Where can I find trezorlib/trezorctl signed by Satoshi Labs?

I’m looking for a release of trezorlib – more specifically, the trezorctl tool – that is signed with the latest Satoshi Labs PGP release signing key (at the time of writing, that’s the 2021 one, PGP fingerprint EB48 3B26 B078 A4AA 1B6F 425E E21B 6950 A2EC B65C).

I found trezorlib on GitHub (github. com/trezor/trezor-firmware/tree/master/python#readme) as part of the firmware, but firmware tag “releases” don’t come with a signature. I similarly found no signatures that can be verified in the PyPI supply chain (pypi. org/project/trezor).

(The weird formatting is because the forum won’t let me include links.)

There is currently no such thing.

This is arguably less important than the binary releases because trezorlib “runs from source” and you can audit the git commits that went into your checkout, without anything slipping by you.

But yeah, would be nice to have a signature on this too.

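Once a release does ship with a detached signature, the check that matters is not just "Good signature" but that the signature was made by the specific SatoshiLabs key whose fingerprint the question quotes. The following is an added example, not code from this thread or from SatoshiLabs: it parses the machine-readable output that `gpg --status-fd 1 --verify <sig> <file>` produces and accepts a signature only when gpg reports a VALIDSIG whose primary-key fingerprint matches the trusted one. The status lines in the samples are constructed for the demo (the user-id text and dates are placeholders); the trusted fingerprint is the 2021 key from the question.

```python
"""Accept a gpg signature only if it comes from one specific trusted key.

Added example, not from the forum thread or from SatoshiLabs. It assumes the
caller ran `gpg --status-fd 1 --verify <sig> <file>` and captured stdout; the
sample status output below is constructed for demonstration.
"""
import re
import subprocess
from typing import List

# Fingerprint of the 2021 SatoshiLabs release signing key, as quoted in the
# question (spaces removed).
TRUSTED_FPR = "EB483B26B078A4AA1B6F425EE21B6950A2ECB65C"


def normalize_fpr(fpr: str) -> str:
    """Strip whitespace and upper-case a fingerprint so 'EB48 3B26 ...' and
    'eb483b26...' compare equal."""
    return re.sub(r"\s+", "", fpr).upper()


def signing_fingerprints(status_output: str) -> List[str]:
    """Return the primary-key fingerprint of every VALIDSIG record.

    VALIDSIG layout (gpg 2.x):
      [GNUPG:] VALIDSIG <sig-fpr> <date> <timestamp> <expire> <version>
               <reserved> <pubkey-algo> <hash-algo> <class> <primary-fpr>
    The trailing primary-key fingerprint is what a vendor publishes, so a
    signature made by a subkey is still mapped back to the published key.
    Older gpg versions omit the last field; then the signing-key fingerprint
    itself is used.
    """
    fprs = []
    for line in status_output.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[:2] == ["[GNUPG:]", "VALIDSIG"]:
            primary = fields[11] if len(fields) >= 12 else fields[2]
            fprs.append(normalize_fpr(primary))
    return fprs


def verify_status(status_output: str, trusted_fpr: str = TRUSTED_FPR) -> bool:
    """True only if gpg reported a valid signature from the trusted key.

    GOODSIG alone is not sufficient: gpg prints it for any key that happens to
    be in the keyring, so a naive 'grep GOODSIG' would accept a release signed
    by an unrelated key. Any BADSIG or ERRSIG line fails the check outright.
    """
    for line in status_output.splitlines():
        if line.startswith("[GNUPG:] BADSIG") or line.startswith("[GNUPG:] ERRSIG"):
            return False
    return normalize_fpr(trusted_fpr) in signing_fingerprints(status_output)


def verify_file(signature_path: str, file_path: str) -> bool:
    """Run gpg and apply verify_status to its status output (needs gpg and the
    vendor key imported; not exercised in the offline samples below)."""
    proc = subprocess.run(
        ["gpg", "--status-fd", "1", "--verify", signature_path, file_path],
        capture_output=True, text=True, check=False,
    )
    return verify_status(proc.stdout)


# --- constructed sample status output (placeholder dates and user ids) -------
SAMPLE_TRUSTED = """[GNUPG:] NEWSIG
[GNUPG:] GOODSIG E21B6950A2ECB65C SatoshiLabs 2021 Signing Key (placeholder uid)
[GNUPG:] VALIDSIG EB483B26B078A4AA1B6F425EE21B6950A2ECB65C 2021-01-01 1609459200 0 4 0 1 8 00 EB483B26B078A4AA1B6F425EE21B6950A2ECB65C
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""

# A perfectly valid signature, but from some other key: must be rejected.
SAMPLE_OTHER_KEY = """[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Some Other Key (placeholder uid)
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2021-01-01 1609459200 0 4 0 1 8 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""

# Signature from the trusted key but the file was modified: gpg reports BADSIG.
SAMPLE_BAD = """[GNUPG:] NEWSIG
[GNUPG:] BADSIG E21B6950A2ECB65C SatoshiLabs 2021 Signing Key (placeholder uid)
"""

if __name__ == "__main__":
    for name, sample in [("trusted", SAMPLE_TRUSTED),
                         ("other key", SAMPLE_OTHER_KEY),
                         ("tampered", SAMPLE_BAD)]:
        print(f"{name}: {'accepted' if verify_status(sample) else 'REJECTED'}")
```

The design point is that "Good signature" only proves the file matches *some* key gpg knows; pinning the published fingerprint is what ties the artifact to the vendor. The same check works unchanged for the firmware and Suite signatures the thread mentions, and `verify_file` can be dropped into a download script once a signed trezorlib release exists.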

Thank you for clarifying!

Sure, this is less of a risk factor for trezorlib than for e.g. the Trezor Suite. For me the point is not (only) verifying the source, but having someone with a good reputation verifiably attest that the source wasn’t compromised.