgerwallet.com/products/ledger-nano-s) are supported.
See the [following instructions](INSTALL.md) for the
[TREZOR](https://trezor.io/), [Keepkey](https://www.keepkey.com/) and
[Ledger Nano S](https://www.ledgerwallet.com/products/ledger-nano-s) devices.
## Documentation
## Usage
* **Installation** instructions are [here](doc/INSTALL.md)
* **SSH** instructions and common use cases are [here](doc/README-SSH.md)
For SSH, see the [following instructions](README-SSH.md) (for Windows support,
see [trezor-ssh-agent](https://github.com/martin-lizner/trezor-ssh-agent) project by Martin Lízner).
Note: If you're using Windows, see [trezor-ssh-agent](https://github.com/martin-lizner/trezor-ssh-agent) by Martin Lízner.
For GPG, see the [following instructions](README-GPG.md).
See [here](https://github.com/romanz/python-trezor#pin-entering) for PIN entering instructions.
* **GPG** instructions and common use cases are [here](doc/README-GPG.md)

4
agents/trezor/setup.py
View File

@@ -3,7 +3,7 @@ from setuptools import setup
setup(
name='trezor_agent',
version='0.9.0',
version='0.9.2',
description='Using Trezor as hardware SSH/GPG agent',
author='Roman Zeyde',
author_email='roman.zeyde@gmail.com',
@@ -11,7 +11,7 @@ setup(
scripts=['trezor_agent.py'],
install_requires=[
'libagent>=0.9.0',
'trezor>=0.7.6'
'trezor>=0.9.0'
],
platforms=['POSIX'],
classifiers=[

51
doc/DESIGN.md Normal file
View File

@@ -0,0 +1,51 @@
# Design
Most cryptographic tools (such as gpg, ssh and openssl) allow the offloading of some key cryptographic steps to *engines* or *agents*. This is to allow sensitive operations, such as asking for a password or doing the actual encryption step, to be kept separate from the larger body of code. This makes it easier to secure those steps, move them onto hardware or easier to audit.
SSH and GPG do this by means of a simple interprocess communication protocol (usually a unix domain socket) and an agent (`ssh-agent`) or GPG key daemon (`gpg-agent`). The `trezor-agent` mimics these two protocols.
These two agents make the connection between the front end (e.g. a `gpg --sign` command, or an `ssh user@fqdn`). And then they wait for a request from the 'front end', and then do the actual asking for a password and subsequent using the private key to sign or decrypt something.
The various hardware wallets (Trezor, KeepKey and Ledger) each have the ability (as of Firmware 1.3.4) to use the NIST P-256 elliptic curve to sign, encrypt or decrypt. This curve can be used with S/MIME, GPG and SSH.
So when you `ssh` to a machine - rather than consult the normal ssh-agent (which in turn will use your private SSH key in files such as `~/.ssh/id_rsa`) -- the trezor-agent will aks your hardware wallet to use its private key to sign the challenge.
## Key Naming
`trezor-agent` goes to great length to avoid using the valuable parent key.
The rationale behind this is that `trezor-agent` is to some extent condemned to *blindly* signing any NONCE given to it (e.g. as part of a challenge respone, or as the hash/hmac of someting to sign).
And doing so with the master private key is risky - as rogue (ssh) server could possibly provide a doctored NONCE that happens to be tied to a transaction or something else.
It therefore uses only derived child keys pairs instead (according to the [BIP-0032: Hierarchical Deterministic Wallets][1] system) - and ones on different leafs. So the parent key is only used within the device for creating the child keys - and not exposed in any way to `trezor-agent`.
### SSH
It is common for SSH users to use one (or a few) private keys with SSH on all servers they log into. The `trezor-agent` is slightly more cautious and derives a child key that is *unique* to the server and username you are logging into from your master private key on the device.
So taking a commmand such as:
$ trezor-agent -c user@fqdn.com
The `trezor-agent` will take the `user`@`fqdn.com`; canonicalise it (e.g. to add the ssh default port number if none was specified) and then apply some simple hashing (See [SLIP-0013 : Authentication using deterministic hierarchy][2]). The resulting 128bit hash is then used to construct a lead 'HD node' that contains an extened public private *child* key.
This way they keypair is specific to the server/hostname/port and protocol combination used. And it is this private key that is used to sign the nonce passed by the SSH server (as opposed to the master key).
The `trezor-agent` then instructs SSH to connect to the server. It will then engage in the normal challenge response process, ask the hardware wallet to blindly sign any nonce flashed by the server with the derived child private key and return this to the server. It then hands over to normal SSH for the rest of the logged in session.
### GPG
GPG uses much the same approach as SSH, expect in this it relies on [SLIP-0017 : ECDH using deterministic hierarchy][3] for the mapping to an ECDH key and it maps these to the normal GPG child key infrastructure.
Note: Keepkey does not support en-/de-cryption at this time.
### Index
The canonicalisation process ([SLIP-0013][2] and [SLIP-0017][3]) of an email address or ssh address allows for the mixing in of an extra 'index' - a unsigned 32 bit number. This allows one to have multiple, different keys, for the same address.
This feature is currently not used -- it is set to '0'. This may change in the future.
[1]: https://github.com/bitcoin/bips/blob/master/bip-0032.mediawiki
[2]: https://github.com/satoshilabs/slips/blob/master/slip-0013.md
[3]: https://github.com/satoshilabs/slips/blob/master/slip-0017.md

119
doc/INSTALL.md Normal file
View File

@@ -0,0 +1,119 @@
# Installation
## 1. Prerequisites
Install the following packages (depending on your distribution):
### OS dependencies
This software needs Python, libusb, and libudev along with development files.
You can install them on these distributions as follows:
##### Debian
$ apt-get install python3-pip python3-dev python3-tk libusb-1.0-0-dev libudev-dev
##### Fedora/RedHat
$ yum install python3-pip python3-devel python3-tk libusb-devel libudev-devel \
gcc redhat-rpm-config
##### OpenSUSE
$ zypper install python-pip python-devel python-tk libusb-1_0-devel libudev-devel
If you are using python3 or your system `pip` command points to `pip3.x`
(`/etc/alternatives/pip -> /usr/bin/pip3.6`) you will need to install these
dependencies instead:
$ zypper install python3-pip python3-devel python3-tk libusb-1_0-devel libudev-devel
### GPG
If you intend to use GPG make sure you have GPG installed and up to date. This software requires a GPG version >= 2.1.11.
You can verify your installed version by running:
```
$ gpg2 --version | head -n1
gpg (GnuPG) 2.1.15
```
* Follow this installation guide for [Debian](https://gist.github.com/vt0r/a2f8c0bcb1400131ff51)
* Install GPG for [macOS](https://sourceforge.net/p/gpgosx/docu/Download/)
* Install packages for Ubuntu 16.04 [here](https://launchpad.net/ubuntu/+source/gnupg2)
* Install packages for Linux Mint 18 [here](https://community.linuxmint.com/software/view/gnupg2)
# 2. Install the TREZOR agent
1. Make sure you are running the latest firmware version on your Trezor:
* [TREZOR firmware releases](https://wallet.trezor.io/data/firmware/releases.json): `1.4.2+`
2. Make sure that your `udev` rules are configured [correctly](https://doc.satoshilabs.com/trezor-user/settingupchromeonlinux.html#manual-configuration-of-udev-rules).
3. Then, install the latest [trezor_agent](https://pypi.python.org/pypi/trezor_agent) package:
```
$ pip3 install trezor_agent
```
Or, directly from the latest source code:
```
$ git clone https://github.com/romanz/trezor-agent
$ pip3 install --user -e trezor-agent/agents/trezor
```
Read [these instructions](https://github.com/romanz/python-trezor#pin-entering) on how to enter your PIN with the PIN entry.
# 3. Install the KeepKey agent
1. Make sure you are running the latest firmware version on your KeepKey:
* [KeepKey firmware releases](https://github.com/keepkey/keepkey-firmware/releases): `3.0.17+`
2. Make sure that your `udev` rules are configured [correctly](https://support.keepkey.com/support/solutions/articles/6000037796-keepkey-wallet-is-not-being-recognized-by-linux).
Then, install the latest [keepkey_agent](https://pypi.python.org/pypi/keepkey_agent) package:
```
$ pip3 install keepkey_agent
```
Or, directly from the latest source code:
```
$ git clone https://github.com/romanz/trezor-agent
$ pip3 install --user -e trezor-agent/agents/keepkey
```
# 4. Install the Ledger Nano S agent
1. Make sure you are running the latest firmware version on your Ledger Nano S:
* [Ledger Nano S firmware releases](https://github.com/LedgerHQ/blue-app-ssh-agent): `0.0.3+` (install [SSH/PGP Agent](https://www.ledgerwallet.com/images/apps/chrome-mngr-apps.png) app)
2. Make sure that your `udev` rules are configured [correctly](https://ledger.zendesk.com/hc/en-us/articles/115005165269-What-if-Ledger-Wallet-is-not-recognized-on-Linux-).
3. Then, install the latest [ledger_agent](https://pypi.python.org/pypi/ledger_agent) package:
```
$ pip3 install ledger_agent
```
Or, directly from the latest source code:
```
$ git clone https://github.com/romanz/trezor-agent
$ pip3 install --user -e trezor-agent/agents/ledger
```
# 5. Installation Troubleshooting
If there is an import problem with the installed `protobuf` package,
see [this issue](https://github.com/romanz/trezor-agent/issues/28) for fixing it.
If you can't find the command-line utilities (after running `pip install --user`),
please make sure that `~/.local/bin` is on your `PATH` variable
(see a [relevant](https://github.com/pypa/pip/issues/3813) issue).
If you can't find command-line utilities and are on macOS/OSX check `~/Library/Python/2.7/bin` and add to `PATH` if necessary (see a [relevant](https://github.com/romanz/trezor-agent/issues/155) issue).

