Trezor-gpg over wsl

I tried these instructions with Ubuntu 18.4 and Windows Subsystem for Linux:
trezor-dot-io/learn/a/what-is-gpg

I can’t complete step
6. Initialize the agent GPG directory
$ trezor-gpg init "Username " -v

Bridge sees the Trezor

Trezor Bridge status

Version: 2.0.27
Connected devices: 1

but trezor-gpg says not connected

[email protected]:~$ trezor-gpg init "aborisov" -v
/home/aborisov/.local/lib/python3.6/site-packages/libagent/age/__init__.py:22: CryptographyDeprecationWarning: Python 3.6 is no longer supported by the Python core team. Therefore, support for it is deprecated in cryptography and will be removed in a future release.
  from cryptography.exceptions import InvalidTag
2022-12-09 14:38:36,647 WARNING      This GPG tool is still in EXPERIMENTAL mode, so please note that the API and features may change without backwards compatibility! [__init__.py:118]
2022-12-09 14:38:36,658 INFO         device name: trezor                                                                                  [__init__.py:126]
2022-12-09 14:38:36,659 INFO         GPG home directory: /home/aborisov/.gnupg/trezor                                                     [__init__.py:131]
2022-12-09 14:38:36,672 WARNING      NOTE: in order to re-generate the exact same GPG key later, run this command with "--time=0" commandline flag (to set the timestamp of the GPG key manually). [__init__.py:35]
Traceback (most recent call last):
  File "/home/aborisov/.local/bin/trezor-gpg", line 8, in <module>
    sys.exit(gpg_tool())
  File "/home/aborisov/.local/bin/trezor_agent.py", line 6, in <lambda>
    gpg_tool = lambda: gpg.main(DeviceType)
  File "/home/aborisov/.local/lib/python3.6/site-packages/libagent/gpg/__init__.py", line 331, in main
    return args.func(device_type=device_type, args=args)
  File "/home/aborisov/.local/lib/python3.6/site-packages/libagent/gpg/__init__.py", line 182, in run_init
    export_public_key(device_type, args))
  File "/home/aborisov/.local/lib/python3.6/site-packages/libagent/gpg/__init__.py", line 39, in export_public_key
    verifying_key = c.pubkey(identity=identity, ecdh=False)
  File "/home/aborisov/.local/lib/python3.6/site-packages/libagent/gpg/client.py", line 27, in pubkey
    with self.device:
  File "/home/aborisov/.local/lib/python3.6/site-packages/libagent/device/interface.py", line 126, in __enter__
    self.conn = self.connect()
  File "/home/aborisov/.local/lib/python3.6/site-packages/libagent/device/trezor.py", line 52, in connect
    raise interface.NotFoundError('{} not connected'.format(self))
libagent.device.interface.NotFoundError: Trezor not connected

The WSL system cannot see the Bridge running in native Windows, see here for details.

The article recommends specifying the server by IP address, but trezorlib looks for Bridge on a hardcoded address, so that isn’t an option without modifying the source code.

Instead, a better choice for you might be to let WSL see the USB device directly. This is also not for the weak of heart, but the method is relatively well described.

That, or figure out how to forward connection for 127.0.0.1:21325 to the Windows host using some sort of firewall rules or whatever.

Bridge is running on Linux
and yes, I use usbipd-win

This is part of the page that I get from Linux, not Windows

Trezor Bridge status

Version: 2.0.27

Connected devices: 1

$ lsusb
Bus 002 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 001 Device 004: ID 1209:53c1 InterBiometrics
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub

InterBiometrics = trezor

Oh ok, didn’t occur to me that you would run the Bridge from Linux.

Anyway, what does trezorctl -v list say?
How about: http post 127.0.0.1:21325/enumerate Origin:https://python.trezor.io ?
(you might have to apt install httpie for the latter one)

$ trezorctl -v list
/usr/lib/python3/dist-packages/OpenSSL/crypto.py:12: CryptographyDeprecationWarning: Python 3.6 is no longer supported by the Python core team. Therefore, support for it is deprecated in cryptography and will be removed in a future release.
  from cryptography import x509
Traceback (most recent call last):
  File "/home/aborisov/.local/bin/trezorctl", line 5, in <module>
    from trezorlib.cli.trezorctl import cli
  File "/home/aborisov/.local/lib/python3.6/site-packages/trezorlib/cli/trezorctl.py", line 31, in <module>
    from . import (
  File "/home/aborisov/.local/lib/python3.6/site-packages/trezorlib/cli/firmware.py", line 23, in <module>
    import requests
  File "/usr/lib/python3/dist-packages/requests/__init__.py", line 84, in <module>
    from urllib3.contrib import pyopenssl
  File "/usr/lib/python3/dist-packages/urllib3/contrib/pyopenssl.py", line 46, in <module>
    import OpenSSL.SSL
  File "/usr/lib/python3/dist-packages/OpenSSL/__init__.py", line 8, in <module>
    from OpenSSL import crypto, SSL
  File "/usr/lib/python3/dist-packages/OpenSSL/crypto.py", line 1550, in <module>
    class X509StoreFlags(object):
  File "/usr/lib/python3/dist-packages/OpenSSL/crypto.py", line 1570, in X509StoreFlags
    CB_ISSUER_CHECK = _lib.X509_V_FLAG_CB_ISSUER_CHECK
AttributeError: module 'lib' has no attribute 'X509_V_FLAG_CB_ISSUER_CHECK'

$ http post deleted21325/enumerate Origin:https://deleted
/usr/lib/python3/dist-packages/OpenSSL/crypto.py:12: CryptographyDeprecationWarning: Python 3.6 is no longer supported by the Python core team. Therefore, support for it is deprecated in cryptography and will be removed in a future release.
  from cryptography import x509
Traceback (most recent call last):
  File "/usr/bin/http", line 11, in <module>
    load_entry_point('httpie==0.9.8', 'console_scripts', 'http')()
  File "/usr/lib/python3/dist-packages/httpie/__main__.py", line 10, in main
    from .core import main
  File "/usr/lib/python3/dist-packages/httpie/core.py", line 17, in <module>
    import requests
  File "/usr/lib/python3/dist-packages/requests/__init__.py", line 84, in <module>
    from urllib3.contrib import pyopenssl
  File "/usr/lib/python3/dist-packages/urllib3/contrib/pyopenssl.py", line 46, in <module>
    import OpenSSL.SSL
  File "/usr/lib/python3/dist-packages/OpenSSL/__init__.py", line 8, in <module>
    from OpenSSL import crypto, SSL
  File "/usr/lib/python3/dist-packages/OpenSSL/crypto.py", line 1550, in <module>
    class X509StoreFlags(object):
  File "/usr/lib/python3/dist-packages/OpenSSL/crypto.py", line 1570, in X509StoreFlags
    CB_ISSUER_CHECK = _lib.X509_V_FLAG_CB_ISSUER_CHECK
AttributeError: module 'lib' has no attribute 'X509_V_FLAG_CB_ISSUER_CHECK'

C:\Users\a.borisov> usbipd wsl attach -i 1209:53C1
usbipd: info: Device with hardware-id '1209:53c1' found at busid '3-3'.
usbipd: warning: Unknown USB filter 'klfltdev.KES-21-8' may be incompatible with this software; 'bind --force' may be required.

Is it OK?

UPD: I ran
C:\Users\a.borisov> usbipd bind --busid 3-3 --force
now no warning

usbipd: warning: Unknown USB filter 'klfltdev.KES-21-8' may be incompatible with this software; 'bind --force' may be required.

But nothing has changed

Your Python, PyOpenSSL and libopenssl are disagreeing with each other.

You might try to google the error at the end:

AttributeError: module 'lib' has no attribute 'X509_V_FLAG_CB_ISSUER_CHECK'

Here is a thread that might offer some hints: openssl - module 'lib' has no attribute 'X509_V_FLAG_CB_ISSUER_CHECK' - Ask Ubuntu

When I try to follow the recommendations in these instructions, I quickly come to a snowball of changes. I can do all this, but I suspect that after that it still won’t work and when I contact you with a problem, you will say it was necessary to do it according to the instructions, and not according to incomprehensible instructions from the Internet … but I will try.

I fixed it with
pip3 install pyOpenSSL --upgrade

$ http post *deleted* Origin:*deleted*
/home/aborisov/.local/lib/python3.6/site-packages/OpenSSL/_util.py:6: CryptographyDeprecationWarning: Python 3.6 is no longer supported by the Python core team. Therefore, support for it is deprecated in cryptography and will be removed in a future release.
  from cryptography.hazmat.bindings.openssl.binding import Binding
HTTP/1.1 200 OK
Access-Control-Allow-Origin: *deleted*
Content-Length: 94
Content-Type: text/plain; charset=utf-8
Date: Tue, 13 Dec 2022 06:26:42 GMT

[
    {
        "debug": false,
        "debugSession": null,
        "path": "6",
        "product": 21441,
        "session": null,
        "vendor": 4617
    }
]

But now I have a freeze with no errors

$ trezor-gpg init "aborisov" -v
/home/aborisov/.local/lib/python3.6/site-packages/libagent/age/__init__.py:22: CryptographyDeprecationWarning: Python 3.6 is no longer supported by the Python core team. Therefore, support for it is deprecated in cryptography and will be removed in a future release.
  from cryptography.exceptions import InvalidTag
2022-12-13 09:26:59,412 WARNING      This GPG tool is still in EXPERIMENTAL mode, so please note that the API and features may change without backwards compatibility! [__init__.py:118]
2022-12-13 09:26:59,421 INFO         device name: trezor                                                                                  [__init__.py:126]
2022-12-13 09:26:59,422 INFO         GPG home directory: /home/aborisov/.gnupg/trezor                                                     [__init__.py:131]
2022-12-13 09:26:59,436 WARNING      NOTE: in order to re-generate the exact same GPG key later, run this command with "--time=0" commandline flag (to set the timestamp of the GPG key manually). [__init__.py:35]
2022-12-13 09:26:59,559 INFO         Enumerating HidTransport: found 0 devices                                                            [__init__.py:138]
2022-12-13 09:26:59,572 INFO         Enumerating BridgeTransport: found 1 devices                                                         [__init__.py:138]
2022-12-13 09:26:59,577 INFO         Enumerating UdpTransport: found 0 devices                                                            [__init__.py:138]
2022-12-13 09:26:59,595 INFO         Enumerating WebUsbTransport: found 1 devices                                                         [__init__.py:138]
2022-12-13 09:26:59,595 INFO         creating client instance for device: bridge:6                                                        [client.py:115]

This freezes too

$ trezorctl -v list
/home/aborisov/.local/lib/python3.6/site-packages/OpenSSL/_util.py:6: CryptographyDeprecationWarning: Python 3.6 is no longer supported by the Python core team. Therefore, support for it is deprecated in cryptography and will be removed in a future release.
  from cryptography.hazmat.bindings.openssl.binding import Binding
[2022-12-13 09:34:49,189] trezorlib.transport INFO: Enumerating HidTransport: found 0 devices
[2022-12-13 09:34:49,190] trezorlib.transport INFO: Enumerating UdpTransport: found 0 devices
[2022-12-13 09:34:49,220] trezorlib.transport INFO: Enumerating WebUsbTransport: found 1 devices
[2022-12-13 09:34:49,230] trezorlib.transport INFO: Enumerating BridgeTransport: found 1 devices
[2022-12-13 09:34:49,230] trezorlib.client INFO: creating client instance for device: webusb:001:1
[2022-12-13 09:34:49,231] trezorlib.client DEBUG: sending message: Initialize
Initialize (0 bytes) {
}
[2022-12-13 09:34:49,272] trezorlib.client DEBUG: received message: Features (227 bytes)
[2022-12-13 09:34:49,272] trezorlib.client DEBUG: sending message: EndSession
EndSession (0 bytes) {
}
[2022-12-13 09:34:49,513] trezorlib.client DEBUG: received message: Success
Success (2 bytes) {
    message: '',
}
webusb:001:1 - (unnamed) [Trezor T, 0D239A9B8FEC31E2D4E4DB76]
[2022-12-13 09:34:49,514] trezorlib.client INFO: creating client instance for device: bridge:6
[2022-12-13 09:34:49,856] trezorlib.client DEBUG: sending message: Initialize
Initialize (0 bytes) {
}

This looks like trezorctl can talk to your Trezor without bridge, but talking through bridge fails for whatever reason.

Try stopping bridge and doing the gpg thing without it.
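The diagnosis above can be read mechanically from the verbose log. The following is an added example, not part of the original thread and not trezorlib code: the function name `diagnose` and its result keys are hypothetical, and the sample input is constructed from the log lines quoted in this thread.

```python
import re

# Constructed sample: prefixed log lines taken from the `trezorctl -v list`
# output quoted in this thread (message bodies omitted).
SAMPLE_LOG = """\
[2022-12-13 09:34:49,189] trezorlib.transport INFO: Enumerating HidTransport: found 0 devices
[2022-12-13 09:34:49,190] trezorlib.transport INFO: Enumerating UdpTransport: found 0 devices
[2022-12-13 09:34:49,220] trezorlib.transport INFO: Enumerating WebUsbTransport: found 1 devices
[2022-12-13 09:34:49,230] trezorlib.transport INFO: Enumerating BridgeTransport: found 1 devices
[2022-12-13 09:34:49,230] trezorlib.client INFO: creating client instance for device: webusb:001:1
[2022-12-13 09:34:49,231] trezorlib.client DEBUG: sending message: Initialize
[2022-12-13 09:34:49,272] trezorlib.client DEBUG: received message: Features (227 bytes)
[2022-12-13 09:34:49,272] trezorlib.client DEBUG: sending message: EndSession
[2022-12-13 09:34:49,513] trezorlib.client DEBUG: received message: Success
[2022-12-13 09:34:49,514] trezorlib.client INFO: creating client instance for device: bridge:6
[2022-12-13 09:34:49,856] trezorlib.client DEBUG: sending message: Initialize
"""

ENUM_RE = re.compile(r"Enumerating (\w+)Transport: found (\d+) devices")
FAIL_RE = re.compile(r"Failed to enumerate (\w+)Transport\. (.+)$")
CLIENT_RE = re.compile(r"creating client instance for device: (\S+)")
SEND_RE = re.compile(r"sending message: (\w+)")
RECV_RE = re.compile(r"received message: (\w+)")


def diagnose(log_text):
    """Summarise which transports saw a device and which client never got a reply."""
    found, failed, waiting = {}, {}, {}
    device = None
    for line in log_text.splitlines():
        if m := ENUM_RE.search(line):
            found[m.group(1)] = int(m.group(2))
        elif m := FAIL_RE.search(line):
            failed[m.group(1)] = m.group(2).strip()
        elif m := CLIENT_RE.search(line):
            device = m.group(1)
        elif (m := SEND_RE.search(line)) and device:
            waiting[device] = m.group(1)   # request sent, reply outstanding
        elif RECV_RE.search(line) and device:
            waiting.pop(device, None)      # reply arrived, request completed
    active = sorted(name for name, count in found.items() if count > 0)
    return {
        "active": active,
        "failed": failed,
        "stalled": waiting,
        # Same device reachable through Bridge and directly over WebUSB
        "double_path": {"Bridge", "WebUsb"} <= set(active),
    }


if __name__ == "__main__":
    for key, value in diagnose(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the sample, the WebUSB client completes both requests while the Bridge client is left waiting on Initialize, which is the hang described in the thread.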

I killed trezord. Is that trezor-bridge?
Now:
$ trezorctl -v list
/home/aborisov/.local/lib/python3.6/site-packages/OpenSSL/_util.py:6: CryptographyDeprecationWarning: Python 3.6 is no longer supported by the Python core team. Therefore, support for it is deprecated in cryptography and will be removed in a future release.
  from cryptography.hazmat.bindings.openssl.binding import Binding
[2022-12-13 10:28:38,379] trezorlib.transport INFO: Enumerating HidTransport: found 0 devices
[2022-12-13 10:28:38,382] trezorlib.transport INFO: Enumerating UdpTransport: found 0 devices
[2022-12-13 10:28:38,413] trezorlib.transport INFO: Enumerating WebUsbTransport: found 1 devices
[2022-12-13 10:28:38,419] trezorlib.transport INFO: Enumerating BridgeTransport: found 0 devices
[2022-12-13 10:28:38,420] trezorlib.client INFO: creating client instance for device: webusb:001:1
[2022-12-13 10:28:38,422] trezorlib.client DEBUG: sending message: Initialize
Initialize (0 bytes) {
}
[2022-12-13 10:28:38,465] trezorlib.client DEBUG: received message: Features (227 bytes)
[2022-12-13 10:28:38,466] trezorlib.client DEBUG: sending message: EndSession
EndSession (0 bytes) {
}
[2022-12-13 10:28:38,704] trezorlib.client DEBUG: received message: Success
Success (2 bytes) {
    message: '',
}
webusb:001:1 - (unnamed) [Trezor T, 0D239A9B8FEC31E2D4E4DB76]

$ trezor-gpg init "aborisov" -v
/home/aborisov/.local/lib/python3.6/site-packages/libagent/age/__init__.py:22: CryptographyDeprecationWarning: Python 3.6 is no longer supported by the Python core team. Therefore, support for it is deprecated in cryptography and will be removed in a future release.
  from cryptography.exceptions import InvalidTag
2022-12-13 10:29:40,828 WARNING This GPG tool is still in EXPERIMENTAL mode, so please note that the API and features may change without backwards compatibility! [__init__.py:118]
2022-12-13 10:29:40,855 INFO device name: trezor [__init__.py:126]
2022-12-13 10:29:40,856 INFO GPG home directory: /home/aborisov/.gnupg/trezor [__init__.py:131]
2022-12-13 10:29:40,891 WARNING NOTE: in order to re-generate the exact same GPG key later, run this command with "--time=0" commandline flag (to set the timestamp of the GPG key manually). [__init__.py:35]
2022-12-13 10:29:41,033 INFO Enumerating WebUsbTransport: found 1 devices [__init__.py:138]
2022-12-13 10:29:41,042 INFO Enumerating HidTransport: found 0 devices [__init__.py:138]
2022-12-13 10:29:41,047 INFO Enumerating BridgeTransport: found 0 devices [__init__.py:138]
2022-12-13 10:29:41,048 INFO Enumerating UdpTransport: found 0 devices [__init__.py:138]
2022-12-13 10:29:41,048 INFO creating client instance for device: webusb:001:1 [client.py:115]

UPD:
And the Trezor (hardware) showed me "Enter passphrase" (on its screen).

Passphrase for what?

I suggest you learn about the Passphrase feature: https://trezor.io/learn/a/passphrases-and-hidden-wallets

Same thing applies to GPG keys and other features.

This is strange.

  1. When I just turned off, but did not remove, trezor-bridge, during trezor-gpg init it asked for a passphrase 2 times and asked for confirmation 4 times. After deletion, it asks for a passphrase 1 time and for confirmation 2 times.
    Which behavior is correct?
  2. I read that the passphrase only applies to wallets. In other places, for example Trezor Password Manager, it does not work. Is this information out of date?

P.S. At first glance, the initialization was successful. I am starting to test.

As I understand it, trezor-gpg init generates a key pair (public and secret).
Can I generate a second key pair without deleting the first one?
I get an error:
GPG home directory /home/aborisov/.gnupg/trezor exists, remove it manually if required
I want to be able to encrypt with different keys, the way it is done in Trezor Password Manager.

The final goal is to get the functionality of the Trezor Password Manager without access to the Internet.

It’s imprecise.
Passphrase does not apply to FIDO/U2F/webauthn – that is a deliberate design on firmware side.
Passphrase also does not apply to Trezor Password Manager – that is because TPM was designed to provide the empty passphrase automatically. The corresponding Trezor functionality uses the passphrase the same as everything besides FIDO.
In general, unless an app is deliberately designed not to use the passphrase, it will be available and behave the same way as the passphrase for hidden wallets.

That is difficult to say. It could be that trezor-gpg requested two different functions and a bug prevented the passphrase from being retained. Or possibly the communication with Bridge went through after all, and trezor-gpg tried to use “both” Trezors that it sees and asked the passphrase for each.

That I don’t know. Maybe a different forum user will pick up the slack.
In general Trezor is capable of generating as many keys as you like. So it is up to trezor-gpg to make that functionality available somehow.

I updated the Trezor from 2.5.2 to 2.5.3.
Now:
$ trezorctl -v list
/home/aborisov/.local/lib/python3.6/site-packages/OpenSSL/_util.py:6: CryptographyDeprecationWarning: Python 3.6 is no longer supported by the Python core team. Therefore, support for it is deprecated in cryptography and will be removed in a future release.
  from cryptography.hazmat.bindings.openssl.binding import Binding
[2022-12-13 15:37:42,670] trezorlib.transport INFO: Enumerating HidTransport: found 0 devices
[2022-12-13 15:37:42,671] trezorlib.transport INFO: Enumerating UdpTransport: found 0 devices
[2022-12-13 15:37:42,695] trezorlib.transport ERROR: Failed to enumerate WebUsbTransport. USBErrorAccess: LIBUSB_ERROR_ACCESS [-3]
[2022-12-13 15:37:42,701] trezorlib.transport INFO: Enumerating BridgeTransport: found 0 devices
But the red string “no usb connection” disappears when I run usbipd wsl attach --busid 3-3

and lsusb
Bus 002 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 001 Device 016: ID 1209:53c1 InterBiometrics
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub

I installed a trezor bridge. Didn’t work.
I removed the trezor bridge. Did work.
Magic.