I just started using Trezor Suite for the first time recently.
I would like to flag the following areas as having potential for improvement, together with suggestions for improvement.
- “Latest Signing key is 2021”
  - On “Trezor Site → Download → More” there are two old signing keys “Signing Key 2020” and “Signing Key 2021”
  - The old keys do work, but new ones would be better from a customer experience perspective (customers find it easier to trust things that are kept up to date)
  - The suggestion here would be to provide up-to-date signing keys (i.e. 2025 now and then updated every year thereafter)
- Nowhere to verify the signing key outside Trezor website
  - I could be missing something, but I found it difficult to verify the signing key outside the Trezor website. The purpose of providing signing keys in this way is to establish a ‘web of trust’ and to protect in the event the Trezor website is attacked and the binaries and .gpg files replaced. If the fingerprint from the signing key can be verified from another site then it protects against this.
  - The suggestion would be to provide a reference to the fingerprint of the signing key on another site and then mention this on Trezor website in the “Download → More (info)” section.
- “DigiCert Timestamp 2024”
  - When viewing the certificate details of ‘Trezor-Suite-25.5.2-win-x64.exe’ the timestamp shows as 2024.
  - Whilst the cert works, the suggestion would be to keep it up to date, for the same reasons mentioned above.
  - The suggestion would be to use an up-to-date timestamp, renewed each year, i.e. with a timestamp showing 2025.
- Win Defender is currently flagging ‘Trezor-Suite-25.5.2-win-x64.exe’ as an “Unrecognised App” and displaying a big blue security warning window that you then have to go into and choose “run anyway”.
  - Whilst this is mostly outside Trezor’s control, it doesn’t exactly inspire confidence for the average Win user, especially given Trezor Suite is such a security critical application.
  - The suggestion would be to work with MS to establish why this is happening and get it cleared.
For what it’s worth, once I started using Trezor Suite I loved it. It seems to me to be very well designed and solidly coded.
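The out-of-band fingerprint check suggested in the post, sketched as an added example (not part of the original post and not Trezor's own tooling). It parses `gpg --show-keys --with-colons` output and accepts a key only when every published fingerprint matches and at least one comes from a source other than the download site. The sample key data, the fingerprints and the source names `download-site` and `second-site` are constructed placeholders, and a 40-hex-digit (v4) fingerprint is assumed.

```python
import re

# Constructed stand-in for `gpg --show-keys --with-colons key.asc` output.
# Both fingerprints are made-up placeholders, not any vendor's real key.
SAMPLE_COLONS = """\
pub:-:4096:1:AAAABBBBCCCCDDDD:1609459200:::-:::scESC::::::23::0:
fpr:::::::::0123456789ABCDEF01234567AAAABBBBCCCCDDDD:
uid:-::::1609459200::::Example Signing Key <signing@example.invalid>::::::::::0:
sub:-:4096:1:1111222233334444:1609459200::::::e::::::23:
fpr:::::::::FEDCBA9876543210FEDCBA981111222233334444:
"""

def normalize(fpr):
    """Strip spacing and case; reject short key IDs, which are easy to collide."""
    cleaned = re.sub(r"\s+", "", fpr).upper()
    if not re.fullmatch(r"[0-9A-F]{40}", cleaned):
        raise ValueError(f"not a full 40-hex-digit fingerprint: {fpr!r}")
    return cleaned

def primary_fingerprint(colons):
    """Return the fpr record that follows the pub record (not a subkey's)."""
    after_pub = False
    for line in colons.splitlines():
        fields = line.split(":")
        if fields[0] == "pub":
            after_pub = True
        elif fields[0] == "sub":
            after_pub = False
        elif fields[0] == "fpr" and after_pub:
            return normalize(fields[9])  # field 10 carries the fingerprint
    raise ValueError("no primary key fingerprint found")

def check_key(colons, published, vendor_source):
    """published maps a source name to the fingerprint displayed there."""
    actual = primary_fingerprint(colons)
    independent = [s for s in published if s != vendor_source]
    if not independent:
        return False, "no fingerprint from outside the download site"
    mismatched = sorted(s for s, f in published.items() if normalize(f) != actual)
    if mismatched:
        return False, "fingerprint mismatch at: " + ", ".join(mismatched)
    return True, f"{actual} confirmed by {len(independent)} independent source(s)"

if __name__ == "__main__":
    print(check_key(SAMPLE_COLONS, {
        "download-site": "0123 4567 89AB CDEF 0123 4567 AAAA BBBB CCCC DDDD",
        "second-site": "0123456789abcdef01234567aaaabbbbccccdddd",
    }, vendor_source="download-site"))
```

Only after this check passes is it meaningful to run `gpg --verify` on the downloaded signature file against the installer.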