183
doc/README-GPG.md Normal file
View File

@@ -0,0 +1,183 @@
# GPG Agent
Note: the GPG-related code is still under development, so please try the current implementation
and please let me [know](https://github.com/romanz/trezor-agent/issues/new) if something doesn't
work well for you. If possible:
* record the session (e.g. using [asciinema](https://asciinema.org))
* attach the GPG agent log from `~/.gnupg/{trezor,ledger}/gpg-agent.log` (can be [encrypted](https://keybase.io/romanz))
Thanks!
## 1. Configuration
1. Initialize the agent GPG directory.
[![asciicast](https://asciinema.org/a/3iNw2L9QWB8R3EVdYdAxMOLK8.png)](https://asciinema.org/a/3iNw2L9QWB8R3EVdYdAxMOLK8)
Run
```
$ (trezor|keepkey|ledger)-gpg init "Roman Zeyde <roman.zeyde@gmail.com>"
```
Follow the instructions provided to complete the setup. Keep note of the timestamp value which you'll need if you want to regenerate the key later.
2. Add `export GNUPGHOME=~/.gnupg/(trezor|keepkey|ledger)` to your `.bashrc` or other environment file.
This `GNUPGHOME` contains your hardware keyring and agent settings. This agent software assumes all keys are backed by hardware devices so you can't use standard GPG keys in `GNUPGHOME` (if you do mix keys you'll receive an error when you attempt to use them).
If you wish to switch back to your software keys unset `GNUPGHOME`.
3. Log out and back into your session to ensure your environment is updated everywhere.
## 2. Usage
You can use any GPG commands or software that uses GPG as usual and will be prompted to interact with your hardware device as necessary. The agent is automatically started if it isn't running when you run any `gpg` command.
##### Restarting the agent
If you change settings or need to restart the agent for some other reason, simply kill it. It will restart the next time GPG is invoked.
## 3. Common Use Cases
### Sign and decrypt files
[![asciicast](https://asciinema.org/a/120441.png)](https://asciinema.org/a/120441)
### Inspect GPG keys
You can use GNU Privacy Assistant (GPA) in order to inspect the created keys and perform signature and decryption operations as usual:
```
$ sudo apt install gpa
$ gpa
```
[![GPA](https://cloud.githubusercontent.com/assets/9900/20224804/053d7474-a849-11e6-87f3-ab07dc536158.png)](https://www.gnupg.org/related_software/swlist.html#gpa)
### Sign Git commits and tags
Git can use GPG to sign and verify commits and tags (see [here](https://git-scm.com/book/en/v2/Git-Tools-Signing-Your-Work)):
```
$ git config --local commit.gpgsign 1
$ git config --local gpg.program $(which gpg2)
$ git commit --gpg-sign # create GPG-signed commit
$ git log --show-signature -1 # verify commit signature
$ git tag v1.2.3 --sign # create GPG-signed tag
$ git tag v1.2.3 --verify # verify tag signature
```
### Manage passwords
Password managers such as [pass](https://www.passwordstore.org/) and [gopass](https://www.justwatch.com/gopass/) rely on GPG for encryption so you can use your device with them too.
##### With `pass`:
First install `pass` from [passwordstore.org] and initialize it to use your TREZOR-based GPG identity:
```
$ pass init "Roman Zeyde <roman.zeyde@gmail.com>"
Password store initialized for Roman Zeyde <roman.zeyde@gmail.com>
```
Then, you can generate truly random passwords and save them encrypted using your public key (as separate `.gpg` files under `~/.password-store/`):
```
$ pass generate Dev/github 32
$ pass generate Social/hackernews 32
$ pass generate Social/twitter 32
$ pass generate VPS/linode 32
$ pass
Password Store
├── Dev
│   └── github
├── Social
│   ├── hackernews
│   └── twitter
└── VPS
└── linode
```
In order to paste them into the browser, you'd need to decrypt the password using your hardware device:
```
$ pass --clip VPS/linode
Copied VPS/linode to clipboard. Will clear in 45 seconds.
```
You can also use the following [Qt-based UI](https://qtpass.org/) for `pass`:
```
$ sudo apt install qtpass
```
### Re-generate a GPG identity
[![asciicast](https://asciinema.org/a/5tIQa5qt5bV134oeOqFyKEU29.png)](https://asciinema.org/a/5tIQa5qt5bV134oeOqFyKEU29)
If you've forgotten the timestamp value, but still have access to the public key, then you can
retrieve the timestamp with the following command (substitute "john@doe.bit" for the key's address or id):
```
$ gpg2 --export 'john@doe.bit' | gpg2 --list-packets | grep created | head -n1
```
### Add new UIDs to your identity
After your main identity is created, you can add new user IDs using the regular GnuPG commands:
```
$ trezor-gpg init "Foobar" -vv
$ export GNUPGHOME=${HOME}/.gnupg/trezor
$ gpg2 -K
------------------------------------------
sec nistp256/6275E7DA 2017-12-05 [SC]
uid [ultimate] Foobar
ssb nistp256/35F58F26 2017-12-05 [E]
$ gpg2 --edit Foobar
gpg> adduid
Real name: Xyzzy
Email address:
Comment:
You selected this USER-ID:
"Xyzzy"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
gpg> save
$ gpg2 -K
------------------------------------------
sec nistp256/6275E7DA 2017-12-05 [SC]
uid [ultimate] Xyzzy
uid [ultimate] Foobar
ssb nistp256/35F58F26 2017-12-05 [E]
```
### Generate GnuPG subkeys
In order to add TREZOR-based subkey to an existing GnuPG identity, use the `--subkey` flag:
```
$ gpg2 -k foobar
pub rsa2048/90C4064B 2017-10-10 [SC]
uid [ultimate] foobar
sub rsa2048/4DD05FF0 2017-10-10 [E]
$ trezor-gpg init "foobar" --subkey
```
[![asciicast](https://asciinema.org/a/Ick5G724zrZRFsGY7ZUdFSnV1.png)](https://asciinema.org/a/Ick5G724zrZRFsGY7ZUdFSnV1)
In order to enter existing GPG passphrase, I recommend installing and using a graphical Pinentry:
```
$ sudo apt install pinentry-gnome3
$ sudo update-alternatives --config pinentry
There are 4 choices for the alternative pinentry (providing /usr/bin/pinentry).
Selection Path Priority Status
------------------------------------------------------------
* 0 /usr/bin/pinentry-gnome3 90 auto mode
1 /usr/bin/pinentry-curses 50 manual mode
2 /usr/bin/pinentry-gnome3 90 manual mode
3 /usr/bin/pinentry-qt 80 manual mode
4 /usr/bin/pinentry-tty 30 manual mode
Press <enter> to keep the current choice[*], or type selection number: 0
```
### Sign and decrypt email
Follow [these instructions](enigmail.md) to set up Enigmail in Thunderbird.

