Merge upstream romanz/trezor-agent updates

.bumpversion.cfg

@@ -1,6 +1,7 @@
 [bumpversion]
 commit = True
 tag = True
-current_version = 0.14.7
+current_version = 0.15.0
+sign_tags = True
 
 [bumpversion:file:setup.py]

.github/workflows/ci.yml

@@ -1,19 +1,23 @@
 name: Build
 
-on: [push]
+on: [push, pull_request]
+
+concurrency:
+  group: ci-${{github.actor}}-${{github.head_ref || github.run_number}}-${{github.ref}}
+  cancel-in-progress: true
 
 jobs:
   build:
 
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        python-version: ['3.7', '3.8', '3.9', '3.10', '3.11']
+        python-version: ['3.8', '3.9', '3.10', '3.11', '3.12', '3.13']
 
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v4
       - name: Set up Python ${{ matrix.python-version }}
-        uses: actions/setup-python@v2
+        uses: actions/setup-python@v4
         with:
           python-version: ${{ matrix.python-version }}
       - name: Install dependencies

README.md

@@ -12,9 +12,8 @@ See the following blog posts about this tool:
 - [TREZOR Firmware 1.3.4 enables SSH login](https://medium.com/@satoshilabs/trezor-firmware-1-3-4-enables-ssh-login-86a622d7e609)
 - [TREZOR Firmware 1.3.6 — GPG Signing, SSH Login Updates and Advanced Transaction Features for Segwit](https://medium.com/@satoshilabs/trezor-firmware-1-3-6-20a7df6e692)
 - [TREZOR Firmware 1.4.0 — GPG decryption support](https://www.reddit.com/r/TREZOR/comments/50h8r9/new_trezor_firmware_fidou2f_and_initial_ethereum/d7420q7/)
-- [A Step by Step Guide to Securing your SSH Keys with the Ledger Nano S](https://thoughts.t37.net/a-step-by-step-guide-to-securing-your-ssh-keys-with-the-ledger-nano-s-92e58c64a005)
 
-Currently [TREZOR One](https://trezor.io/), [TREZOR Model T](https://trezor.io/), [Keepkey](https://www.keepkey.com/), [Ledger Nano S](https://www.ledgerwallet.com/products/ledger-nano-s), and [OnlyKey](https://onlykey.io) are supported.
+Currently [TREZOR One](https://trezor.io/), [TREZOR Model T](https://trezor.io/), [Blockstream Jade](https://blockstream.com/jade/) and [OnlyKey](https://onlykey.io) are supported.
 
 ## Components
 
@@ -23,20 +22,14 @@ agents to interact with several different hardware devices:
 
 * [`libagent`](https://pypi.org/project/libagent/): shared library
 * [`trezor-agent`](https://pypi.org/project/trezor-agent/): Using Trezor as hardware-based SSH/PGP/age agent
-* [`ledger_agent`](https://pypi.org/project/ledger_agent/): Using Ledger as hardware-based SSH/PGP agent
-* [`jade_agent`](https://pypi.org/project/jade_agent/): Using Blockstream Jade as hardware-based SSH/PGP agent
-* [`keepkey_agent`](https://pypi.org/project/keepkey_agent/): Using KeepKey as hardware-based SSH/PGP agent
+* [`jade_agent`](https://github.com/Blockstream/Jade/): Using Blockstream Jade as hardware-based SSH/PGP agent
 * [`onlykey-agent`](https://pypi.org/project/onlykey-agent/): Using OnlyKey as hardware-based SSH/PGP agent
 
-
-The [/releases](/releases) page on Github contains the `libagent`
-releases.
-
 ## Documentation
 
 * **Installation** instructions are [here](doc/INSTALL.md)
 * **SSH** instructions and common use cases are [here](doc/README-SSH.md)
-
 * **GPG** instructions and common use cases are [here](doc/README-GPG.md)
 * **age** instructions and common use cases are [here](doc/README-age.md)
 * Instructions to configure a Trezor-style **PIN entry** program are [here](doc/README-PINENTRY.md)
+* Instructions for using the tools on Windows are [here](doc/README-Windows.md)

agents/fake/setup.py

@@ -7,10 +7,11 @@
 setup(
     name='fake_device_agent',
     version='0.9.0',
-    description='Testing trezor_agent with a fake device - NOT SAFE!!!',
+    description='Testing SSH/GPG agent with a fake device - NOT SAFE!!!',
     author='Roman Zeyde',
-    author_email='roman.zeyde@gmail.com',
+    author_email='dev@romanzey.de',
     url='http://github.com/romanz/trezor-agent',
+    python_requires='>=3.8',
     scripts=['fake_device_agent.py'],
     install_requires=[
         'libagent>=0.9.0',

