gpg: use environment variable for user_id
@@ -1,22 +1,24 @@
|
||||
# Generate new stand-alone GPG identity
|
||||
|
||||
# Generate new GPG signing key:
|
||||
```
|
||||
$ USER_ID="Satoshi Nakamoto <satoshi@nakamoto.bit>"
|
||||
$ trezor-gpg create "${USER_ID}" > identity.pub # create new TREZOR-based GPG identity
|
||||
$ gpg2 --import identity.pub # import into local GPG public keyring
|
||||
$ gpg2 --edit "${USER_ID}" trust # OPTIONAL: mark the key as trusted
|
||||
```
|
||||
|
||||
# Generate new subkey for existing GPG identity
|
||||
## Create new GPG identity:
|
||||
```
|
||||
$ USER_ID="Satoshi Nakamoto <satoshi@nakamoto.bit>"
|
||||
$ gpg2 --list-keys "${USER_ID}" # make sure this identity already exists
|
||||
$ trezor-gpg create --subkey "${USER_ID}" > identity.pub # create new TREZOR-based GPG public key
|
||||
$ gpg2 --import identity.pub # append it to existing identity
|
||||
$ trezor-gpg create > identity.pub # create new TREZOR-based GPG identity
|
||||
$ gpg2 --import identity.pub # import into local GPG public keyring
|
||||
$ gpg2 --edit "${USER_ID}" trust # OPTIONAL: mark the key as trusted
|
||||
```
|
||||
|
||||
# Create new subkey for an existing GPG identity:
|
||||
```
|
||||
$ gpg2 --list-keys "${USER_ID}" # make sure this identity already exists
|
||||
$ trezor-gpg create --subkey > identity.pub # create new TREZOR-based GPG public key
|
||||
$ gpg2 --import identity.pub # append it to existing identity
|
||||
```
|
||||
|
||||
# Generate signatures using the TREZOR device
|
||||
```
|
||||
$ trezor-gpg sign EXAMPLE > EXAMPLE.sig # confirm signature using the device
|
||||
$ gpg2 --verify EXAMPLE.sig # verify using standard GPG binary
|
||||
$ trezor-gpg sign EXAMPLE # confirm signature using the device
|
||||
$ gpg2 --verify EXAMPLE.asc # verify using standard GPG binary
|
||||
```
|
||||
|
||||
@@ -1,35 +0,0 @@
|
||||
#!/usr/bin/env python
|
||||
"""A simple wrapper for Git commit/tag GPG signing."""
|
||||
import logging
|
||||
import subprocess as sp
|
||||
import sys
|
||||
|
||||
from . import decode, encode
|
||||
|
||||
log = logging.getLogger(__name__)
|
||||
|
||||
|
||||
def main():
|
||||
"""Main function."""
|
||||
logging.basicConfig(level=logging.INFO,
|
||||
format='%(asctime)s %(levelname)-10s %(message)s')
|
||||
|
||||
log.debug('sys.argv: %s', sys.argv)
|
||||
args = sys.argv[1:]
|
||||
if '--verify' in args:
|
||||
return sp.call(['gpg2'] + args)
|
||||
else:
|
||||
command = args[0]
|
||||
user_id = ' '.join(args[1:])
|
||||
assert command == '-bsau' # --detach-sign --sign --armor --local-user
|
||||
pubkey = decode.load_from_gpg(user_id, use_custom=True)
|
||||
s = encode.Signer.from_public_key(user_id=user_id, pubkey=pubkey)
|
||||
|
||||
data = sys.stdin.read()
|
||||
sig = s.sign(data)
|
||||
sig = encode.armor(sig, 'SIGNATURE')
|
||||
sys.stdout.write(sig)
|
||||
s.close()
|
||||
|
||||
if __name__ == '__main__':
|
||||
main()
|
||||
@@ -5,6 +5,7 @@ import logging
|
||||
import subprocess as sp
|
||||
import sys
|
||||
import time
|
||||
import os
|
||||
|
||||
from . import decode, encode
|
||||
|
||||
@@ -13,17 +14,18 @@ log = logging.getLogger(__name__)
|
||||
|
||||
def run_create(args):
|
||||
"""Generate a new pubkey for a new/existing GPG identity."""
|
||||
s = encode.Signer(user_id=args.user_id, created=args.time,
|
||||
user_id = os.environ['TREZOR_GPG_USER_ID']
|
||||
s = encode.Signer(user_id=user_id, created=args.time,
|
||||
curve_name=args.ecdsa_curve)
|
||||
if args.subkey:
|
||||
subkey = s.subkey()
|
||||
primary = sp.check_output(['gpg2', '--export', args.user_id])
|
||||
primary = sp.check_output(['gpg2', '--export', user_id])
|
||||
result = primary + subkey
|
||||
else:
|
||||
result = s.export()
|
||||
s.close()
|
||||
|
||||
return encode.armor(result, 'PUBLIC KEY BLOCK')
|
||||
sys.stdout.write(encode.armor(result, 'PUBLIC KEY BLOCK'))
|
||||
|
||||
|
||||
def run_sign(args):
|
||||
@@ -39,7 +41,19 @@ def run_sign(args):
|
||||
|
||||
sig = encode.armor(sig, 'SIGNATURE')
|
||||
decode.verify(pubkey=pubkey, signature=sig, original_data=data)
|
||||
return sig
|
||||
|
||||
filename = '-' # write to stdout
|
||||
if args.output:
|
||||
filename = args.output
|
||||
elif args.filename:
|
||||
filename = args.filename + '.asc'
|
||||
|
||||
if filename == '-':
|
||||
output = sys.stdout
|
||||
else:
|
||||
output = open(filename, 'wb')
|
||||
|
||||
output.write(sig)
|
||||
|
||||
|
||||
def main():
|
||||
@@ -49,8 +63,6 @@ def main():
|
||||
subparsers = p.add_subparsers()
|
||||
|
||||
create = subparsers.add_parser('create')
|
||||
create.add_argument('user_id', help='e.g. '
|
||||
'"Satoshi Nakamoto <satoshi@nakamoto.bit>"')
|
||||
create.add_argument('-s', '--subkey', action='store_true', default=False)
|
||||
create.add_argument('-e', '--ecdsa-curve', default='nist256p1')
|
||||
create.add_argument('-t', '--time', type=int, default=int(time.time()))
|
||||
@@ -58,13 +70,13 @@ def main():
|
||||
|
||||
sign = subparsers.add_parser('sign')
|
||||
sign.add_argument('filename', nargs='?')
|
||||
sign.add_argument('-o', '--output', default=None)
|
||||
sign.set_defaults(run=run_sign)
|
||||
|
||||
args = p.parse_args()
|
||||
logging.basicConfig(level=logging.DEBUG if args.verbose else logging.INFO,
|
||||
format='%(asctime)s %(levelname)-10s %(message)s')
|
||||
result = args.run(args)
|
||||
sys.stdout.write(result)
|
||||
args.run(args)
|
||||
|
||||
|
||||
if __name__ == '__main__':
|
||||
|
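Review bot: In run_sign the handle from `open(filename, 'wb')` is never closed or flushed, and its binary mode disagrees with the `sys.stdout` branch that receives the same `sig`: whichever type encode.armor returns (str or bytes is not visible here), one of the two write targets fails under Python 3. Restructure the tail as `if filename == '-': sys.stdout.write(sig)` / `else: with open(filename, 'wb') as output: output.write(sig)` (with the mode matching armor's return type), so the file is released and fully written before the process exits. In run_create, `os.environ['TREZOR_GPG_USER_ID']` raises a bare KeyError when the variable is unset; `os.environ.get` followed by an explicit `sys.exit('TREZOR_GPG_USER_ID is not set')` would tell the user what to fix. The README hunk in this commit appears to keep a plain shell variable named `USER_ID`, which is neither exported nor the name the code reads, so the documented workflow would not reach run_create unless changed to `export TREZOR_GPG_USER_ID=...`. run_sign's body starts outside the hunk.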
||||
@@ -3,5 +3,5 @@ if [[ "$*" == *"--verify"* ]]
|
||||
then
|
||||
gpg2 $* # verify using GPG2 (for ECDSA and EdDSA keys)
|
||||
else
|
||||
python -m trezor_agent.gpg.git_wrapper $* # sign using TREZOR
|
||||
trezor-gpg sign -o- # sign using TREZOR and write the signature to stdout
|
||||
fi
|
||||
|
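Review bot: The new `trezor-gpg sign -o-` line drops git's arguments (`$*`) entirely, so the key git passes as `-bsau <signingkey>` (the form the deleted git_wrapper.py asserted on) is ignored and the signature is produced with whatever `TREZOR_GPG_USER_ID` is present in the environment. If the two diverge, the commit or tag is signed by an identity other than the configured `user.signingkey` with no warning, which is easy to miss because verification still succeeds for any trusted key. The wrapper should at least check that the id git supplies matches the configured one before signing, or the README should state that `user.signingkey` is not honoured and that the variable must be set in the environment git itself runs in. The enclosing `if` block starts outside the hunk.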
||||