Sync with upstream trezor-agent; preserve OnlyKey features + add native Windows #16
Open
onlykey wants to merge 54 commits into
Remove unused imports and fix a small lint issue
Mark 'libagent' package as stable
Fix install step instruction
Update INSTALL.md
Add Support for ED25519 ssh-certificates
...as a supported device
Update description in setup.py
Update README to include Blockstream Jade
Add concurrency tag to CI
Bump CI actions and test on Python 3.12
Fixes romanz#491.

Usage example:

    ## generate TREZOR-based SSH CA public key
    $ trezor-agent -v 'SSH Certificate Authority' > /etc/ssh/trezor-ca.pub
    $ echo 'TrustedUserCAKeys /etc/ssh/trezor-ca.pub' | sudo tee -a /etc/ssh/sshd_config
    $ sudo systemctl restart ssh

    ## generate user-specific SSH key and certify it using trezor-agent
    $ ssh-keygen -t ed25519 -f user-key
    $ trezor-agent -v 'SSH Certificate Authority' -- \
        ssh-keygen -Us trezor-ca.pub -V '+10m' -I user-id -n user user-key.pub
    ...
    Signed user key user-key-cert.pub: id "user-id" serial 0 for user valid from 2024-11-23T20:25:00 to 2024-11-23T20:36:27

    ## use the certificate to login
    ssh -v user@localhost -o CertificateFile=user-key-cert.pub -i user-key
    ...
    debug1: Will attempt key: user-key-cert.pub ED25519-CERT SHA256:xdbgtQmUs5tUNf04f4Y3oQl5LGdBAMVjCH63R6EHH5Y explicit
    debug1: Will attempt key: user-key ED25519 SHA256:xdbgtQmUs5tUNf04f4Y3oQl5LGdBAMVjCH63R6EHH5Y explicit
    ...
    debug1: Offering public key: user-key-cert.pub ED25519-CERT SHA256:xdbgtQmUs5tUNf04f4Y3oQl5LGdBAMVjCH63R6EHH5Y explicit
    debug1: Server accepts key: user-key-cert.pub ED25519-CERT SHA256:xdbgtQmUs5tUNf04f4Y3oQl5LGdBAMVjCH63R6EHH5Y explicit
    Authenticated to localhost ([::1]:22) using "publickey".
    ...
Fixing a merge conflict.
replace pkg_resources for python 3.12
Also, simplify invocation examples.
https://github.com/LedgerHQ/app-ssh-agent has been deprecated in LedgerHQ/app-ssh-agent#48.
…v-id libagent: Add USB IDs for Jade Plus
Also support TS7.
Fix passphrase support on Trezor
Lookup GnuPG user ID (instead of assuming it's the first one)
…ative Windows
Reverts PR #15 and merges upstream/master. Preserves all OnlyKey features: RSA, stored-key slots (--skey/--dkey), --import-pub, SSH-RSA wire format, onlykey.py backend. Adds native Windows support (run-agent.bat) for OnlyKey. Drops keepkey/ledger. Keeps package identity lib-agent 1.0.7. Removes stale pkg_resources/semver, duplicate imports, duplicate python-daemon dep, backports.shutil_which. All checks green: pycodestyle, isort, pydocstyle, pytest (81 pass), pylint 10.00.
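
The usage example in the ED25519 certificate commit message above issues a certificate limited to ten minutes (-V '+10m') and a single principal (-n user). The following is an added example, not code from trezor-agent or lib-agent: it decodes those fields from an ssh-ed25519-cert-v01@openssh.com blob and reports certificates that break an assumed issuance policy. MAX_LIFETIME, the function names and the sample blob are constructed for illustration.

```python
import struct

CERT_TYPE = b"ssh-ed25519-cert-v01@openssh.com"
MAX_LIFETIME = 15 * 60  # assumed policy: certificates live at most 15 minutes

def put(b):
    """Encode an SSH 'string': uint32 length followed by the bytes."""
    return struct.pack(">I", len(b)) + b

def get(buf, off):
    """Decode an SSH 'string' at off; return (value, next offset)."""
    (n,) = struct.unpack_from(">I", buf, off)
    if off + 4 + n > len(buf):
        raise ValueError("truncated certificate")
    return buf[off + 4:off + 4 + n], off + 4 + n

def parse_cert(blob):
    """Extract the policy-relevant fields of an ED25519 certificate blob."""
    kind, off = get(blob, 0)
    if kind != CERT_TYPE:
        raise ValueError("not an ED25519 certificate")
    off = get(blob, get(blob, off)[1])[1]  # skip nonce and public key
    serial, ctype = struct.unpack_from(">QI", blob, off)
    key_id, off = get(blob, off + 12)
    names, off = get(blob, off)
    after, before = struct.unpack_from(">QQ", blob, off)
    principals, p = [], 0
    while p < len(names):
        name, p = get(names, p)
        principals.append(name.decode())
    return {"serial": serial, "type": ctype, "key_id": key_id.decode(),
            "principals": principals, "lifetime": before - after}

def audit(cert):
    """Return policy findings; an empty list means the certificate passes."""
    findings = []
    if cert["type"] != 1:  # 1 = user certificate, 2 = host certificate
        findings.append("not a user certificate")
    if not cert["principals"]:  # format: empty list = valid for any principal
        findings.append("no principals listed")
    if cert["lifetime"] > MAX_LIFETIME:
        findings.append("lifetime exceeds policy")
    return findings

def sample(principals, lifetime, start=1732393500):
    """Constructed blob, fields up to valid_before only (no real signature)."""
    names = b"".join(put(n.encode()) for n in principals)
    return (put(CERT_TYPE) + put(b"\0" * 32) + put(b"\1" * 32)
            + struct.pack(">QI", 0, 1) + put(b"user-id") + put(names)
            + struct.pack(">QQ", start, start + lifetime))
```

To audit a real certificate file, pass parse_cert the base64-decoded second field of the user-key-cert.pub line. The check reads fields only and does not verify the CA signature.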
Summary
Brings onlykey/lib-agent up to date with upstream romanz/trezor-agent (~50 commits) while preserving every OnlyKey-specific feature. Reverts PR #15 (the partial pkg_resources removal) and performs a full feature-preserving merge rather than a reset, since upstream's onlykey.py is RSA-stubbed.

Preserved OnlyKey features
- sig_encode_rsa signing path
- --skey/--dkey (ECC1–16, RSA1–4)
- --import-pub for loading an existing public key
- libagent/device/onlykey.py backend
- lib-agent 1.0.7 (distribution name; import package remains libagent)

New
- run-agent.bat on Windows (not just the Unix run-agent.sh / WSL path), sharing upstream's .sh/.bat-aware launcher logic plus win_server.py and doc/README-Windows.md from upstream.

Removed
- trezor_defs), per project scope.

Cleanup
- pkg_resources / unused semver usage and duplicate from importlib import metadata imports
- setup.py: dropped a duplicate python-daemon pin and the stale backports.shutil_which (Python-2 backport)

Validation
All tox py3 gates pass locally: pycodestyle, isort, pydocstyle, pytest (81 passed), pylint 10.00/10. CI runs these across Python 3.8–3.13.

Review notes
- ssh/client.py — parse_ssh_blob was restored to upstream's clean return dict; the OnlyKey sig_hash call now selects the hash type inline (msg['hashalg'] for SSHSIG, else msg['key_type']), which feeds the device the same bytes as before.
- onlykey.py — removed a no-op self_pubkey = self_pubkey in ecdh_with_pubkey. It did nothing as written; flagging in case it was an incomplete assignment.