issues with using trezor gpg subkey #340

Open
drbeefsupreme opened this issue Dec 11, 2020 · 0 comments

drbeefsupreme commented Dec 11, 2020

Hi,

First, thank you for your excellent work on this project. I'm hoping I can assist with improving the subkey functionality.

I have been having a lot of trouble getting the subkey functionality to work with my Trezor Model T. First the context:

- Trezor Model T running firmware 2.3.0
- latest udev rules copied from trezor.io
- trezor-agent installed via pip3
- running Debian Stable with only the packages needed to run trezorctl, trezor-agent, gpg, and gpg2.

I am experiencing the same problems on my Debian workstation, but I made a special Debian Live USB just for working with PGP which I can share with you if you would find it helpful.

I am experiencing two main errors. One of them only seems to occur after the first one has happened at least once and I have more trouble reproducing, so let's start with the first one.

This error arises in the following circumstances: either when generating a PGP subkey for the first time, or after importing a keychain with a working PGP Trezor subkey and then trying to run trezor-gpg init "soandso" --subkey again:

$ trezor-gpg init "Jonathan" --subkey --time=1607663696
2020-12-11 19:51:21,366 WARNING      This GPG tool is still in EXPERIMENTAL mode, so please note that the API and features may change without backwards compatibility! [__init__.py:118]
2020-12-11 19:51:21,376 WARNING      NOTE: in order to re-generate the exact same GPG key later, run this command with "--time=1607663696" commandline flag (to set the timestamp of the GPG key manually). [__init__.py:35]
Traceback (most recent call last):
  File "/home/user/.local/bin/trezor-gpg", line 10, in <module>
    sys.exit(gpg_tool())
  File "/home/user/.local/bin/trezor_agent.py", line 6, in <lambda>
    gpg_tool = lambda: libagent.gpg.main(DeviceType)
  File "/home/user/.local/lib/python3.7/site-packages/libagent/gpg/__init__.py", line 320, in main
    return args.func(device_type=device_type, args=args)
  File "/home/user/.local/lib/python3.7/site-packages/libagent/gpg/__init__.py", line 182, in run_init
    export_public_key(device_type, args))
  File "/home/user/.local/lib/python3.7/site-packages/libagent/gpg/__init__.py", line 57, in export_public_key
    signer_func=signer_func)
  File "/home/user/.local/lib/python3.7/site-packages/libagent/gpg/encode.py", line 101, in create_subkey
    unhashed_subpackets=unhashed_subpackets)
  File "/home/user/.local/lib/python3.7/site-packages/libagent/gpg/protocol.py", line 271, in make_signature
    params = signer_func(digest=digest)
  File "/home/user/.local/lib/python3.7/site-packages/libagent/gpg/keyring.py", line 257, in sign
    return sign_digest(sock=sock, keygrip=keygrip, digest=digest)
  File "/home/user/.local/lib/python3.7/site-packages/libagent/gpg/keyring.py", line 182, in sign_digest
    raise ValueError(prefix)
ValueError: b'ERR'

I haven't figured out exactly what makes creating the subkey work sometimes - but after many, many attempts, the main pattern I've noticed is that it usually seems to succeed with a fresh .gnupg folder, a short name, and a short password with no special characters (though I don't imagine the last two factors should really matter, it's just the trend I've noticed). I've also never succeeded in making a subkey without using the --time argument to set it to be after the master key was created.

Regardless, once the subkey is created I have never been able to use it successfully. Perhaps I am not importing it correctly, but in the error message I shared above, as well as in this video (https://asciinema.org/a/tMaOhI6sBJP9dV4seTDaYTwCq), what I have done is:

export GNUPGHOME=
gpg --import master-key_private.asc
gpg --import master-key_public.asc
trezor-gpg init "Jonathan" --subkey --time=....

where Jonathan is the name on the primary uid of the master key.

If instead I try to set GNUPGHOME to .gnupg/trezor, then import the keychain, then run trezor-gpg init, I get an error saying that .gnupg/trezor already exists, which I believe is intended behavior.

Lastly, here is how I've attempted to encrypt/decrypt with a subkey. In this context, the trezor is the only encryption subkey:

export GNUPGHOME=~/.gnupg/trezor
gpg --import master-key_private.asc
gpg --import master-key_public.asc
gpg --import trezor-key_public.asc
gpg --import trezor-key_private-stub.asc
date | gpg2 --encrypt -r "Jonathan" | gpg2 --decrypt

Here, I am simply told that the secret key was not found.

Any pointers are appreciated!
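The workflow in the post (import the master key pair, run trezor-gpg init --subkey, then encrypt to the subkey and decrypt) ends with gpg reporting that the secret key was not found. Before debugging the agent side, a practitioner would first check what gpg itself believes about the keyring: whether an encryption-capable subkey is present at all, whether its secret part is only a stub that some agent must serve, and which keygrip the agent will be asked for. The script below is an added example, not code from the issue or from the trezor-agent project. It parses the machine-readable output of `gpg --batch --with-colons --with-keygrip --list-secret-keys` (record layout as documented in GnuPG's doc/DETAILS) and reports those properties per secret (sub)key. The embedded listing is constructed: the key IDs, fingerprints, keygrips and user ID are placeholders, and the `#` marker on the subkey assumes the Trezor stub is listed the way gpg lists a GNU-dummy secret-key stub. The creation-time check mirrors the poster's observation that subkey creation only succeeded with --time set later than the master key; it is a heuristic from the issue, not a documented gpg rule.

```python
"""Report what gpg believes about a keyring that should hold a hardware-backed
encryption subkey.

Added example, not from the issue or from trezor-agent. Parses the output of
    gpg --batch --with-colons --with-keygrip --list-secret-keys
(record format from GnuPG's doc/DETAILS). SAMPLE_LISTING is constructed:
key IDs, fingerprints, keygrips and the user ID are placeholders, and the '#'
token marker on the subkey assumes the Trezor stub is listed like a GNU-dummy
secret-key stub.
"""
import subprocess
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: one primary (secret present, '+') and one ECDH subkey
# whose secret part is a stub ('#'). Field positions follow doc/DETAILS.
SAMPLE_LISTING = """\
sec:u:255:22:1111111111111111:1607600000:::u:::scESC:::+::ed25519:23::0:
fpr:::::::::1111111111111111111111111111111111111111:
grp:::::::::AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:
uid:u::::1607600000::0000000000000000000000000000000000000000::Jonathan <jonathan@example.org>::::::::::0:
ssb:u:255:18:2222222222222222:1607663696::::::e:::#::cv25519:23:::
fpr:::::::::2222222222222222222222222222222222222222:
grp:::::::::BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB:
"""


@dataclass
class SecretKey:
    record: str        # "sec" (primary) or "ssb" (subkey)
    keyid: str         # field 5
    algo: int          # field 4, OpenPGP public-key algorithm id
    created: int       # field 6, creation time as epoch seconds
    caps: str          # field 12; lowercase letters are this key's own capabilities
    token: str         # field 15: '#' = stub only, '+' = secret present, else card serial
    fingerprint: str = ""
    keygrip: str = ""  # what gpg-agent (or a replacement agent) is asked to use

    @property
    def is_stub(self) -> bool:
        return self.token == "#"

    @property
    def can_encrypt(self) -> bool:
        # Uppercase letters summarise the whole key; only lowercase 'e' is this key.
        return "e" in self.caps


def parse_secret_listing(text: str) -> List[SecretKey]:
    """Group each sec/ssb record with the fpr and grp records that follow it."""
    keys: List[SecretKey] = []
    for line in text.splitlines():
        f = line.split(":")
        if f[0] in ("sec", "ssb") and len(f) > 14:
            keys.append(SecretKey(f[0], f[4], int(f[3] or 0), int(f[5] or 0), f[11], f[14]))
        elif f[0] == "fpr" and keys and len(f) > 9:
            keys[-1].fingerprint = f[9]
        elif f[0] == "grp" and keys and len(f) > 9:
            keys[-1].keygrip = f[9]
    return keys


def diagnose(keys: List[SecretKey]) -> List[str]:
    """Findings relevant to a 'secret key not found' failure on decrypt."""
    findings: List[str] = []
    primary = next((k for k in keys if k.record == "sec"), None)
    if primary is None:
        return ["no secret primary key in the listing: import the master key first"]
    enc = [k for k in keys if k.can_encrypt]
    if not enc:
        findings.append("no encryption-capable (sub)key: nothing for gpg --encrypt -r to use")
    for k in enc:
        if k.is_stub:
            findings.append(
                f"{k.keyid}: encryption subkey is a stub (#); decryption must be served by "
                f"an agent that knows keygrip {k.keygrip or '<none listed>'}"
            )
        if k.created < primary.created:
            findings.append(
                f"{k.keyid}: created before the primary key; the issue reports subkey "
                f"creation only succeeding with --time later than the master key"
            )
    return findings


def live_listing(gnupghome: Optional[str] = None) -> str:
    """Run gpg against a real keyring; gnupghome mirrors 'export GNUPGHOME=...'."""
    cmd = ["gpg", "--batch", "--with-colons", "--with-keygrip", "--list-secret-keys"]
    if gnupghome:
        cmd[1:1] = ["--homedir", gnupghome]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    keys = parse_secret_listing(SAMPLE_LISTING)
    for key in keys:
        print(key.record, key.keyid, key.caps, "stub" if key.is_stub else "secret", key.keygrip)
    for finding in diagnose(keys):
        print("finding:", finding)
```

To run it against the keyring from the post, replace `SAMPLE_LISTING` with `live_listing("~/.gnupg/trezor")` (expanded as needed). If the encryption subkey is absent, the `--import` of trezor-key_public.asc did not land where gpg is looking; if it is present as a stub, the next thing to verify is that the agent answering for that `GNUPGHOME` actually knows the listed keygrip.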
