PGP via Roman Zayde’s Trezor-agent

README.md

This gist belongs to the blog post PGP via Roman Zayde’s Trezor-agent.

Dockerfile

# Dockerfile

FROM python:3.12-slim

# Install system dependencies. You might need more packages (like gnupg2, libusb, etc.).
RUN apt-get update && apt-get install -y gnupg2 usbutils libusb-1.0-0-dev libudev-dev git curl && rm -rf /var/lib/apt/lists/*

# The working directory inside the container
WORKDIR /app

# Install python dependencies:
#  1) Trezor-agent requires pip, build tools, etc.
#  2) We'll clone and install "trezor-agent" from GitHub (romanz/trezor-agent).
RUN git clone https://github.com/romanz/trezor-agent.git /app/trezor-agent
RUN pip install --no-cache-dir -e /app/trezor-agent
RUN pip install --no-cache-dir -e /app/trezor-agent/agents/trezor

# Optionally, show what we have installed
RUN python --version
# might fail if no Trezor connected, but let's see usage.
RUN trezor-gpg --help || true

# By default, we won't configure GNUPGHOME in the Dockerfile, because
# each container can have its own GPG home directory (to keep them separate).
ENV GNUPGHOME=/app/.gnupg/trezor

# Example entrypoint: 
# If an environment variable $INIT_USER is provided, do "trezor-gpg init <INIT_USER>" one time.
# Otherwise, just run a shell.
COPY entrypoint.sh /app/entrypoint.sh
RUN chmod +x /app/entrypoint.sh

ENTRYPOINT ["/app/entrypoint.sh"]
CMD ["bash"]

entrypoint.sh

#!/usr/bin/env bash
set -e

# If $INIT_USER is given and we have not yet initialized, do so.
# (You might add a check if $GNUPGHOME/trezor already exists, to avoid re-init.)
if [ -n "$INIT_USER" ]; then
  echo "Initializing Trezor GPG identity for '$INIT_USER'..."
  trezor-gpg init "$INIT_USER" -v --time=0
fi

# Finally, switch to whatever command was given (default: bash).
exec "$@"

Makefile

TAG_DATE=202503130854

trezor-agent-image:
	docker build -f Dockerfile --progress=plain --build-arg HTTP_PROXY=${HTTP_PROXY} --build-arg HTTPS_PROXY=${HTTPS_PROXY} --build-arg http_proxy=${HTTP_PROXY} --build-arg https_proxy=${HTTPS_PROXY} --tag trezor-agent-image:${TAG_DATE} --tag trezor-agent-image:latest .

trezor-agent-image-debug:
	DOCKER_BUILDKIT=0 docker build --rm=false -t trezor-agent:latest .
	# docker commit abcdef123456 debug_image
	# docker run --rm -it debug_image /bin/bash

trezor-agent-trevor-wikey:
	mkdir -p ./data && \
	mkdir -p ./trezor_identity_a && \
	docker run -it --rm --user $$(id -u):$$(id -g) --privileged -v /dev/bus/usb:/dev/bus/usb -v ./data:/app/data -v ./trezor_identity_a:/app/.gnupg -e INIT_USER="Trevor Wikey" trezor-agent-image

trezor-agent-alice-bob:
	mkdir -p ./data && \
	mkdir -p ./trezor_identity_a && \
	docker run -it --rm --user $$(id -u):$$(id -g) --privileged -v /dev/bus/usb:/dev/bus/usb -v ./data:/app/data -v ./trezor_identity_b:/app/.gnupg -e INIT_USER="Alice Bob" trezor-agent-image

# Then do "trezor-gpg decrypt ..." or "trezor-gpg sign ..." etc.
trezor-agent--trevor-wikey-again:
	docker run -it --rm --user $$(id -u):$$(id -g) --privileged -v /dev/bus/usb:/dev/bus/usb -v ./data:/app/data  -v ./trezor_identity_a:/app/.gnupg trezor-agent-image bash

# date | gpg --encrypt -r "trevor" | gpg --decrypt 2>/dev/null
# echo 123 | gpg --sign | gpg --verify
# echo "test secret" > ./data/test-secret.txt

# bash .gnupg/trezor/run-agent.sh

ssh:
	[email protected] && \
	remote_sock=$$( ssh "$$remote" "gpgconf --list-dirs" | sed -n 's/agent-socket://p' ) && \
	echo $$remote_sock && \
	ssh -o StreamLocalBindUnlink=yes -R $$remote_sock:./trezor_identity_a/trezor/S.gpg-agent $$remote

# gpg --decrypt test-secret.txt.gpg > test-secret.1.txt