171
doc/README-SSH.md Normal file
View File

@@ -0,0 +1,171 @@
# SSH Agent
## 1. Configuration
SSH requires no configuration, but you may put common command line options in `~/.ssh/agent.conf` to avoid repeating them in every invocation.
See `(trezor|keepkey|ledger)-agent -h` for details on supported options and the configuration file format.
## 2. Usage
Use the `(trezor|keepkey|ledger)-agent` program to work with SSH. It has three main modes of operation:
##### 1. Export public keys
To get your public key so you can add it to `authorized_hosts` or allow
ssh access to a service that supports it, run:
```
(trezor|keepkey|ledger)-agent identity@myhost
```
The identity (ex: `identity@myhost`) is used to derive the public key and is added as a comment to the exported key string.
##### 2. Run a command with the agent's environment
Run
```
$ (trezor|keepkey|ledger)-agent identity@myhost -- COMMAND --WITH --ARGUMENTS
```
to start the agent in the background and execute the command with environment variables set up to use the SSH agent. The specified identity is used for all SSH connections. The agent will exit after the command completes.
As a shortcut you can run
```
$ (trezor|keepkey|ledger)-agent identity@myhost -s
```
to start a shell with the proper environment.
##### 2. Connect to a server directly via `(trezor|keepkey|ledger)-agent`
If you just want to connect to a server this is the simplest way to do it:
```
$ (trezor|keepkey|ledger)-agent user@remotehost -c
```
The identity `user@remotehost` is used as both the destination user and host as well as for key derivation, so you must generate a separate key for each host you connect to.
## 3. Common Use Cases
### Start a single SSH session
[![Demo](https://asciinema.org/a/22959.png)](https://asciinema.org/a/22959)
### Start multiple SSH sessions from a sub-shell
This feature allows using regular SSH-related commands within a subprocess running user's shell.
`SSH_AUTH_SOCK` environment variable is defined for the subprocess (pointing to the SSH agent, running as a parent process).
This way the user can use SSH-related commands (e.g. `ssh`, `ssh-add`, `sshfs`, `git`, `hg`), while authenticating via the hardware device.
[![Subshell](https://asciinema.org/a/33240.png)](https://asciinema.org/a/33240)
### Load different SSH identities from configuration file
[![Config](https://asciinema.org/a/bdxxtgctk5syu56yfz8lcp7ny.png)](https://asciinema.org/a/bdxxtgctk5syu56yfz8lcp7ny)
### Implement passwordless login
Run:
/tmp $ trezor-agent user@ssh.hostname.com -v > hostname.pub
2015-09-02 15:03:18,929 INFO getting "ssh://user@ssh.hostname.com" public key from Trezor...
2015-09-02 15:03:23,342 INFO disconnected from Trezor
/tmp $ cat hostname.pub
ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBGSevcDwmT+QaZPUEWUUjTeZRBICChxMKuJ7dRpBSF8+qt+8S1GBK5Zj8Xicc8SHG/SE/EXKUL2UU3kcUzE7ADQ= ssh://user@ssh.hostname.com
Append `hostname.pub` contents to `/home/user/.ssh/authorized_keys`
configuration file at `ssh.hostname.com`, so the remote server
would allow you to login using the corresponding private key signature.
### Access remote Git/Mercurial repositories
Copy your public key and register it in your repository web interface (e.g. [GitHub](https://help.github.com/articles/adding-a-new-ssh-key-to-your-github-account/)):
$ trezor-agent -v -e ed25519 git@github.com | xclip
Use the following Bash alias for convenient Git operations:
$ alias git_hub='trezor-agent -v -e ed25519 git@github.com -- git'
Replace `git` with `git_hub` for remote operations:
$ git_hub push origin master
The same works for Mercurial (e.g. on [BitBucket](https://confluence.atlassian.com/bitbucket/set-up-ssh-for-mercurial-728138122.html)):
$ trezor-agent -v -e ed25519 git@bitbucket.org -- hg push
### Start the agent as a systemd unit
##### 1. Create these files in `~/.config/systemd/user`
Replace `trezor` with `keepkey` or `ledger` as required.
###### `trezor-ssh-agent.service`
````
[Unit]
Description=trezor-agent SSH agent
Requires=trezor-ssh-agent.socket
[Service]
Type=Simple
ExecStart=/usr/bin/trezor-agent --foreground --sock-path %t/trezor-agent/S.ssh IDENTITY
````
Replace `IDENTITY` with the identity you used when exporting the public key.
###### `trezor-ssh-agent.socket`
````
[Unit]
Description=trezor-agent SSH agent socket
[Socket]
ListenStream=%t/trezor-agent/S.ssh
FileDescriptorName=ssh
Service=trezor-ssh-agent.service
SocketMode=0600
DirectoryMode=0700
[Install]
WantedBy=sockets.target
````
##### 2. Run
```
systemctl --user start trezor-ssh-agent.service trezor-ssh-agent.socket
systemctl --user enable trezor-ssh-agent.socket
```
##### 3. Add this line to your `.bashrc` or equivalent file:
```bash
export SSH_AUTH_SOCK=$(systemctl show --user --property=Listen trezor-ssh-agent.socket | grep -o "/run.*")
```
##### 4. SSH will now automatically use your device key in all terminals.
## 4. Troubleshooting
If SSH connection fails to work, please open an [issue](https://github.com/romanz/trezor-agent/issues)
with a verbose log attached (by running `trezor-agent -vv`) .
##### Incompatible SSH options
Note that your local SSH configuration may ignore `trezor-agent`, if it has `IdentitiesOnly` option set to `yes`.
IdentitiesOnly
Specifies that ssh(1) should only use the authentication identity files configured in
the ssh_config files, even if ssh-agent(1) or a PKCS11Provider offers more identities.
The argument to this keyword must be “yes” or “no”.
This option is intended for situations where ssh-agent offers many different identities.
The default is “no”.
If you are failing to connect, try running:
$ trezor-agent -vv user@host -- ssh -vv -oIdentitiesOnly=no user@host

26
doc/enigmail.md Normal file
View File

@@ -0,0 +1,26 @@
# Tutorial
First, install [Thunderbird](https://www.mozilla.org/en-US/thunderbird/) and
the [Enigmail](https://www.enigmail.net/index.php/en/) add-on.
Make sure to use the correct GNUPGHOME path before starting Thunderbird:
```bash
$ export GNUPGHOME=${HOME}/.gnupg/trezor
$ thunderbird
```
Run the Enigmail's setup wizard and choose your GPG identity:
![01](https://user-images.githubusercontent.com/9900/31327339-47a5f69a-acd7-11e7-997c-7b5a286fe5bc.png)
![02](https://user-images.githubusercontent.com/9900/31327344-51dcd246-acd7-11e7-8cdc-dd305a512dbb.png)
![03](https://user-images.githubusercontent.com/9900/31327346-546862a0-acd7-11e7-8e00-b40994bd6f17.png)
Then, you can compose encrypted (and signed) messages using the regular UI:
NOTES:
- The email's title is **public** - only the body is encrypted.
- You will be asked to confirm the signature using the hardware device before sending the email.
![04](https://user-images.githubusercontent.com/9900/31327356-660d098e-acd7-11e7-9e43-762898f5b57e.png)
![05](https://user-images.githubusercontent.com/9900/31327365-76679dda-acd7-11e7-9403-6965f0c6d8fe.png)
After receiving the email, you will be asked to confirm the decryption the hardware device:
![06](https://user-images.githubusercontent.com/9900/31327371-7c1da4cc-acd7-11e7-9a5a-20accf621b49.png)

5
libagent/device/fake_device.py
View File

@@ -21,6 +21,11 @@ def _verify_support(identity):
class FakeDevice(interface.Device):
"""Connection to TREZOR device."""
@classmethod
def package_name(cls):
"""Python package name."""
return 'fake-device-agent'
def connect(self):
"""Return "dummy" connection."""
log.critical('NEVER USE THIS CODE FOR REAL-LIFE USE-CASES!!!')

5
libagent/device/keepkey.py
View File

@@ -20,6 +20,11 @@ def _verify_support(identity, ecdh):
class KeepKey(trezor.Trezor):
"""Connection to KeepKey device."""
@classmethod
def package_name(cls):
"""Python package name (at PyPI)."""
return 'keepkey-agent'
@property
def _defs(self):
from . import keepkey_defs

9
libagent/device/keepkey_defs.py
View File

@@ -2,8 +2,13 @@
# pylint: disable=unused-import,import-error
from keepkeylib.client import CallException as Error
from keepkeylib.client import CallException, PinException
from keepkeylib.client import KeepKeyClient as Client
from keepkeylib.messages_pb2 import PassphraseAck, PinMatrixAck
from keepkeylib.transport_hid import HidTransport as Transport
from keepkeylib.transport_hid import HidTransport
from keepkeylib.types_pb2 import IdentityType
def enumerate_transports():
"""Returns USB HID transports."""
return [HidTransport(p) for p in HidTransport.enumerate()]

