trezor-agent
Adding support for Android
Would it be possible to install trezor-agent for use with gpg in a shell on Android? If so, this requires root access, right?
I never tried to run this tool on Android :(
IIUC, the main issue will probably be to make sure that the USB library (used by trezor-agent) and UNIX-domain socket communication (with the gpg binary) work correctly.
What kind of an Android device would you like to run this tool on?
> What kind of an Android device would you like to run this tool on?
Just the average Android phone, ARM powered.
Without knowing the technical details, I guess a user-friendly implementation on Android could be done as follows:
- Create a fork of the Termux terminal emulator.
- For interfacing with the Trezor from the terminal emulator, use the Trezor Android library. That way, no root access for configuring access to USB devices is needed.
- When the user needs to enter a pin, that happens in a touch-friendly pop-up window.
In the meantime, it could be interesting to get trezor-agent running on a rooted phone.
Got it, thanks for the elaboration :)
Currently, it's a bit out of scope (for me), but I'd be happy to help anyone add this feature.
@feklee mentioned in another repo that adding trezor to open keychain would require custom code because they are not based on the openpgp standard.
Can you expand on that? Is it the trezor itself that isn't based on openpgp or is it the trezor-agent? It seems like integrating trezor onto open keychain would be the path of least resistance to android support.
@lpww The Trezor firmware does not implement the OpenPGP smart card API. For more information, see issue 160: Why is this (trezor-agent) needed, why is Trezor not compatible with gpg-agent?
Anyhow, in the meantime I tried two things:
- Installing GnuPG with OpenPGP smart card support in Termux: success! Now I can use my OpenPGP smart card to decrypt files in Termux. The pin I enter via the reader’s pin pad. The solution is a bit ugly, though, and the reader is big.
- Installing trezor-agent: I got pretty far, until I got an error message about missing libudev, required by the HID API library. Well, this library is not available for Termux, and Android 8.1 doesn’t have udev. Now, as far as I understand things, it should be possible to interface with the Trezor without udev. Some options come to my mind:
  - Edit trezor-agent to use a different HID API library, one that doesn’t need udev.
  - Edit trezor-agent to directly interface with the Trezor using libusb.
  - Edit the HID API library to not use udev. Hard coding the Trezor device settings could be an option.
@feklee Thanks for the update!
> it should be possible to interface with the Trezor without udev.
With the latest trezor-agent, you can use trezord-go, which can be connected via HTTP:
$ ./trezord-go &
$ trezor-agent [email protected] -vv
You can run trezord on another machine - and connect to it from your Android device.
Don’t understand it:
> $ ./trezord-go &
> $ trezor-agent [email protected] -vv
This I would run on another machine? How do I connect trezor-agent to the HTTP connection?
Anyhow, the whole point is to be able to interface with the Trezor on the go, i.e. without another machine around.
If I run ./trezord-go on my phone, I get LIBUSB_ERROR_OTHER. This is as an ordinary user. If I switch to root, then I get trezord is starting without error. So this looks not too bad, although I am not too optimistic: The trezord-go installation instructions do mention udev, and that clearly is not available on Android.
If I then start trezor-agent [email protected] -vv also on my phone, I get:
2018-08-20 13:01:36,385 DEBUG parsed identity: {'proto': None, 'user': 'felix.klee', 'host': 'inka.de', 'port': None, 'path': None} [interface.py:30]
2018-08-20 13:01:36,386 DEBUG identity parts: ['ssh://', 'felix.klee@', 'inka.de'] [interface.py:46]
2018-08-20 13:01:36,386 INFO identity #0: <ssh://[email protected]|nist256p1> [__init__.py:274]
2018-08-20 13:01:36,421 WARNING DISPLAY not defined [ui.py:65]
2018-08-20 13:01:36,421 INFO using [b'ttyname=/dev/pts/0'] for pinentry options [ui.py:67]
2018-08-20 13:01:36,667 INFO Failed to import module hid: No module named 'hid' [__init__.py:83]
2018-08-20 13:01:36,951 DEBUG Starting new HTTP connection (1): 127.0.0.1:21325 [connectionpool.py:205]
POST /enumerate
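A preflight check for the situation in the log above, added here as an example and not part of the thread or of trezor-agent: it reports whether the Python `hid` module and libudev can be found, and whether anything is listening on the bridge address the log shows (127.0.0.1:21325). The function names and summary strings are this example's own; that `hid` depends on libudev is taken from the report in this thread.

```python
import ctypes.util
import importlib.util
import socket

BRIDGE_ADDR = ("127.0.0.1", 21325)  # address seen in the debug log above


def module_available(name):
    """True if the Python module can be located (it is not imported)."""
    return importlib.util.find_spec(name) is not None


def library_available(name):
    """True if the shared library (e.g. 'udev') can be located."""
    return ctypes.util.find_library(name) is not None


def bridge_listening(addr=BRIDGE_ADDR, timeout=1.0):
    """True if something accepts TCP connections at addr; no request is sent."""
    try:
        with socket.create_connection(addr, timeout=timeout):
            return True
    except OSError:
        return False


def summarize(hid_ok, udev_ok, bridge_ok):
    """Map the three probe results to the cases discussed in the thread."""
    if hid_ok and udev_ok:
        return "hid: direct USB HID transport has its prerequisites"
    if bridge_ok:
        return "bridge: no usable hid module, but a bridge is listening"
    if not udev_ok:
        return "none: libudev missing and no bridge listening"
    return "none: hid module missing and no bridge listening"


def preflight():
    """Run all probes on this device and return them with a summary."""
    hid_ok = module_available("hid")
    udev_ok = library_available("udev")  # assumption: hid needs libudev here
    bridge_ok = bridge_listening()
    return {"hid": hid_ok, "udev": udev_ok, "bridge": bridge_ok,
            "summary": summarize(hid_ok, udev_ok, bridge_ok)}


if __name__ == "__main__":
    for key, value in preflight().items():
        print(f"{key}: {value}")
```

A listening socket only shows that some process holds the port; it does not show that the process is trezord or that it can reach the USB device without root.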
> Anyhow, the whole point is to be able to interface with the Trezor on the go, i.e. without another machine around.
You're right, my solution assumes that the TREZOR is connected to another machine :(
Can you take a look at https://github.com/trezor/trezor-android (maybe there is an easy way to connect from Python to this library)?
> Can you take a look at https://github.com/trezor/trezor-android (maybe there is an easy way to connect from Python to this library)?
Yes, that can be interesting. It may be possible to write an add-on app similar to Termux-API, to provide an interface in Termux to the Trezor.
Hi there, just checking in to see if any progress has been made over the last 7 months?
https://github.com/trezor/trezord-go/issues/145