unofficial mirror of guix-devel@gnu.org 
 help / color / mirror / code / Atom feed
* trezor-agent: using trezor as gpg key
@ 2021-09-03  7:55 Attila Lendvai
  2021-09-03 16:35 ` Danny Milosavljevic
  0 siblings, 1 reply; 3+ messages in thread
From: Attila Lendvai @ 2021-09-03  7:55 UTC (permalink / raw)
  To: guix-devel@gnu.org

[-- Attachment #1: Type: text/plain, Size: 3203 bytes --]

hello,

i'm failing to configure my gnupg to use Trezor (an USB hw key store).

i have installed the trezord-udev-rules system-wide, but the rules refer to the "plugdev" group that is not present on guix. i see that some other packages do this:

(add-after 'autoreconf 'change-udev-group
(lambda _
(substitute* "contrib/60-openocd.rules"
(("plugdev") "dialout"))
#t))

but "dialout", for a trezor?

so, i proceeded to add the plugdev group to my system config. this didn't seem to help, /dev/usb/hiddev0 remained root:root even after a reboot, which is strange.

then i manually chgrp and chmod the file:

$ ls -l /dev/usb/
crw-rw---- 1 root plugdev 180, 0 Sep 3 09:25 hiddev0

$ groups
users plugdev [...]

$ trezor-gpg-agent &
[1] 11223

$ gpg --sign /tmp/x
2021-09-03 09:41:19,129 ERROR Failed to enumerate WebUsbTransport. USBErrorAccess: LIBUSB_ERROR_ACCESS [-3] [__init__.py:126]
2021-09-03 09:41:19,132 ERROR handler failed: Trezor not connected [__init__.py:273]
Traceback (most recent call last):
File "/gnu/store/iy5xgmn2hdcnnl2d0n9zv15y2di7hl7n-python-trezor-agent-0.13.1/lib/python3.8/site-packages/libagent/gpg/__init__.py", line 265, in run_agent
handler.handle(conn)
File "/gnu/store/iy5xgmn2hdcnnl2d0n9zv15y2di7hl7n-python-trezor-agent-0.13.1/lib/python3.8/site-packages/libagent/gpg/agent.py", line 242, in handle
handler(conn, args)
File "/gnu/store/iy5xgmn2hdcnnl2d0n9zv15y2di7hl7n-python-trezor-agent-0.13.1/lib/python3.8/site-packages/libagent/gpg/agent.py", line 102, in <lambda>
b'HAVEKEY': lambda _, args: self.have_key(*args),
File "/gnu/store/iy5xgmn2hdcnnl2d0n9zv15y2di7hl7n-python-trezor-agent-0.13.1/lib/python3.8/site-packages/libagent/gpg/agent.py", line 205, in have_key
self.get_identity(keygrip=keygrip)
File "/gnu/store/iy5xgmn2hdcnnl2d0n9zv15y2di7hl7n-python-trezor-agent-0.13.1/lib/python3.8/site-packages/libagent/util.py", line 230, in wrapper
result = method(self, *args, **kwargs)
File "/gnu/store/iy5xgmn2hdcnnl2d0n9zv15y2di7hl7n-python-trezor-agent-0.13.1/lib/python3.8/site-packages/libagent/gpg/agent.py", line 170, in get_identity
verifying_key = self.client.pubkey(identity=identity, ecdh=ecdh)
File "/gnu/store/iy5xgmn2hdcnnl2d0n9zv15y2di7hl7n-python-trezor-agent-0.13.1/lib/python3.8/site-packages/libagent/gpg/client.py", line 27, in pubkey
with self.device:
File "/gnu/store/iy5xgmn2hdcnnl2d0n9zv15y2di7hl7n-python-trezor-agent-0.13.1/lib/python3.8/site-packages/libagent/device/interface.py", line 126, in __enter__
self.conn = self.connect()
File "/gnu/store/iy5xgmn2hdcnnl2d0n9zv15y2di7hl7n-python-trezor-agent-0.13.1/lib/python3.8/site-packages/libagent/device/trezor.py", line 51, in connect
raise interface.NotFoundError('{} not connected'.format(self))
libagent.device.interface.NotFoundError: Trezor not connected
gpg: Warning: not using 'Attila Lendvai <attila@lendvai.name>' as default key: No secret key
gpg: all values passed to '--default-key' ignored
gpg: keydb_search failed: Broken pipe
gpg: no default secret key: Broken pipe
gpg: signing failed: Broken pipe

how can i see/debug here which file has the wrong permissions? the python backtrace is not very useful without printing the variable values.