15
libagent/device/ledger.py
View File

@@ -36,6 +36,11 @@ def _convert_public_key(ecdsa_curve_name, result):
class LedgerNanoS(interface.Device):
"""Connection to Ledger Nano S device."""
@classmethod
def package_name(cls):
"""Python package name (at PyPI)."""
return 'ledger-agent'
def connect(self):
"""Enumerate and connect to the first USB HID interface."""
try:
@@ -56,8 +61,10 @@ class LedgerNanoS(interface.Device):
apdu = binascii.unhexlify(apdu)
apdu += bytearray([len(path) + 1, len(path) // 4])
apdu += path
result = bytearray(self.conn.exchange(bytes(apdu)))[1:]
return _convert_public_key(curve_name, result)
log.debug('apdu: %r', apdu)
result = bytearray(self.conn.exchange(bytes(apdu)))
log.debug('result: %r', result)
return _convert_public_key(curve_name, result[1:])
def sign(self, identity, blob):
"""Sign given blob and return the signature (as bytes)."""
@@ -77,7 +84,9 @@ class LedgerNanoS(interface.Device):
apdu += bytearray([len(blob) + len(path) + 1])
apdu += bytearray([len(path) // 4]) + path
apdu += blob
log.debug('apdu: %r', apdu)
result = bytearray(self.conn.exchange(bytes(apdu)))
log.debug('result: %r', result)
if identity.curve_name == 'nist256p1':
offset = 3
length = result[offset]
@@ -106,6 +115,8 @@ class LedgerNanoS(interface.Device):
apdu += bytearray([len(pubkey) + len(path) + 1])
apdu += bytearray([len(path) // 4]) + path
apdu += pubkey
log.debug('apdu: %r', apdu)
result = bytearray(self.conn.exchange(bytes(apdu)))
log.debug('result: %r', result)
assert result[0] == 0x04
return bytes(result)

181
libagent/device/trezor.py
View File

@@ -3,8 +3,10 @@
import binascii
import logging
import os
import subprocess
import sys
import mnemonic
import semver
from . import interface
@@ -12,74 +14,129 @@ from . import interface
log = logging.getLogger(__name__)
def _message_box(label, sp=subprocess):
"""Launch an external process for PIN/passphrase entry GUI."""
args = [sys.executable, '-m', 'libagent.device.ui.simple']
p = sp.Popen(args=args, stdin=sp.PIPE, stdout=sp.PIPE, stderr=sp.PIPE)
out, err = p.communicate(label.encode('ascii'))
exitcode = p.wait()
if exitcode != 0:
log.error('UI failed: %r', err)
raise sp.CalledProcessError(exitcode, args)
return out.decode('ascii')
def _is_open_tty(stream):
return not stream.closed and os.isatty(stream.fileno())
class Trezor(interface.Device):
"""Connection to TREZOR device."""
@classmethod
def package_name(cls):
"""Python package name (at PyPI)."""
return 'trezor-agent'
@property
def _defs(self):
from . import trezor_defs
# Allow using TREZOR bridge transport (instead of the HID default)
trezor_defs.Transport = {
'bridge': trezor_defs.BridgeTransport,
}.get(os.environ.get('TREZOR_TRANSPORT'), trezor_defs.HidTransport)
return trezor_defs
required_version = '>=1.4.0'
passphrase = os.environ.get('TREZOR_PASSPHRASE', '')
def _override_pin_handler(self, conn):
cli_handler = conn.callback_PinMatrixRequest
def new_handler(msg):
try:
if _is_open_tty(sys.stdin):
result = cli_handler(msg) # CLI-based PIN handler
else:
scrambled_pin = _message_box(
'Use the numeric keypad to describe number positions.\n'
'The layout is:\n'
' 7 8 9\n'
' 4 5 6\n'
' 1 2 3\n'
'Please enter PIN:')
result = self._defs.PinMatrixAck(pin=scrambled_pin)
if not set(result.pin).issubset('123456789'):
raise self._defs.PinException(
None, 'Invalid scrambled PIN: {!r}'.format(result.pin))
return result
except: # noqa
conn.init_device()
raise
conn.callback_PinMatrixRequest = new_handler
cached_passphrase_ack = None
def _override_passphrase_handler(self, conn):
cli_handler = conn.callback_PassphraseRequest
def new_handler(msg):
try:
if self.__class__.cached_passphrase_ack:
log.debug('re-using cached %s passphrase', self)
return self.__class__.cached_passphrase_ack
if _is_open_tty(sys.stdin):
# use CLI-based PIN handler
ack = cli_handler(msg)
else:
passphrase = _message_box('Please enter passphrase:')
passphrase = mnemonic.Mnemonic.normalize_string(passphrase)
ack = self._defs.PassphraseAck(passphrase=passphrase)
self.__class__.cached_passphrase_ack = ack
return ack
except: # noqa
conn.init_device()
raise
conn.callback_PassphraseRequest = new_handler
def _verify_version(self, connection):
f = connection.features
log.debug('connected to %s %s', self, f.device_id)
log.debug('label : %s', f.label)
log.debug('vendor : %s', f.vendor)
current_version = '{}.{}.{}'.format(f.major_version,
f.minor_version,
f.patch_version)
log.debug('version : %s', current_version)
log.debug('revision : %s', binascii.hexlify(f.revision))
if not semver.match(current_version, self.required_version):
fmt = ('Please upgrade your {} firmware to {} version'
' (current: {})')
raise ValueError(fmt.format(self, self.required_version,
current_version))
def connect(self):
"""Enumerate and connect to the first USB HID interface."""
def passphrase_handler(_):
log.debug('using %s passphrase for %s',
'non-empty' if self.passphrase else 'empty', self)
return self._defs.PassphraseAck(passphrase=self.passphrase)
"""Enumerate and connect to the first available interface."""
transports = self._defs.enumerate_transports()
if not transports:
raise interface.NotFoundError('{} not connected'.format(self))
def create_pin_handler(conn):
if not sys.stdin.closed and os.isatty(sys.stdin.fileno()):
return conn.callback_PinMatrixRequest # CLI-based PIN handler
log.debug('transports: %s', transports)
for _ in range(5):
connection = self._defs.Client(transports[0])
self._override_pin_handler(connection)
self._override_passphrase_handler(connection)
self._verify_version(connection)
def qt_handler(_):
# pylint: disable=import-error
from PyQt5.QtWidgets import QApplication, QInputDialog, QLineEdit
label = ('Use the numeric keypad to describe number positions.\n'
'The layout is:\n'
' 7 8 9\n'
' 4 5 6\n'
' 1 2 3\n'
'Please enter PIN:')
app = QApplication([])
qd = QInputDialog()
qd.setTextEchoMode(QLineEdit.Password)
qd.setLabelText(label)
qd.show()
app.exec_()
return self._defs.PinMatrixAck(pin=qd.textValue())
return qt_handler
for d in self._defs.Transport.enumerate():
log.debug('endpoint: %s', d)
transport = self._defs.Transport(d)
connection = self._defs.Client(transport)
connection.callback_PassphraseRequest = passphrase_handler
connection.callback_PinMatrixRequest = create_pin_handler(connection)
f = connection.features
log.debug('connected to %s %s', self, f.device_id)
log.debug('label : %s', f.label)
log.debug('vendor : %s', f.vendor)
current_version = '{}.{}.{}'.format(f.major_version,
f.minor_version,
f.patch_version)
log.debug('version : %s', current_version)
log.debug('revision : %s', binascii.hexlify(f.revision))
if not semver.match(current_version, self.required_version):
fmt = ('Please upgrade your {} firmware to {} version'
' (current: {})')
raise ValueError(fmt.format(self, self.required_version,
current_version))
connection.ping(msg='', pin_protection=True) # unlock PIN
return connection
raise interface.NotFoundError('{} not connected'.format(self))
try:
connection.ping(msg='', pin_protection=True) # unlock PIN
return connection
except (self._defs.PinException, ValueError) as e:
log.error('Invalid PIN: %s, retrying...', e)
continue
except Exception as e:
log.exception('ping failed: %s', e)
connection.close() # so the next HID open() will succeed
raise
def close(self):
"""Close connection."""
@@ -91,10 +148,10 @@ class Trezor(interface.Device):
log.debug('"%s" getting public key (%s) from %s',
identity.to_string(), curve_name, self)
addr = identity.get_bip32_address(ecdh=ecdh)
result = self.conn.get_public_node(n=addr,
ecdsa_curve_name=curve_name)
result = self.conn.get_public_node(
n=addr, ecdsa_curve_name=curve_name)
log.debug('result: %s', result)
return result.node.public_key
return bytes(result.node.public_key)
def _identity_proto(self, identity):
result = self._defs.IdentityType()
@@ -116,8 +173,8 @@ class Trezor(interface.Device):
log.debug('result: %s', result)
assert len(result.signature) == 65
assert result.signature[:1] == b'\x00'
return result.signature[1:]
except self._defs.Error as e:
return bytes(result.signature[1:])
except self._defs.CallException as e:
msg = '{} error: {}'.format(self, e)
log.debug(msg, exc_info=True)
raise interface.DeviceError(msg)
@@ -135,8 +192,8 @@ class Trezor(interface.Device):
log.debug('result: %s', result)
assert len(result.session_key) in {65, 33} # NIST256 or Curve25519
assert result.session_key[:1] == b'\x04'
return result.session_key
except self._defs.Error as e:
return bytes(result.session_key)
except self._defs.CallException as e:
msg = '{} error: {}'.format(self, e)
log.debug(msg, exc_info=True)
raise interface.DeviceError(msg)