agents/jade/setup.py

@@ -8,6 +8,7 @@
     author='Jamie C. Driver',
     author_email='jamie@blockstream.com',
     url='http://github.com/romanz/trezor-agent',
+    python_requires='>=3.8',
     scripts=['jade_agent.py'],
     install_requires=[
         'libagent>=0.14.5',

agents/onlykey/setup.py

@@ -8,6 +8,7 @@
     author='CryptoTrust',
     author_email='admin@crp.to',
     url='http://github.com/trustcrypto/onlykey-agent',
+    python_requires='>=3.8',
     scripts=['onlykey_agent.py'],
     install_requires=[
         'lib-agent>=1.0.6',

agents/trezor/setup.py

@@ -3,15 +3,16 @@
 
 setup(
     name='trezor_agent',
-    version='0.12.0',
+    version='0.13.0',
     description='Using Trezor as hardware SSH/GPG agent',
     author='Roman Zeyde',
-    author_email='roman.zeyde@gmail.com',
+    author_email='dev@romanzey.de',
     url='http://github.com/romanz/trezor-agent',
+    python_requires='>=3.8',
     scripts=['trezor_agent.py'],
     install_requires=[
-        'libagent>=0.14.0',
-        'trezor[hidapi]>=0.13'
+        'libagent>=0.16.0',
+        'trezor[hidapi]>=0.20'
     ],
     platforms=['POSIX'],
     classifiers=[

doc/DESIGN.md

@@ -6,7 +6,7 @@ SSH and GPG do this by means of a simple interprocess communication protocol (us
 
 These two agents make the connection between the front end (e.g. a `gpg --sign` command, or an `ssh user@fqdn`). And then they wait for a request from the 'front end', and then do the actual asking for a password and subsequent using the private key to sign or decrypt something.
 
-The various hardware wallets (Trezor, KeepKey, Ledger and Jade) each have the ability (as of Firmware 1.3.4) to use the NIST P-256 elliptic curve to sign, encrypt or decrypt. This curve can be used with S/MIME, GPG and SSH.
+The various hardware wallets have the ability to use the NIST P-256 elliptic curve to sign, encrypt or decrypt. This curve can be used with S/MIME, GPG and SSH.
 
 So when you `ssh` to a machine - rather than consult the normal ssh-agent (which in turn will use your private SSH key in files such as `~/.ssh/id_rsa`) -- the trezor-agent will aks your hardware wallet to use its private key to sign the challenge.
 
@@ -38,8 +38,6 @@ The `trezor-agent` then instructs SSH to connect to the server. It will then eng
 
 GPG uses much the same approach as SSH, except in this case it relies on [SLIP-0017 : ECDH using deterministic hierarchy][3] for the mapping to an ECDH key and it maps these to the normal GPG child key infrastructure.
 
-Note: Keepkey does not support en-/de-cryption at this time.
-
 ### Index
 
 The canonicalisation process ([SLIP-0013][2] and [SLIP-0017][3]) of an email address or ssh address allows for the mixing in of an extra 'index' - a unsigned 32 bit number. This allows one to have multiple, different keys, for the same address.

doc/INSTALL.md

@@ -63,11 +63,10 @@ gpg (GnuPG) 2.1.15
 
 2. Make sure that your `udev` rules are configured [correctly](https://wiki.trezor.io/Udev_rules).
 
-3. Then, install the latest [trezor_agent](https://pypi.python.org/pypi/trezor_agent) package:
+3. Then, install the latest [trezor-agent](https://pypi.python.org/pypi/trezor-agent) package:
 
     ```
-    $ pip3 install Cython hidapi
-    $ pip3 install trezor_agent
+    $ pip3 install trezor-agent
     ```
 
     Or, directly from the latest source code:
@@ -84,54 +83,7 @@ gpg (GnuPG) 2.1.15
     $ brew install trezor-agent
     ```
 
