gpg: use gpg.conf to automatically spawn trezor-gpg-agent

8 years ago · 683d24f4eb
parent 921e2954c1
commit 683d24f4eb
4 changed files with 31 additions and 46 deletions
--- a/scripts/gpg-init
+++ b/scripts/gpg-init
@ -5,15 +5,21 @@ USER_ID="${1}"
 HOMEDIR=~/.gnupg/trezor
 CURVE=${CURVE:="nist256p1"}  # or "ed25519"

+# Prepare new GPG home directory for TREZOR-based identity
 rm -rf "${HOMEDIR}"
 mkdir -p "${HOMEDIR}"
 chmod 700 "${HOMEDIR}"

-trezor-gpg -v create "${USER_ID}" -e "${CURVE}" > "${HOMEDIR}/pubkey.asc"
+# Generate new GPG identity and import into GPG keyring
+trezor-gpg-create -v "${USER_ID}" -e "${CURVE}" > "${HOMEDIR}/pubkey.asc"
 gpg2 --homedir "${HOMEDIR}" --import < "${HOMEDIR}/pubkey.asc"
+rm -f "${HOMEDIR}/S.gpg-agent"  # (otherwise, our agent won't be started automatically)

-# Mark new key as trusted in gpg.conf
+# Make new GPG identity with "ultimate" trust (via its fingerprint)
 FINGERPRINT=$(gpg2 --homedir "${HOMEDIR}" --list-public-keys --with-colons | sed --quiet --regexp-extended 's/^fpr:::::::::([0-9A-F]+):$/\1/p' | head -n1)
-KEY_ID="0x${FINGERPRINT:(-16)}"  # take last 8 bytes of the fingerprint
-echo "Marking ${KEY_ID} as trusted..."
-echo "trusted-key ${KEY_ID}" > "${HOMEDIR}/gpg.conf"
+echo "${FINGERPRINT}:6" | gpg2 --homedir "${HOMEDIR}" --import-ownertrust
+
+# Prepare GPG configuration file
+echo "# TREZOR-based GPG configuration
+agent-program $(which trezor-gpg-agent)
+" | tee "${HOMEDIR}/gpg.conf"
--- a/scripts/gpg-shell
+++ b/scripts/gpg-shell
@ -2,15 +2,6 @@
 set -eu

 export GNUPGHOME=~/.gnupg/trezor
-gpg2 --list-public-keys --with-keygrip
+gpg2 --list-public-keys

-killall -q trezor-gpg || true
-trezor-gpg -v agent &
-AGENT_PID=$!
-sleep 1
-
-echo "Starting GPG-enabled shell..."
-${SHELL} || true
-echo "Stopping GPG-enabled shell..."
-
-kill ${AGENT_PID}
+${SHELL}
--- a/setup.py
+++ b/setup.py
@ -34,6 +34,7 @@ setup(
    entry_points={'console_scripts': [
        'trezor-agent = trezor_agent.__main__:run_agent',
        'trezor-git = trezor_agent.__main__:run_git',
-        'trezor-gpg = trezor_agent.gpg.__main__:main',
+        'trezor-gpg-create = trezor_agent.gpg.__main__:main_create',
+        'trezor-gpg-agent = trezor_agent.gpg.__main__:main_agent',
    ]},
 )
--- a/trezor_agent/gpg/main.py
+++ b/trezor_agent/gpg/main.py
@ -73,34 +73,13 @@ def run_create(args):
    sys.stdout.write(protocol.armor(result, 'PUBLIC KEY BLOCK'))


-def run_agent(args):  # pylint: disable=unused-argument
-    """Run a simple GPG-agent server."""
-    sock_path = keyring.get_agent_sock_path()
-    with server.unix_domain_socket_server(sock_path) as sock:
-        for conn in agent.yield_connections(sock):
-            with contextlib.closing(conn):
-                try:
-                    agent.handle_connection(conn)
-                except Exception as e:  # pylint: disable=broad-except
-                    log.exception('gpg-agent failed: %s', e)
-
-
-def main():
-    """Main function."""
+def main_create():
+    """Main function for GPG identity creation."""
    p = argparse.ArgumentParser()
+    p.add_argument('user_id')
+    p.add_argument('-e', '--ecdsa-curve', default='nist256p1')
+    p.add_argument('-t', '--time', type=int, default=int(time.time()))
    p.add_argument('-v', '--verbose', default=0, action='count')
-    subparsers = p.add_subparsers()
-    subparsers.required = True
-    subparsers.dest = 'command'
-
-    create_cmd = subparsers.add_parser('create')
-    create_cmd.add_argument('user_id')
-    create_cmd.add_argument('-e', '--ecdsa-curve', default='nist256p1')
-    create_cmd.add_argument('-t', '--time', type=int, default=int(time.time()))
-    create_cmd.set_defaults(run=run_create)
-
-    agent_cmd = subparsers.add_parser('agent')
-    agent_cmd.set_defaults(run=run_agent)

    args = p.parse_args()
    util.setup_logging(verbosity=args.verbose)
@ -111,11 +90,19 @@ def main():
    existing_gpg = keyring.gpg_version().decode('ascii')
    required_gpg = '>=2.1.15'
    if semver.match(existing_gpg, required_gpg):
-        args.run(args)
+        run_create(args)
    else:
        log.error('Existing gpg2 has version "%s" (%s required)',
                  existing_gpg, required_gpg)


-if __name__ == '__main__':
-    main()
+def main_agent():
+    """Run a simple GPG-agent server."""
+    sock_path = keyring.get_agent_sock_path()
+    with server.unix_domain_socket_server(sock_path) as sock:
+        for conn in agent.yield_connections(sock):
+            with contextlib.closing(conn):
+                try:
+                    agent.handle_connection(conn)
+                except Exception as e:  # pylint: disable=broad-except
+                    log.exception('gpg-agent failed: %s', e)