13
libagent/device/trezor_defs.py
View File

@@ -2,9 +2,12 @@
# pylint: disable=unused-import,import-error
from trezorlib.client import CallException as Error
from trezorlib.client import CallException, PinException
from trezorlib.client import TrezorClient as Client
from trezorlib.messages_pb2 import PassphraseAck, PinMatrixAck
from trezorlib.transport_bridge import BridgeTransport
from trezorlib.transport_hid import HidTransport
from trezorlib.types_pb2 import IdentityType
from trezorlib.messages import IdentityType, PassphraseAck, PinMatrixAck
from trezorlib.device import TrezorDevice
def enumerate_transports():
"""Returns all available transports."""
return TrezorDevice.enumerate()

1
libagent/device/ui/__init__.py Normal file
View File

@@ -0,0 +1 @@
"""UIs for PIN/passphrase entry."""

6
libagent/device/ui/simple.py Normal file
View File

@@ -0,0 +1,6 @@
"""Simple, cross-platform UI for entering a PIN/passhprase."""
import sys
import pymsgbox
sys.stdout.write(pymsgbox.password(sys.stdin.read()))

4
libagent/formats.py
View File

@@ -102,6 +102,8 @@ def _decompress_ed25519(pubkey):
if pubkey[:1] == b'\x00':
# set by Trezor fsm_msgSignIdentity() and fsm_msgGetPublicKey()
return ed25519.VerifyingKey(pubkey[1:])
else:
return None
def _decompress_nist256(pubkey):
@@ -126,6 +128,8 @@ def _decompress_nist256(pubkey):
point = ecdsa.ellipticcurve.Point(curve.curve, x, y)
return ecdsa.VerifyingKey.from_public_point(point, curve=curve,
hashfunc=hashfunc)
else:
return None
def decompress_pubkey(pubkey, curve_name):

172
libagent/gpg/__init__.py
View File

@@ -13,11 +13,15 @@ import contextlib
import functools
import logging
import os
import re
import subprocess
import sys
import time
import pkg_resources
import semver
from . import agent, client, encode, keyring, protocol
from .. import device, formats, server, util
@@ -73,23 +77,121 @@ def export_public_key(device_type, args):
subkey=subkey,
signer_func=signer_func)
sys.stdout.write(protocol.armor(result, 'PUBLIC KEY BLOCK'))
return protocol.armor(result, 'PUBLIC KEY BLOCK')
def run_create(device_type, args):
"""Export public GPG key."""
def verify_gpg_version():
"""Make sure that the installed GnuPG is not too old."""
existing_gpg = keyring.gpg_version().decode('ascii')
required_gpg = '>=2.1.11'
msg = 'Existing GnuPG has version "{}" ({} required)'.format(existing_gpg,
required_gpg)
assert semver.match(existing_gpg, required_gpg), msg
def check_output(args):
"""Runs command and returns the output as string."""
log.debug('run: %s', args)
out = subprocess.check_output(args=args).decode('utf-8')
log.debug('out: %r', out)
return out
def check_call(args, stdin=None, env=None):
"""Runs command and verifies its success."""
log.debug('run: %s%s', args, ' {}'.format(env) if env else '')
subprocess.check_call(args=args, stdin=stdin, env=env)
def write_file(path, data):
"""Writes data to specified path."""
with open(path, 'w') as f:
log.debug('setting %s contents:\n%s', path, data)
f.write(data)
return f
def run_init(device_type, args):
"""Initialize hardware-based GnuPG identity."""
util.setup_logging(verbosity=args.verbose)
log.warning('This GPG tool is still in EXPERIMENTAL mode, '
'so please note that the API and features may '
'change without backwards compatibility!')
existing_gpg = keyring.gpg_version().decode('ascii')
required_gpg = '>=2.1.11'
if semver.match(existing_gpg, required_gpg):
export_public_key(device_type, args)
else:
log.error('Existing gpg2 has version "%s" (%s required)',
existing_gpg, required_gpg)
verify_gpg_version()
# Prepare new GPG home directory for hardware-based identity
device_name = os.path.basename(sys.argv[0]).rsplit('-', 1)[0]
log.info('device name: %s', device_name)
homedir = os.path.expanduser('~/.gnupg/{}'.format(device_name))
log.info('GPG home directory: %s', homedir)
if os.path.exists(homedir):
log.error('GPG home directory %s exists, '
'remove it manually if required', homedir)
sys.exit(1)
check_call(['mkdir', '-p', homedir])
check_call(['chmod', '700', homedir])
agent_path = util.which('{}-gpg-agent'.format(device_name))
# Prepare GPG agent invocation script (to pass the PATH from environment).
with open(os.path.join(homedir, 'run-agent.sh'), 'w') as f:
f.write("""#!/bin/sh
export PATH={0}
{1} $*
""".format(os.environ['PATH'], agent_path))
check_call(['chmod', '700', f.name])
run_agent_script = f.name
# Prepare GPG configuration file
with open(os.path.join(homedir, 'gpg.conf'), 'w') as f:
f.write("""# Hardware-based GPG configuration
agent-program {0}
personal-digest-preferences SHA512
default-key \"{1}\"
""".format(run_agent_script, args.user_id))
# Prepare GPG agent configuration file
with open(os.path.join(homedir, 'gpg-agent.conf'), 'w') as f:
f.write("""# Hardware-based GPG agent emulator
log-file {0}/gpg-agent.log
verbosity 2
""".format(homedir))
# Prepare a helper script for setting up the new identity
with open(os.path.join(homedir, 'env'), 'w') as f:
f.write("""#!/bin/bash
set -eu
export GNUPGHOME={0}
COMMAND=$*
if [ -z "${{COMMAND}}" ]
then
${{SHELL}}
else
${{COMMAND}}
fi
""".format(homedir))
check_call(['chmod', '700', f.name])
# Generate new GPG identity and import into GPG keyring
pubkey = write_file(os.path.join(homedir, 'pubkey.asc'),
export_public_key(device_type, args))
gpg_binary = keyring.get_gnupg_binary()
check_call([gpg_binary, '--homedir', homedir, '--quiet',
'--import', pubkey.name])
# Make new GPG identity with "ultimate" trust (via its fingerprint)
out = check_output([gpg_binary, '--homedir', homedir, '--list-public-keys',
'--with-fingerprint', '--with-colons'])
fpr = re.findall('fpr:::::::::([0-9A-F]+):', out)[0]
f = write_file(os.path.join(homedir, 'ownertrust.txt'), fpr + ':6\n')
check_call([gpg_binary, '--homedir', homedir,
'--import-ownertrust', f.name])
# Load agent and make sure it responds with the new identity
check_call([gpg_binary, '--list-secret-keys'], env={'GNUPGHOME': homedir})
def run_unlock(device_type, args):
@@ -114,34 +216,52 @@ def run_agent(device_type):
util.setup_logging(verbosity=int(config['verbosity']),
filename=config['log-file'])
sock_path = keyring.get_agent_sock_path()
handler = agent.Handler(device=device_type())
with server.unix_domain_socket_server(sock_path) as sock:
for conn in agent.yield_connections(sock):
with contextlib.closing(conn):
try:
handler.handle(conn)
except agent.AgentStop:
log.info('stopping gpg-agent')
return
except Exception as e: # pylint: disable=broad-except
log.exception('gpg-agent failed: %s', e)
log.debug('sys.argv: %s', sys.argv)
log.debug('os.environ: %s', os.environ)
log.debug('pid: %d, parent pid: %d', os.getpid(), os.getppid())
try:
env = {'GNUPGHOME': args.homedir}
sock_path = keyring.get_agent_sock_path(env=env)
pubkey_bytes = keyring.export_public_keys(env=env)
handler = agent.Handler(device=device_type(), pubkey_bytes=pubkey_bytes)
with server.unix_domain_socket_server(sock_path) as sock:
for conn in agent.yield_connections(sock):
with contextlib.closing(conn):
try:
handler.handle(conn)
except agent.AgentStop:
log.info('stopping gpg-agent')
return
except Exception as e: # pylint: disable=broad-except
log.exception('handler failed: %s', e)
except Exception as e: # pylint: disable=broad-except
log.exception('gpg-agent failed: %s', e)
def main(device_type):
"""Parse command-line arguments."""
parser = argparse.ArgumentParser()
subparsers = parser.add_subparsers()
p = subparsers.add_parser('create', help='Export public GPG key')
agent_package = device_type.package_name()
resources_map = {r.key: r for r in pkg_resources.require(agent_package)}
resources = [resources_map[agent_package], resources_map['libagent']]
versions = '\n'.join('{}={}'.format(r.key, r.version) for r in resources)
parser.add_argument('--version', help='print the version info',
action='version', version=versions)
subparsers = parser.add_subparsers(title='Action', dest='action')
subparsers.required = True
p = subparsers.add_parser('init',
help='initialize hardware-based GnuPG identity')
p.add_argument('user_id')
p.add_argument('-e', '--ecdsa-curve', default='nist256p1')
p.add_argument('-t', '--time', type=int, default=int(time.time()))
p.add_argument('-v', '--verbose', default=0, action='count')
p.add_argument('-s', '--subkey', default=False, action='store_true')
p.set_defaults(func=run_create)
p.set_defaults(func=run_init)
p = subparsers.add_parser('unlock', help='Unlock the hardware device')
p = subparsers.add_parser('unlock', help='unlock the hardware device')
p.add_argument('-v', '--verbose', default=0, action='count')
p.set_defaults(func=run_unlock)

