[qubes-users] Trezor error with qubes

mailinglist_bot · August 31, 2021, 2:53pm

Hello,

In my last message I mentioned my attempts to start using the Trezor with qubes.

I try to follow this guide, from the official trezor website: Qubes OS - Trezor Wiki

I use the sys-usb based on debian-10 and tried the same with sys-usb based on debian-10-minimal with similar error. My online AppVM in anon-whonix.

After I finished the procedures described in the guide, I installed the trezor Bridge and Udev rules in the sys-usb, and the Trezor Suite in the anon-whonix, with sudo dpkg -i required-package.

Once I start both sys-usb and anon-whonix and attach the trezor-T I get following error (suite is seen by the sys-usb):

2021-08-31T14:38:06.967Z - ERROR(process-trezord): Status error: request to http://127.0.0.1:21325/ failed, reason: connect ECONNREFUSED 127.0.0.1:21325

Do you see any workarounds to make it work?

mailinglist_bot · September 4, 2021, 8:51pm

have you seen this?

github.com

Qubes-Community/Contents/blob/e7443c960228c1abec9b97f2c2027dbc01f45f63/docs/common-tasks/setup-trezor-cryptocurrency-hardware-wallet.md

## Setting up a Trezor cryptocurrency hardware wallet in Qubes

using a Fedora-based sys-usb VM and a Whonix WS-based application VM:
- navigate to the [Trezor instructions](https://wiki.trezor.io/Qubes_OS) page and read them. They are more frequently updated than this document.
- in dom0:
    `sudo vim /etc/qubes-rpc/policy/trezord-service`
add this line:
        `$anyvm $anyvm allow,user=trezord,target=sys-usb`
replace `sys-usb` with `disp-sys-usb` if you are using a disposable sys-usb

- in the sys-usb VM, or for disp-sys-usb, the VM on which it is based
  (in both cases, assumed to use a fedora-3x template):
	`sudo mkdir /usr/local/etc/qubes-rpc`
	`sudo vim /usr/local/etc/qubes-rpc/trezord-service`
	and add this line to trezord-service:
	`socat - TCP:localhost:21325`
- in the whonix-based application VM:
    `pip3 install --user trezor`
    `sudo vim /rw/config/rc.local`
	add this line (note the "&" at the end):

This file has been truncated. show original

mailinglist_bot · September 5, 2021, 10:28am

have you seen this?
Contents/docs/common-tasks/setup-trezor-cryptocurrency-hardware-wallet.md at e7443c960228c1abec9b97f2c2027dbc01f45f63 · Qubes-Community/Contents · GitHub

Actually I did do the process based on this guide. Everything is set up except bridge verification. The issue is that once I download the bridge from Trezor Suite App (Official) | Desktop & Web Crypto Management I cannot verify it with gpg2 --verify It returns:

[user@fedora-33-min-trezor ~]$ gpg2 --verify trezor-bridge-2.0.27-1.x86_64.rpm
gpg: no valid OpenPGP data found.
gpg: the signature could not be verified.
Please remember that the signature file (.sig or .asc)
should be the first file given on the command line.

If I try to use rpm directly, it returns this:

[user@fedora-33-min-trezor ~]$ sudo rpm -i trezor-bridge-2.0.27-1.x86_64.rpm
warning: trezor-bridge-2.0.27-1.x86_64.rpm: Header V4 RSA/SHA256 Signature, key ID b9a02a3d: NOKEY
package trezor-bridge-2.0.27-1.x86_64 does not verify: Header V4 RSA/SHA256 Signature, key ID b9a02a3d: NOKEY

Fedora min template has following packages installed: gnome-keyring qubes-core-agent-nautilus qubes-mgmt-salt-vm-connector qubes-usb-proxy and of course trezor-common

mailinglist_bot · September 25, 2021, 2:22pm

Ah, I think I forgot to verify. You need to install the public key so
you can verify the trezor-bridge RPM file.

Unfortunately I don't remember how to do this.