-# 3. Install the KeepKey agent
-
-1. Make sure you are running the latest firmware version on your KeepKey:
-
- * [KeepKey firmware releases](https://github.com/keepkey/keepkey-firmware/releases): `3.0.17+`
-
-2. Make sure that your `udev` rules are configured [correctly](https://support.keepkey.com/support/solutions/articles/6000037796-keepkey-wallet-is-not-being-recognized-by-linux).
-Then, install the latest [keepkey_agent](https://pypi.python.org/pypi/keepkey_agent) package:
-
-    ```
-    $ pip3 install keepkey_agent
-    ```
-
-    Or, on Mac using Homebrew:
-
-    ```
-    $ homebrew install keepkey-agent
-    ```
-
-    Or, directly from the latest source code:
-
-    ```
-    $ git clone https://github.com/romanz/trezor-agent
-    $ pip3 install --user -e trezor-agent/agents/keepkey
-    ```
-
-# 4. Install the Ledger Nano S agent
-
-1. Make sure you are running the latest firmware version on your Ledger Nano S:
-
- * [Ledger Nano S firmware releases](https://github.com/LedgerHQ/blue-app-ssh-agent): `0.0.3+` (install [SSH/PGP Agent](https://www.ledgerwallet.com/images/apps/chrome-mngr-apps.png) app)
-
-2. Make sure that your `udev` rules are configured [correctly](https://ledger.zendesk.com/hc/en-us/articles/115005165269-What-if-Ledger-Wallet-is-not-recognized-on-Linux-).
-3. Then, install the latest [ledger_agent](https://pypi.python.org/pypi/ledger_agent) package:
-
-    ```
-    $ pip3 install ledger_agent
-    ```
-
-    Or, directly from the latest source code:
-
-    ```
-    $ git clone https://github.com/romanz/trezor-agent
-    $ pip3 install --user -e trezor-agent
-    $ pip3 install --user -e trezor-agent/agents/ledger
-    ```
-
-# 5. Install the OnlyKey agent
+# 3. Install the OnlyKey agent
 
 1. Make sure you are running the latest firmware version on your OnlyKey:
 
@@ -152,7 +104,7 @@ Then, install the latest [keepkey_agent](https://pypi.python.org/pypi/keepkey_ag
     $ pip3 install --user -e trezor-agent/agents/onlykey
     ```
 
-# 6. Install the Blockstream Jade agent
+# 4. Install the Blockstream Jade agent
 
 1. Make sure you are running the latest firmware version on your Blockstream Jade:
 
@@ -176,7 +128,7 @@ Then, install the latest [keepkey_agent](https://pypi.python.org/pypi/keepkey_ag
     $ pip3 install --user -e trezor-agent/agents/jade
     ```
 
-# 7. Installation Troubleshooting
+# 5. Installation Troubleshooting
 
 If there is an import problem with the installed `protobuf` package,
 see [this issue](https://github.com/romanz/trezor-agent/issues/28) for fixing it.

doc/README-GPG.md

@@ -5,7 +5,7 @@ and please let me [know](https://github.com/romanz/trezor-agent/issues/new) if s
 work well for you. If possible:
 
  * record the session (e.g. using [asciinema](https://asciinema.org))
- * attach the GPG agent log from `~/.gnupg/{trezor,ledger,jade}/gpg-agent.log` (can be [encrypted](https://keybase.io/romanz))
+ * attach the GPG agent log from `~/.gnupg/trezor/gpg-agent.log` (can be [encrypted](https://keybase.io/romanz))
 
 Thanks!
 
@@ -18,14 +18,14 @@ Thanks!
     Run
 
     ```
-    $ (trezor|keepkey|ledger|jade|onlykey)-gpg init "Roman Zeyde <roman.zeyde@gmail.com>"
+    $ trezor-gpg init "Roman Zeyde <roman.zeyde@gmail.com>"
     ```
 
     Follow the instructions provided to complete the setup.  Keep note of the timestamp value which you'll need if you want to regenerate the key later.
 
     If you'd like a Trezor-style PIN entry program, follow [these instructions](README-PINENTRY.md).
 
-2. Add `export GNUPGHOME=~/.gnupg/(trezor|keepkey|ledger|jade|onlykey)` to your `.bashrc` or other environment file.
+2. Add `export GNUPGHOME=~/.gnupg/trezor` to your `.bashrc` or other environment file.
 
     This `GNUPGHOME` contains your hardware keyring and agent settings.  This agent software assumes all keys are backed by hardware devices so you can't use standard GPG keys in `GNUPGHOME` (if you do mix keys you'll receive an error when you attempt to use them).
 
@@ -203,8 +203,6 @@ Follow [these instructions](enigmail.md) to set up Enigmail in Thunderbird.
 
 ##### 1. Create these files in `~/.config/systemd/user`
 
-Replace `trezor` with `keepkey` or `ledger` or `jade` or `onlykey` as required.
-
 ###### `trezor-gpg-agent.service`
 
 ````

doc/README-PINENTRY.md

@@ -45,7 +45,7 @@ to the `[Service]` section to tell the PIN entry program how to connect to the X
 If you haven't completed initialization yet, run:
 
 ```
-$ (trezor|keepkey|ledger)-gpg init --pin-entry-binary trezor-gpg-pinentry-tk "Roman Zeyde <roman.zeyde@gmail.com>"
+$ trezor-gpg init --pin-entry-binary trezor-gpg-pinentry-tk "Roman Zeyde <roman.zeyde@gmail.com>"
 ```
 
 to configure the PIN entry at the same time.