42
libagent/gpg/agent.py
View File

@@ -57,6 +57,18 @@ def parse_ecdh(line):
return dict(items)[b'e']
def _key_info(conn, args):
"""
Dummy reply (mainly for 'gpg --edit' to succeed).
For details, see GnuPG agent KEYINFO command help.
https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=blob;f=agent/command.c;h=c8b34e9882076b1b724346787781f657cac75499;hb=refs/heads/master#l1082
"""
fmt = 'S KEYINFO {0} X - - - - - - -'
keygrip, = args
keyring.sendline(conn, fmt.format(keygrip).encode('ascii'))
class AgentError(Exception):
"""GnuPG agent-related error."""
@@ -68,7 +80,7 @@ class AgentStop(Exception):
class Handler(object):
"""GPG agent requests' handler."""
def __init__(self, device):
def __init__(self, device, pubkey_bytes):
"""C-tor."""
self.client = client.Client(device=device)
# Cache ASSUAN commands' arguments between commands
@@ -76,7 +88,7 @@ class Handler(object):
self.digest = None
self.algo = None
# Cache public keys from GnuPG
self.pubkey_bytes = keyring.export_public_keys()
self.pubkey_bytes = pubkey_bytes
# "Clone" existing GPG version
self.version = keyring.gpg_version()
@@ -84,6 +96,7 @@ class Handler(object):
b'RESET': None,
b'OPTION': None,
b'SETKEYDESC': None,
b'NOP': None,
b'GETINFO': lambda conn, _: keyring.sendline(conn, b'D ' + self.version),
b'AGENT_ID': lambda conn, _: keyring.sendline(conn, b'D TREZOR'), # "Fake" agent ID
b'SIGKEY': lambda _, args: self.set_key(*args),
@@ -92,7 +105,7 @@ class Handler(object):
b'PKSIGN': lambda conn, _: self.pksign(conn),
b'PKDECRYPT': lambda conn, _: self.pkdecrypt(conn),
b'HAVEKEY': lambda _, args: self.have_key(*args),
b'KEYINFO': lambda conn, _: self.key_info(conn),
b'KEYINFO': _key_info,
b'SCD': self.handle_scd,
}
@@ -154,23 +167,16 @@ class Handler(object):
@util.memoize
def have_key(self, *keygrips):
"""Check if current keygrip correspond to a TREZOR-based key."""
try:
self.get_identity(keygrip=keygrips[0])
except KeyError as e:
log.warning('HAVEKEY(%s) failed: %s', keygrips, e)
"""Check if any keygrip corresponds to a TREZOR-based key."""
for keygrip in keygrips:
try:
self.get_identity(keygrip=keygrip)
break
except KeyError as e:
log.warning('HAVEKEY(%s) failed: %s', keygrip, e)
else:
raise AgentError(b'ERR 67108881 No secret key <GPG Agent>')
def key_info(self, conn):
"""
Dummy reply (mainly for 'gpg --edit' to succeed).
For details, see GnuPG agent KEYINFO command help.
https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=blob;f=agent/command.c;h=c8b34e9882076b1b724346787781f657cac75499;hb=refs/heads/master#l1082
"""
fmt = 'S KEYINFO {0} X - - - - - - -'
keyring.sendline(conn, fmt.format(self.keygrip).encode('ascii'))
def set_key(self, keygrip):
"""Set hexadecimal keygrip for next operation."""
self.keygrip = keygrip

2
libagent/gpg/decode.py
View File

@@ -186,6 +186,7 @@ def _parse_pubkey(stream, packet_type='pubkey'):
log.debug('key ID: %s', util.hexlify(p['key_id']))
return p
_parse_subkey = functools.partial(_parse_pubkey, packet_type='subkey')
@@ -195,6 +196,7 @@ def _parse_user_id(stream, packet_type='user_id'):
to_hash = b'\xb4' + util.prefix_len('>L', value)
return {'type': packet_type, 'value': value, '_to_hash': to_hash}
# User attribute is handled as an opaque user ID
_parse_attribute = functools.partial(_parse_user_id,
packet_type='user_attribute')

8
libagent/gpg/encode.py
View File

@@ -23,12 +23,14 @@ def create_primary(user_id, pubkey, signer_func, secret_bytes=b''):
# https://tools.ietf.org/html/rfc4880#section-5.2.3.4
protocol.subpacket_byte(0x1B, 1 | 2), # key flags (certify & sign)
# https://tools.ietf.org/html/rfc4880#section-5.2.3.21
protocol.subpacket_byte(0x15, 8), # preferred hash (SHA256)
protocol.subpacket_bytes(0x15, [8, 9, 10]), # preferred hash
# https://tools.ietf.org/html/rfc4880#section-5.2.3.8
protocol.subpacket_byte(0x16, 0), # preferred compression (none)
protocol.subpacket_bytes(0x16, [2, 3, 1]), # preferred compression
# https://tools.ietf.org/html/rfc4880#section-5.2.3.9
protocol.subpacket_byte(0x17, 0x80) # key server prefs (no-modify)
protocol.subpacket_byte(0x17, 0x80), # key server prefs (no-modify)
# https://tools.ietf.org/html/rfc4880#section-5.2.3.17
protocol.subpacket_byte(0x1E, 0x01), # advanced features (MDC)
# https://tools.ietf.org/html/rfc4880#section-5.2.3.24
]
unhashed_subpackets = [
protocol.subpacket(16, pubkey.key_id()), # issuer key id

