In order to use the default GPG pinentry program, install one of the following Linux packages:
$ apt install pinentry-{curses,gnome3,qt}
or (on macOS):
$ brew install pinentry
By default a standard GPG PIN entry program is used when entering your Trezor PIN, but it's difficult to use if you don't have a numeric keypad or want to use your mouse.
You can specify a custom PIN entry program such as trezor-gpg-pinentry-tk (and separately, a passphrase entry program) to match your workflow.
The below examples use trezor-gpg-pinentry-tk
but any GPG compatible PIN entry can be used.
Run
pip install trezor-gpg-pinentry-tk
Add the flag --pin-entry-binary trezor-gpg-pinentry-tk
to all calls to trezor-agent
.
To automatically use this flag, add the line pinentry=trezor-gpg-pinentry-tk
to ~/.ssh/agent.config
. Note this is currently broken due to this dependency issue.
If you run the SSH agent with Systemd you'll need to add --pin-entry-binary
to the ExecStart
command. You may also need to add this line:
Environment="DISPLAY=:0"
to the [Service]
section to tell the PIN entry program how to connect to the X11 server.
If you haven't completed initialization yet, run:
$ (trezor|keepkey|ledger)-gpg init --pin-entry-binary trezor-gpg-pinentry-tk "Roman Zeyde <roman.zeyde@gmail.com>"
to configure the PIN entry at the same time.
Otherwise, open $GNUPGHOME/trezor/run-agent.sh
and change the --pin-entry-binary
option to trezor-gpg-pinentry-tk
and run:
killall trezor-gpg-agent
Any problems running the PIN entry program with GPG should appear in $HOME/.gnupg/trezor/gpg-agent.log
.
You can get similar logs for SSH by specifying --log-file
in the SSH command line.
The passphrase is cached by the agent (after its first entry), which needs to be restarted in order to reset the passphrase:
$ killall trezor-agent # (for SSH)
$ killall trezor-gpg-agent # (for GPG)