- attila
PGP: 5D5F 45C7 DFCD 0A39

[-- Attachment #2: Type: text/html, Size: 5404 bytes --]

^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: trezor-agent: using trezor as gpg key
  2021-09-03  7:55 trezor-agent: using trezor as gpg key Attila Lendvai
@ 2021-09-03 16:35 ` Danny Milosavljevic
  2021-09-06 10:12   ` Attila Lendvai
  0 siblings, 1 reply; 3+ messages in thread
From: Danny Milosavljevic @ 2021-09-03 16:35 UTC (permalink / raw)
  To: Attila Lendvai; +Cc: guix-devel@gnu.org

Hi,

On Fri, 03 Sep 2021 07:55:19 +0000
Attila Lendvai <attila@lendvai.name> wrote:

> i'm failing to configure my gnupg to use Trezor (an USB hw key store).
> $ ls -l /dev/usb/
[...]
> crw-rw---- 1 root plugdev 180, 0 Sep 3 09:25 hiddev0
> 
> $ groups
> users plugdev [...]
> 
> $ trezor-gpg-agent &
> [1] 11223
> 
> $ gpg --sign /tmp/x
> 2021-09-03 09:41:19,129 ERROR Failed to enumerate WebUsbTransport. USBErrorAccess: LIBUSB_ERROR_ACCESS [-3] [__init__.py:126]
> 2021-09-03 09:41:19,132 ERROR handler failed: Trezor not connected [__init__.py:273]
[...]
> libagent.device.interface.NotFoundError: Trezor not connected
> gpg: Warning: not using 'Attila Lendvai <attila@lendvai.name>' as default key: No secret key
> gpg: all values passed to '--default-key' ignored
> gpg: keydb_search failed: Broken pipe
> gpg: no default secret key: Broken pipe
> gpg: signing failed: Broken pipe
> 
> how can i see/debug here which file has the wrong permissions? the python backtrace is not very useful without printing the variable values.

You can

 strace -f gpg --sign /tmp/x 2>&1 |grep /dev

but I suspect that that won't show anything interesting because it's actually trezor-gpg-agent doing the access.

Maybe

   strace -f trezor-gpg-agent 2>&1 |grep /dev

?

In any case, since I did pretty much the same with a Ledger Nano, check the permissions of /dev/hidraw*.  After fixing the permissions to the latter file, it works fine as a regular user.

See also https://github.com/LedgerHQ/udev-rules/pull/8 for how to make the change permanent.

Even then, it only works fine once one logs out and back in, and at the time of login have the usb device already be connected.  I think that's a bug in our elogind (sigh).


^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: trezor-agent: using trezor as gpg key
  2021-09-03 16:35 ` Danny Milosavljevic
@ 2021-09-06 10:12   ` Attila Lendvai
  0 siblings, 0 replies; 3+ messages in thread
From: Attila Lendvai @ 2021-09-06 10:12 UTC (permalink / raw)
  To: Danny Milosavljevic; +Cc: guix-devel@gnu.org

> strace -f trezor-gpg-agent 2>&1 |grep /dev

this helped a lot, thank you!

trezor-gpg-agent tries to open /dev/bus/usb/001/010, and a whole bunch
of files and dirs under /sys/bus/usb/devices/, i.e. it did *not* touch
/dev/hidraw0 nor /dev/usb/hiddev0.

the latter of which is not even covered by the trezor udev rules:

https://github.com/trezor/trezor-firmware/blob/master/common/udev/51-trezor.rules


> Even then, it only works fine once one logs out and back in, and at
> the time of login have the usb device already be connected. I think
> that's a bug in our elogind (sigh).


luckily this seems to work fine for trezor. i have rebooted with it
being unplugged, then plugged it in, and the group of the relevant
files under /dev/ were properly `plugdev`.

FTR, i didn't have my udev rules set up properly. i wrongly assumed
that it's enough to just install the trezord-udev-rules package, but
it's not.

the proper config was:

- install trezord-udev-rules system-wide

- add `plugdev` to your user's supplementary-groups

- append this to your services: (udev-rules-service 'trezor trezord-udev-rules #:groups '("plugdev"))

now, moving on to updating the trezor packages.

- attila
PGP: 5D5F 45C7 DFCD 0A39



^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2021-09-06 10:13 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-09-03  7:55 trezor-agent: using trezor as gpg key Attila Lendvai
2021-09-03 16:35 ` Danny Milosavljevic
2021-09-06 10:12   ` Attila Lendvai

Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/guix.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).