76
libagent/gpg/keyring.py
View File

@@ -14,17 +14,29 @@ from .. import util
log = logging.getLogger(__name__)
def get_agent_sock_path(sp=subprocess):
def check_output(args, env=None, sp=subprocess):
"""Call an external binary and return its stdout."""
log.debug('calling %s with env %s', args, env)
output = sp.check_output(args=args, env=env)
log.debug('output: %r', output)
return output
def get_agent_sock_path(env=None, sp=subprocess):
"""Parse gpgconf output to find out GPG agent UNIX socket path."""
lines = sp.check_output(['gpgconf', '--list-dirs']).strip().split(b'\n')
args = [util.which('gpgconf'), '--list-dirs']
output = check_output(args=args, env=env, sp=sp)
lines = output.strip().split(b'\n')
dirs = dict(line.split(b':', 1) for line in lines)
log.debug('%s: %s', args, dirs)
return dirs[b'agent-socket']
def connect_to_agent(sp=subprocess):
def connect_to_agent(env=None, sp=subprocess):
"""Connect to GPG agent's UNIX socket."""
sock_path = get_agent_sock_path(sp=sp)
sp.check_call(['gpg-connect-agent', '/bye']) # Make sure it's running
sock_path = get_agent_sock_path(sp=sp, env=env)
# Make sure the original gpg-agent is running.
check_output(args=['gpg-connect-agent', '/bye'], sp=sp)
sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
sock.connect(sock_path)
return sock
@@ -99,8 +111,8 @@ def parse(s):
value, s = parse(s)
values.append(value)
return values, s[1:]
else:
return parse_term(s)
return parse_term(s)
def _parse_ecdsa_sig(args):
@@ -110,6 +122,7 @@ def _parse_ecdsa_sig(args):
return (util.bytes2num(sig_r),
util.bytes2num(sig_s))
# DSA and EDDSA happen to have the same structure as ECDSA signatures
_parse_dsa_sig = _parse_ecdsa_sig
_parse_eddsa_sig = _parse_ecdsa_sig
@@ -140,7 +153,7 @@ def sign_digest(sock, keygrip, digest, sp=subprocess, environ=None):
assert communicate(sock, 'RESET').startswith(b'OK')
ttyname = sp.check_output(['tty']).strip()
ttyname = check_output(args=['tty'], sp=sp).strip()
options = ['ttyname={}'.format(ttyname)] # set TTY for passphrase entry
display = (environ or os.environ).get('DISPLAY')
@@ -175,22 +188,26 @@ def sign_digest(sock, keygrip, digest, sp=subprocess, environ=None):
return parse_sig(sig)
def get_gnupg_components(sp=subprocess):
"""Parse GnuPG components' paths."""
args = [util.which('gpgconf'), '--list-components']
output = check_output(args=args, sp=sp)
components = dict(re.findall('(.*):.*:(.*)', output.decode('utf-8')))
log.debug('gpgconf --list-components: %s', components)
return components
@util.memoize
def get_gnupg_binary(sp=subprocess):
"""Starting GnuPG 2.2.x, the default installation uses `gpg`."""
for cmd in ['gpg2', 'gpg']:
try:
return sp.check_output(args=['which', cmd]).strip().decode('ascii')
except subprocess.CalledProcessError:
log.debug('%r not found', cmd)
continue
raise OSError('GnuPG seems to be not installed')
return get_gnupg_components(sp=sp)['gpg']
def gpg_command(args, env=None, sp=subprocess):
def gpg_command(args, env=None):
"""Prepare common GPG command line arguments."""
if env is None:
env = os.environ
cmd = [get_gnupg_binary(sp=sp)]
cmd = [get_gnupg_binary()]
homedir = env.get('GNUPGHOME')
if homedir:
cmd.extend(['--homedir', homedir])
@@ -199,38 +216,41 @@ def gpg_command(args, env=None, sp=subprocess):
def get_keygrip(user_id, sp=subprocess):
"""Get a keygrip of the primary GPG key of the specified user."""
args = gpg_command(['--list-keys', '--with-keygrip', user_id], sp=sp)
output = sp.check_output(args).decode('ascii')
args = gpg_command(['--list-keys', '--with-keygrip', user_id])
output = check_output(args=args, sp=sp).decode('utf-8')
return re.findall(r'Keygrip = (\w+)', output)[0]
def gpg_version(sp=subprocess):
"""Get a keygrip of the primary GPG key of the specified user."""
args = gpg_command(['--version'], sp=sp)
output = sp.check_output(args)
args = gpg_command(['--version'])
output = check_output(args=args, sp=sp)
line = output.split(b'\n')[0] # b'gpg (GnuPG) 2.1.11'
return line.split(b' ')[-1] # b'2.1.11'
def export_public_key(user_id, sp=subprocess):
def export_public_key(user_id, env=None, sp=subprocess):
"""Export GPG public key for specified `user_id`."""
args = gpg_command(['--export', user_id], sp=sp)
result = sp.check_output(args=args)
args = gpg_command(['--export', user_id])
result = check_output(args=args, env=env, sp=sp)
if not result:
log.error('could not find public key %r in local GPG keyring', user_id)
raise KeyError(user_id)
return result
def export_public_keys(sp=subprocess):
def export_public_keys(env=None, sp=subprocess):
"""Export all GPG public keys."""
args = gpg_command(['--export'], sp=sp)
return sp.check_output(args=args)
args = gpg_command(['--export'])
result = check_output(args=args, env=env, sp=sp)
if not result:
raise KeyError('No GPG public keys found at env: {!r}'.format(env))
return result
def create_agent_signer(user_id):
"""Sign digest with existing GPG keys using gpg-agent tool."""
sock = connect_to_agent()
sock = connect_to_agent(env=os.environ)
keygrip = get_keygrip(user_id)
def sign(digest):

5
libagent/gpg/protocol.py
View File

@@ -47,6 +47,11 @@ def subpacket_byte(subpacket_type, value):
return subpacket(subpacket_type, '>B', value)
def subpacket_bytes(subpacket_type, values):
"""Create GPG subpacket with 8-bit unsigned integers."""
return subpacket(subpacket_type, '>' + 'B'*len(values), *values)
def subpacket_prefix_len(item):
"""Prefix subpacket length according to RFC 4880 section-5.2.3.1."""
n = len(item)

95
libagent/ssh/__init__.py
View File

@@ -1,16 +1,19 @@
"""SSH-agent implementation using hardware authentication devices."""
import argparse
import contextlib
import functools
import io
import logging
import os
import re
import signal
import subprocess
import sys
import tempfile
import threading
import pkg_resources
import configargparse
import daemon
from .. import device, formats, server, util
from . import client, protocol
@@ -55,11 +58,18 @@ def _to_unicode(s):
return s
def create_agent_parser():
def create_agent_parser(device_type):
"""Create an ArgumentParser for this tool."""
p = argparse.ArgumentParser()
p = configargparse.ArgParser(default_config_files=['~/.ssh/agent.config'])
p.add_argument('-v', '--verbose', default=0, action='count')
agent_package = device_type.package_name()
resources_map = {r.key: r for r in pkg_resources.require(agent_package)}
resources = [resources_map[agent_package], resources_map['libagent']]
versions = '\n'.join('{}={}'.format(r.key, r.version) for r in resources)
p.add_argument('--version', help='print the version info',
action='version', version=versions)
curve_names = [name for name in formats.SUPPORTED_CURVES]
curve_names = ', '.join(sorted(curve_names))
p.add_argument('-e', '--ecdsa-curve-name', metavar='CURVE',
@@ -67,13 +77,22 @@ def create_agent_parser():
help='specify ECDSA curve name: ' + curve_names)
p.add_argument('--timeout',
default=UNIX_SOCKET_TIMEOUT, type=float,
help='Timeout for accepting SSH client connections')
help='timeout for accepting SSH client connections')
p.add_argument('--debug', default=False, action='store_true',
help='Log SSH protocol messages for debugging.')
help='log SSH protocol messages for debugging.')
p.add_argument('--log-file', type=str,
help='Path to the log file (to be written by the agent).')
p.add_argument('--sock-path', type=str,
help='Path to the UNIX domain socket of the agent.')
g = p.add_mutually_exclusive_group()
g.add_argument('-d', '--daemonize', default=False, action='store_true',
help='Daemonize the agent and print its UNIX socket path')
g.add_argument('-f', '--foreground', default=False, action='store_true',
help='Run agent in foreground with specified UNIX socket path')
g.add_argument('-s', '--shell', default=False, action='store_true',
help='run ${SHELL} as subprocess under SSH agent')
help=('run ${SHELL} as subprocess under SSH agent, allowing '
'regular SSH-based tools to be used in the shell'))
g.add_argument('-c', '--connect', default=False, action='store_true',
help='connect to specified host via SSH')
g.add_argument('--mosh', default=False, action='store_true',
@@ -87,7 +106,7 @@ def create_agent_parser():
@contextlib.contextmanager
def serve(handler, sock_path=None, timeout=UNIX_SOCKET_TIMEOUT):
def serve(handler, sock_path, timeout=UNIX_SOCKET_TIMEOUT):
"""
Start the ssh-agent server on a UNIX-domain socket.
@@ -97,9 +116,6 @@ def serve(handler, sock_path=None, timeout=UNIX_SOCKET_TIMEOUT):
ssh_version = subprocess.check_output(['ssh', '-V'],
stderr=subprocess.STDOUT)
log.debug('local SSH version: %r', ssh_version)
if sock_path is None:
sock_path = tempfile.mktemp(prefix='trezor-ssh-agent-')
environ = {'SSH_AUTH_SOCK': sock_path, 'SSH_AGENT_PID': str(os.getpid())}
device_mutex = threading.Lock()
with server.unix_domain_socket_server(sock_path) as sock:
@@ -119,14 +135,20 @@ def serve(handler, sock_path=None, timeout=UNIX_SOCKET_TIMEOUT):
quit_event.set()
def run_server(conn, command, debug, timeout):
def run_server(conn, command, sock_path, debug, timeout):
"""Common code for run_agent and run_git below."""
ret = 0
try:
handler = protocol.Handler(conn=conn, debug=debug)
with serve(handler=handler, timeout=timeout) as env:
return server.run_process(command=command, environ=env)
with serve(handler=handler, sock_path=sock_path,
timeout=timeout) as env:
if command:
ret = server.run_process(command=command, environ=env)
else:
signal.pause() # wait for signal (e.g. SIGINT)
except KeyboardInterrupt:
log.info('server stopped')
return ret
def handle_connection_error(func):
@@ -135,7 +157,7 @@ def handle_connection_error(func):
def wrapper(*args, **kwargs):
try:
return func(*args, **kwargs)
except IOError as e:
except device.interface.NotFoundError as e:
log.error('Connection error (try unplugging and replugging your device): %s', e)
return 1
return wrapper
@@ -186,11 +208,27 @@ class JustInTimeConnection(object):
return conn.sign_ssh_challenge(blob=blob, identity=identity)
@contextlib.contextmanager
def _dummy_context():
yield
def _get_sock_path(args):
sock_path = args.sock_path
if not sock_path:
if args.foreground:
log.error('running in foreground mode requires specifying UNIX socket path')
sys.exit(1)
else:
sock_path = tempfile.mktemp(prefix='trezor-ssh-agent-')
return sock_path
@handle_connection_error
def main(device_type):
"""Run ssh-agent using given hardware client factory."""
args = create_agent_parser().parse_args()
util.setup_logging(verbosity=args.verbose)
args = create_agent_parser(device_type=device_type).parse_args()
util.setup_logging(verbosity=args.verbose, filename=args.log_file)
public_keys = None
if args.identity.startswith('/'):
@@ -205,14 +243,24 @@ def main(device_type):
identity_str=args.identity, curve_name=args.ecdsa_curve_name)]
for index, identity in enumerate(identities):
identity.identity_dict['proto'] = u'ssh'
log.info('identity #%d: %s', index, identity)
log.info('identity #%d: %s', index, identity.to_string())
sock_path = _get_sock_path(args)
command = args.command
context = _dummy_context()
if args.connect:
command = ['ssh'] + ssh_args(args.identity) + args.command
elif args.mosh:
command = ['mosh'] + mosh_args(args.identity) + args.command
else:
command = args.command
elif args.daemonize:
out = 'SSH_AUTH_SOCK={0}; export SSH_AUTH_SOCK;\n'.format(sock_path)
sys.stdout.write(out)
sys.stdout.flush()
context = daemon.DaemonContext()
log.info('running the agent as a daemon on %s', sock_path)
elif args.foreground:
log.info('running the agent on %s', sock_path)
use_shell = bool(args.shell)
if use_shell:
@@ -222,9 +270,12 @@ def main(device_type):
conn = JustInTimeConnection(
conn_factory=lambda: client.Client(device_type()),
identities=identities, public_keys=public_keys)
if command:
return run_server(conn=conn, command=command, debug=args.debug,
timeout=args.timeout)
if command or args.daemonize or args.foreground:
with context:
return run_server(conn=conn, command=command, sock_path=sock_path,
debug=args.debug, timeout=args.timeout)
else:
for pk in conn.public_keys():
sys.stdout.write(pk)
return 0 # success exit code

