Sign message with trezorctl, but signature stays on the Trezor

I’d like to sign messages with trezorctl and enter the message on the computer. However, I don’t want the Trezor to pass the signature back to the computer (as happens by default with trezorctl sign-message); rather, it should stay on the Trezor and be displayed only on its screen (Model T), preferably in the encoding of my choice (e.g. binary, hex, base64).

How can I do this?


Write a custom firmware :woman_shrugging:

What is your use case? A signature (of a known message, no less) is not generally considered private data.


The use case is what we’ve been discussing in the other thread (forum.trezor.io/t/generating-mnemonics-with-a-trezor/11578/2): using deterministic randomness as a source for generating child mnemonics. I had signatures in mind, and the problem is that going either route causes the (now-)secret to leave the Trezor. Displaying it only on the screen would allow constructing a mnemonic with the help of a word list.

Of course, implementing BIP85 (github.com/trezor/trezor-firmware/issues/1528) would make this unnecessary.

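The "word list" step from the last post, written out as an added example (not code from this thread or from Trezor): a signature is reduced to a BIP39-sized entropy block, BIP39 checksum bits are appended, and the result is split into 11-bit word indices that the caller maps through a wordlist. The sample signature is a constructed placeholder, not a real trezorctl output, and the wordlist is supplied by the caller rather than embedded.

```python
import base64
import hashlib

# Constructed placeholder standing in for the 65-byte recoverable signature
# that trezorctl sign-message prints as base64. Not a real signature.
SAMPLE_SIG_B64 = base64.b64encode(bytes(range(65))).decode()


def entropy_from_signature(sig_b64: str, nbytes: int = 16) -> bytes:
    """Reduce a base64 message signature to a BIP39-sized entropy block.

    Note the point raised in the thread: anyone who sees the signature can
    repeat this derivation, so the signature itself becomes the secret.
    """
    if nbytes not in (16, 20, 24, 28, 32):
        raise ValueError("BIP39 entropy must be 16, 20, 24, 28 or 32 bytes")
    sig = base64.b64decode(sig_b64)
    if len(sig) != 65:
        raise ValueError("expected a 65-byte recoverable signature")
    return hashlib.sha256(sig).digest()[:nbytes]


def entropy_to_indices(entropy: bytes) -> list:
    """BIP39: append ENT/32 checksum bits from SHA-256, split into 11-bit indices."""
    ent_bits = len(entropy) * 8
    cs_bits = ent_bits // 32                      # 4 bits for 16 bytes, 8 for 32
    checksum = hashlib.sha256(entropy).digest()[0] >> (8 - cs_bits)
    combined = (int.from_bytes(entropy, "big") << cs_bits) | checksum
    nwords = (ent_bits + cs_bits) // 11           # 12 words for 16 bytes, 24 for 32
    return [(combined >> (11 * (nwords - 1 - i))) & 0x7FF for i in range(nwords)]


def indices_to_mnemonic(indices: list, wordlist: list) -> str:
    """Map word indices through a 2048-entry BIP39 wordlist (e.g. english.txt)."""
    if len(wordlist) != 2048:
        raise ValueError("BIP39 wordlist must have exactly 2048 entries")
    return " ".join(wordlist[i] for i in indices)


def render(data: bytes, encoding: str) -> str:
    """Show raw bytes in one of the encodings the question asks for."""
    if encoding == "hex":
        return data.hex()
    if encoding == "base64":
        return base64.b64encode(data).decode()
    if encoding == "binary":
        return "".join(f"{b:08b}" for b in data)
    raise ValueError(f"unknown encoding: {encoding}")
```

With the real english.txt loaded as `wordlist`, `indices_to_mnemonic(entropy_to_indices(bytes(16)), wordlist)` yields the standard BIP39 test vector of eleven "abandon" followed by "about".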