From f1e75783c4d893bade132866b06395b00ff74912 Mon Sep 17 00:00:00 2001
From: Roman Zeyde
Date: Sat, 7 May 2016 09:41:58 +0300
Subject: [PATCH] gpg: use environment variable for user_id

---
 trezor_agent/gpg/README.md | 26 ++++++++--------
 trezor_agent/gpg/git_wrapper.py | 35 ----------------------
 trezor_agent/gpg/signer.py | 28 ++++++++++++-----
 trezor_agent/gpg/trezor-git-gpg-wrapper.sh | 2 +-
 4 files changed, 35 insertions(+), 56 deletions(-)
 delete mode 100755 trezor_agent/gpg/git_wrapper.py

diff --git a/trezor_agent/gpg/README.md b/trezor_agent/gpg/README.md
index 8add8d4..44fc300 100644
--- a/trezor_agent/gpg/README.md
+++ b/trezor_agent/gpg/README.md
@@ -1,22 +1,24 @@
-# Generate new stand-alone GPG identity
-
+# Generate new GPG signing key:
 ```
 $ USER_ID="Satoshi Nakamoto "
-$ trezor-gpg create "${USER_ID}" > identity.pub  # create new TREZOR-based GPG identity
-$ gpg2 --import identity.pub  # import into local GPG public keyring
-$ gpg2 --edit "${USER_ID}" trust  # OPTIONAL: mark the key as trusted
 ```
 
-# Generate new subkey for existing GPG identity
+## Create new GPG identity:
 ```
-$ USER_ID="Satoshi Nakamoto "
-$ gpg2 --list-keys "${USER_ID}"  # make sure this identity already exists
-$ trezor-gpg create --subkey "${USER_ID}" > identity.pub  # create new TREZOR-based GPG public key
-$ gpg2 --import identity.pub  # append it to existing identity
+$ trezor-gpg create > identity.pub  # create new TREZOR-based GPG identity
+$ gpg2 --import identity.pub  # import into local GPG public keyring
+$ gpg2 --edit "${USER_ID}" trust  # OPTIONAL: mark the key as trusted
+```
+
+# Create new subkey for an existing GPG identity:
+```
+$ gpg2 --list-keys "${USER_ID}"  # make sure this identity already exists
+$ trezor-gpg create --subkey > identity.pub  # create new TREZOR-based GPG public key
+$ gpg2 --import identity.pub  # append it to existing identity
 ```
 
 # Generate signatures using the TREZOR device
 ```
-$ trezor-gpg sign EXAMPLE > EXAMPLE.sig  # confirm signature using the device
-$ gpg2 --verify EXAMPLE.sig  # verify using standard GPG binary
+$ trezor-gpg sign EXAMPLE  # confirm signature using the device
+$ gpg2 --verify EXAMPLE.asc  # verify using standard GPG binary
 ```
diff --git a/trezor_agent/gpg/git_wrapper.py b/trezor_agent/gpg/git_wrapper.py
deleted file mode 100755
index 09e1a09..0000000
--- a/trezor_agent/gpg/git_wrapper.py
+++ /dev/null
@@ -1,35 +0,0 @@
-#!/usr/bin/env python
-"""A simple wrapper for Git commit/tag GPG signing."""
-import logging
-import subprocess as sp
-import sys
-
-from . import decode, encode
-
-log = logging.getLogger(__name__)
-
-
-def main():
-    """Main function."""
-    logging.basicConfig(level=logging.INFO,
-                        format='%(asctime)s %(levelname)-10s %(message)s')
-
-    log.debug('sys.argv: %s', sys.argv)
-    args = sys.argv[1:]
-    if '--verify' in args:
-        return sp.call(['gpg2'] + args)
-    else:
-        command = args[0]
-        user_id = ' '.join(args[1:])
-        assert command == '-bsau'  # --detach-sign --sign --armor --local-user
-        pubkey = decode.load_from_gpg(user_id, use_custom=True)
-        s = encode.Signer.from_public_key(user_id=user_id, pubkey=pubkey)
-
-        data = sys.stdin.read()
-        sig = s.sign(data)
-        sig = encode.armor(sig, 'SIGNATURE')
-        sys.stdout.write(sig)
-        s.close()
-
-if __name__ == '__main__':
-    main()
diff --git a/trezor_agent/gpg/signer.py b/trezor_agent/gpg/signer.py
index b8c6014..237d592 100755
--- a/trezor_agent/gpg/signer.py
+++ b/trezor_agent/gpg/signer.py
@@ -5,6 +5,7 @@ import logging
 import subprocess as sp
 import sys
 import time
+import os
 
 from . import decode, encode
 
@@ -13,17 +14,18 @@ log = logging.getLogger(__name__)
 
 def run_create(args):
     """Generate a new pubkey for a new/existing GPG identity."""
-    s = encode.Signer(user_id=args.user_id, created=args.time,
+    user_id = os.environ['TREZOR_GPG_USER_ID']
+    s = encode.Signer(user_id=user_id, created=args.time,
                       curve_name=args.ecdsa_curve)
     if args.subkey:
         subkey = s.subkey()
-        primary = sp.check_output(['gpg2', '--export', args.user_id])
+        primary = sp.check_output(['gpg2', '--export', user_id])
         result = primary + subkey
     else:
         result = s.export()
     s.close()
-    return encode.armor(result, 'PUBLIC KEY BLOCK')
+    sys.stdout.write(encode.armor(result, 'PUBLIC KEY BLOCK'))
 
 
 def run_sign(args):
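Review bot: `user_id = os.environ['TREZOR_GPG_USER_ID']` in run_create turns a missing variable into a bare KeyError traceback, and the README changed in this same commit only assigns a shell variable `USER_ID` and never exports `TREZOR_GPG_USER_ID`, so a user following it hits exactly that failure. Read the variable with an explicit check that exits with a readable message: `user_id = os.environ.get('TREZOR_GPG_USER_ID')` / `if not user_id:` / `sys.exit('TREZOR_GPG_USER_ID must be set to the GPG user ID of the key')`. The value is handed to `sp.check_output(['gpg2', '--export', user_id])` as a list element, so there is no shell injection, but without the emptiness check an empty string is passed straight through to `gpg2 --export` instead of being rejected. The same environment lookup will presumably be needed in run_sign, whose body lies outside this hunk.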
@@ -39,7 +41,19 @@ def run_sign(args):
 
     sig = encode.armor(sig, 'SIGNATURE')
     decode.verify(pubkey=pubkey, signature=sig, original_data=data)
-    return sig
+
+    filename = '-'  # write to stdout
+    if args.output:
+        filename = args.output
+    elif args.filename:
+        filename = args.filename + '.asc'
+
+    if filename == '-':
+        output = sys.stdout
+    else:
+        output = open(filename, 'wb')
+
+    output.write(sig)
 
 
 def main():
@@ -49,8 +63,6 @@ def main():
     subparsers = p.add_subparsers()
 
     create = subparsers.add_parser('create')
-    create.add_argument('user_id', help='e.g. '
-                        '"Satoshi Nakamoto "')
     create.add_argument('-s', '--subkey', action='store_true', default=False)
     create.add_argument('-e', '--ecdsa-curve', default='nist256p1')
     create.add_argument('-t', '--time', type=int, default=int(time.time()))
@@ -58,13 +70,13 @@ def main():
 
     sign = subparsers.add_parser('sign')
     sign.add_argument('filename', nargs='?')
+    sign.add_argument('-o', '--output', default=None)
     sign.set_defaults(run=run_sign)
 
     args = p.parse_args()
     logging.basicConfig(level=logging.DEBUG if args.verbose else logging.INFO,
                         format='%(asctime)s %(levelname)-10s %(message)s')
-    result = args.run(args)
-    sys.stdout.write(result)
+    args.run(args)
 
 
 if __name__ == '__main__':
diff --git a/trezor_agent/gpg/trezor-git-gpg-wrapper.sh b/trezor_agent/gpg/trezor-git-gpg-wrapper.sh
index 04a8807..c65bbe9 100755
--- a/trezor_agent/gpg/trezor-git-gpg-wrapper.sh
+++ b/trezor_agent/gpg/trezor-git-gpg-wrapper.sh
@@ -3,5 +3,5 @@ if [[ "$*" == *"--verify"* ]]
 then
     gpg2 $*  # verify using GPG2 (for ECDSA and EdDSA keys)
 else
-    python -m trezor_agent.gpg.git_wrapper $*  # sign using TREZOR
+    trezor-gpg sign -o-  # sign using TREZOR and write the signature to stdout
 fi
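Review bot: `output = open(filename, 'wb')` in run_sign is never closed or flushed, and the two branches disagree on the type they write: `sys.stdout.write(sig)` treats `sig` as text while the file is opened in binary mode, so on Python 3 one of the branches will raise TypeError depending on what `encode.armor` returns (not visible here). Write the stdout case directly inside the `if filename == '-':` branch and give the file a context manager in the `else`: `with open(filename, 'wb') as output:` / `    output.write(sig)`, choosing the mode that matches armor's return type. Note also that `'wb'` silently truncates an existing `FILENAME.asc`; an `'xb'`-style exclusive open or a warning would protect an earlier signature. run_sign begins outside this hunk.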
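Review bot: Removing the positional `user_id` argument leaves the `create` subparser with no mention of where the user ID now comes from, so `trezor-gpg create --help` gives no hint that `TREZOR_GPG_USER_ID` must be exported. Document the requirement on the subparser itself, e.g. `create = subparsers.add_parser('create', description='Reads the key owner from the TREZOR_GPG_USER_ID environment variable')`, or accept an optional `--user-id` whose default is `os.environ.get('TREZOR_GPG_USER_ID')` so the CLI remains self-describing.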
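Review bot: `sign.add_argument('-o', '--output', default=None)` carries no `help` or `metavar`, so the `-o-` stdout convention that the shell wrapper relies on and the `FILENAME.asc` default are discoverable only by reading run_sign. Suggest `sign.add_argument('-o', '--output', default=None, metavar='FILE', help='signature output path ("-" for stdout; default: FILENAME.asc, or stdout when signing stdin)')`.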
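Review bot: The new `trezor-gpg sign -o-` line discards the arguments git passes (the deleted git_wrapper.py asserted they were `-bsau <key>`) and relies instead on `TREZOR_GPG_USER_ID` being exported in git's environment; when it is not, trezor-gpg dies with a Python traceback and git only reports that signing failed. Guard the variable before the call so the failure is explicit: `: "${TREZOR_GPG_USER_ID:?must be set to the GPG user ID of the TREZOR key}"`. The unquoted `gpg2 $*` on the verify path is subject to word splitting, but that line is unchanged context rather than part of this change.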