20
libagent/tests/test_server.py
View File

@@ -1,4 +1,3 @@
import functools
import io
import os
import socket
@@ -74,26 +73,27 @@ def test_handle():
def test_server_thread():
connections = [FakeSocket()]
sock = FakeSocket()
connections = [sock]
quit_event = threading.Event()
class FakeServer(object):
def accept(self): # pylint: disable=no-self-use
if connections:
return connections.pop(), 'address'
quit_event.set()
raise socket.timeout()
if not connections:
raise socket.timeout()
return connections.pop(), 'address'
def getsockname(self): # pylint: disable=no-self-use
return 'fake_server'
handler = protocol.Handler(conn=empty_device()),
handle_conn = functools.partial(server.handle_connection,
handler=handler,
mutex=None)
def handle_conn(conn):
assert conn is sock
quit_event.set()
server.server_thread(sock=FakeServer(),
handle_conn=handle_conn,
quit_event=quit_event)
quit_event.wait()
def test_spawn():

16
libagent/util.py
View File

@@ -213,3 +213,19 @@ def memoize(func):
return result
return wrapper
@memoize
def which(cmd):
"""Return full path to specified command, or raise OSError if missing."""
try:
# For Python 3
from shutil import which as _which
except ImportError:
# For Python 2
from backports.shutil_which import which as _which # pylint: disable=relative-import
full_path = _which(cmd)
if full_path is None:
raise OSError('Cannot find {!r} in $PATH'.format(cmd))
log.debug('which %r => %r', cmd, full_path)
return full_path

6
release.sh Executable file
View File

@@ -0,0 +1,6 @@
#!/bin/bash
set -eux
rm -rv dist/*
python3 setup.py sdist
gpg2 -v --detach-sign -a dist/*.tar.gz
twine upload dist/*

59
scripts/gpg-init
View File

@@ -1,59 +0,0 @@
#!/bin/bash
set -eu
USER_ID="${1}"
DEVICE=${DEVICE:="trezor"} # or "ledger"
CURVE=${CURVE:="nist256p1"} # or "ed25519"
TIMESTAMP=${TIMESTAMP:=`date +%s`} # key creation timestamp
HOMEDIR=~/.gnupg/${DEVICE}
# NOTE: starting from GnuPG 2.2, gpg2 -> gpg
GPG_BINARY=$(python -c "import libagent.gpg.keyring as k; print(k.get_gnupg_binary())")
${GPG_BINARY} --version # verify that GnuPG 2.1+ is installed
# Prepare new GPG home directory for hardware-based identity
rm -rf "${HOMEDIR}"
mkdir -p "${HOMEDIR}"
chmod 700 "${HOMEDIR}"
# Generate new GPG identity and import into GPG keyring
$DEVICE-gpg create -v "${USER_ID}" -t "${TIMESTAMP}" -e "${CURVE}" > "${HOMEDIR}/pubkey.asc"
${GPG_BINARY} --homedir "${HOMEDIR}" --import < "${HOMEDIR}/pubkey.asc" 2> /dev/null
rm -f "${HOMEDIR}/S.gpg-agent" # (otherwise, our agent won't be started automatically)
# Make new GPG identity with "ultimate" trust (via its fingerprint)
FINGERPRINT=$(${GPG_BINARY} --homedir "${HOMEDIR}" --list-public-keys --with-fingerprint --with-colons | sed -n -E 's/^fpr:::::::::([0-9A-F]+):$/\1/p' | head -n1)
echo "${FINGERPRINT}:6" | ${GPG_BINARY} --homedir "${HOMEDIR}" --import-ownertrust 2> /dev/null
AGENT_PATH="$(which ${DEVICE}-gpg-agent)"
# Prepare GPG configuration file
echo "# Hardware-based GPG configuration
agent-program ${AGENT_PATH}
personal-digest-preferences SHA512
default-key \"${USER_ID}\"
" > "${HOMEDIR}/gpg.conf"
# Prepare GPG agent configuration file
echo "# Hardware-based GPG agent emulator
log-file ${HOMEDIR}/gpg-agent.log
verbosity 2
" > "${HOMEDIR}/gpg-agent.conf"
# Prepare a helper script for setting up the new identity
echo "#!/bin/bash
set -eu
export GNUPGHOME=${HOMEDIR}
COMMAND=\$*
if [ -z \"\${COMMAND}\" ]
then
\${SHELL}
else
\${COMMAND}
fi
" > "${HOMEDIR}/env"
chmod u+x "${HOMEDIR}/env"
echo "Starting ${DEVICE}-gpg-agent at ${HOMEDIR}..."
# Load agent and make sure it responds with the new identity
GNUPGHOME="${HOMEDIR}" ${GPG_BINARY} -K 2> /dev/null

7
setup.py
View File

@@ -3,7 +3,7 @@ from setuptools import setup
setup(
name='libagent',
version='0.9.4',
version='0.10.0',
description='Using hardware wallets as SSH/GPG agent',
author='Roman Zeyde',
author_email='roman.zeyde@gmail.com',
@@ -15,8 +15,13 @@ setup(
'libagent.ssh'
],
install_requires=[
'backports.shutil_which>=3.5.1',
'ConfigArgParse>=0.12.0',
'python-daemon>=2.1.2',
'ecdsa>=0.13',
'ed25519>=1.4',
'mnemonic>=0.18',
'pymsgbox>=1.0.6',
'semver>=2.2',
'unidecode>=0.4.20',
],

8
tox.ini
View File

@@ -1,6 +1,6 @@
[tox]
envlist = py27,py3
[pep8]
[pycodestyle]
max-line-length = 100
[pep257]
add-ignore = D401
@@ -8,15 +8,15 @@ add-ignore = D401
deps=
pytest
mock
pep8
pycodestyle
coverage
pylint
semver
pydocstyle
isort
commands=
pep8 libagent
isort --skip-glob .tox -c -r libagent
pycodestyle libagent
# isort --skip-glob .tox -c -r libagent
pylint --reports=no --rcfile .pylintrc libagent
pydocstyle libagent
coverage run --source libagent -m py.test -v libagent