guix-devel

Re: trezor-agent: using trezor as gpg key


From: Danny Milosavljevic
Subject: Re: trezor-agent: using trezor as gpg key
Date: Fri, 3 Sep 2021 18:35:12 +0200

Hi,

On Fri, 03 Sep 2021 07:55:19 +0000
Attila Lendvai <attila@lendvai.name> wrote:

> i'm failing to configure my gnupg to use Trezor (a USB hw key store).
> $ ls -l /dev/usb/
[...]
> crw-rw---- 1 root plugdev 180, 0 Sep 3 09:25 hiddev0
> 
> $ groups
> users plugdev [...]
> 
> $ trezor-gpg-agent &
> [1] 11223
> 
> $ gpg --sign /tmp/x
> 2021-09-03 09:41:19,129 ERROR Failed to enumerate WebUsbTransport. USBErrorAccess: LIBUSB_ERROR_ACCESS [-3] [__init__.py:126]
> 2021-09-03 09:41:19,132 ERROR handler failed: Trezor not connected [__init__.py:273]
[...]
> libagent.device.interface.NotFoundError: Trezor not connected
> gpg: Warning: not using 'Attila Lendvai <attila@lendvai.name>' as default key: No secret key
> gpg: all values passed to '--default-key' ignored
> gpg: keydb_search failed: Broken pipe
> gpg: no default secret key: Broken pipe
> gpg: signing failed: Broken pipe
> 
> how can i see/debug here which file has the wrong permissions? the python 
> backtrace is not very useful without printing the variable values.

You can

 strace -f gpg --sign /tmp/x 2>&1 |grep /dev

but I suspect that that won't show anything interesting because it's actually 
trezor-gpg-agent doing the access.

Maybe

   strace -f trezor-gpg-agent 2>&1 |grep /dev

?

In any case, since I did pretty much the same with a Ledger Nano, check the 
permissions of /dev/hidraw*.  After fixing the permissions of the latter file, 
it works fine as a regular user.

See also https://github.com/LedgerHQ/udev-rules/pull/8 for how to make the 
change permanent.

Even then, it only works fine once one logs out and back in and has the USB 
device already connected at the time of login.  I think that's a bug in our 
elogind (sigh).
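
Added example, not part of the original message or of trezor-agent: a small filter for the `strace -f ... 2>&1 | grep /dev` approach above that keeps only the /dev nodes whose open was refused, then shows each node's mode, owner, group and whether the current process is in that group. The function names and the sample trace (pids, device paths) are constructed for illustration.

```shell
#!/bin/sh
# Read `strace -f` output on stdin; print each /dev path whose open()/openat()
# failed with EACCES or EPERM, once, in order of first appearance.
# Calls that strace splits into "<unfinished ...>"/"resumed" pairs are skipped.
denied_dev_nodes() {
    awk '
        /open(at)?\(/ && / = -1 (EACCES|EPERM) / {
            if (match($0, /"\/dev\/[^"]*"/)) {
                path = substr($0, RSTART + 1, RLENGTH - 2)
                if (!(path in seen)) { seen[path] = 1; print path }
            }
        }'
}

# Print mode, owner and group of a device node, whether this process is in
# that group, and whether it can open the node read-write.
# Returns 0 if read-write access works, 1 if not, 2 if the node is missing.
describe_node() {
    node=$1
    [ -e "$node" ] || { echo "$node: missing"; return 2; }
    set -- $(ls -ld -- "$node")          # $1 = mode, $3 = owner, $4 = group
    in_group=no
    for g in $(id -Gn); do               # groups of this process, as set at login
        [ "$g" = "$4" ] && in_group=yes
    done
    rw=denied
    [ -r "$node" ] && [ -w "$node" ] && rw=ok
    echo "$node: mode=$1 owner=$3 group=$4 in_group=$in_group rw=$rw"
    [ "$rw" = ok ]
}

# Constructed sample trace (pids and device paths are made up for illustration).
SAMPLE_TRACE='[pid 11230] openat(AT_FDCWD, "/dev/urandom", O_RDONLY|O_CLOEXEC) = 3
[pid 11230] openat(AT_FDCWD, "/dev/bus/usb/001/004", O_RDWR|O_CLOEXEC) = -1 EACCES (Permission denied)
[pid 11230] openat(AT_FDCWD, "/dev/hidraw0", O_RDWR) = -1 EACCES (Permission denied)
[pid 11231] openat(AT_FDCWD, "/dev/hidraw1", O_RDWR) = -1 ENOENT (No such file or directory)
[pid 11231] openat(AT_FDCWD, "/dev/hidraw0", O_RDWR) = -1 EACCES (Permission denied)
[pid 11230] openat(AT_FDCWD, "/etc/passwd", O_RDONLY|O_CLOEXEC) = 3'

# Demo on the sample. On a real system, feed it the live trace instead:
#   strace -f trezor-gpg-agent 2>&1 | denied_dev_nodes
printf '%s\n' "$SAMPLE_TRACE" | denied_dev_nodes | while read -r n; do
    describe_node "$n" || true
done
```

A node that reports `in_group=no` while `groups` lists the group in a fresh login shell indicates that the running session predates the group change.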


