trezord-go
Trezor Communication Daemon aka Trezor Bridge.
Only compatible with Chrome (version 53 or later) and Firefox (version 55 or later).
We officially don't support Windows 7 and older; it could run, but we don't guarantee it.
What does trezord do and why it is needed?
Trezord is a tiny http server, that allows webpages (like Trezor Suite in web mode) to communicate with Trezor directly.
Our new devices now support WebUSB, which should eliminate the need for Trezor Bridge; however, there are some reasons, why bridge is still needed.
- Firefox does not allow WebUSB (see discussion here).
- Devices with old firmware (2018 and older) support only HID and not WebUSB.
- WebUSB does not allow synchronization of USB access between domains.
Install and run from source
trezord-go requires go >= 1.18.
git clone --recursive https://github.com/trezor/trezord-go.git
cd trezord-go
go build .
./trezord-go -h
On Linux don't forget to install the udev rules if you are running from source and not using pre-built packages.
Debug mode
When built with -tags debug
a debug mode is enabled. This disables CORS which is helpful for local development and when run inside a docker image.
Build release packages
Prerequisites:
- install
docker
- make sure
docker
is in$PATH
make build-release
; the installers are inrelease/installers
, binaries inrelease/binaries
The base docker images are all built for both ARM and Intel 64, so they should work on both x64 architectures and ARM.
The base images are quite big and can take a while to download (mainly the musl cross-compiler, about 1 GB) and build (mainly the Rust-based apple-codesign). However, it should be cached correctly and run fast next time.
Signing release packages
By default, the binaries and installers are unsigned and unnotarized. The build does not require any certificates or private keys, but produces unsigned binaries and packages.
The notarization and signing is all done in Docker, so it can run everywhere. (No need to run the mac notarization on macOS, etc.)
If you want to sign the packages, you need the following:
- For Linux, you need to put GPG private key into
release/linux/privkey.asc
. - For Windows, you need to put GPG private key into
release/windows/privkey.asc
and an authenticode torelease/windows/authenticode.key
andrelease/windows/authenticode.crt
. - For macOS:
- You need to put GPG private key into
release/macos/privkey.asc
. - Then you need to generate and put a lot of things for notarization and signing into
release/macos/certs
; see the details in top comment ofrelease/macos/release.sh
.
- You need to put GPG private key into
All those files are ignored by .gitignore
so they are not accidentally put into git.
Emulator support
Trezord supports emulators for all Trezor versions. However, you need to enable it manually; it is disabled by default. After enabling, services that work with emulator can work with all services that support trezord.
To enable emulator, run trezord with a parameter -e
followed by port, for every emulator with an enabled port:
./trezord-go -e 21324
You can disable all USB in order to run on some virtuaized environments, for example on CI:
./trezord-go -e 21324 -u=false
API documentation
trezord-go
starts a HTTP server on http://localhost:21325
. AJAX calls are only enabled from trezor.io subdomains.
Server supports following API calls:
url method |
parameters | result type | description |
---|---|---|---|
/ POST |
{version :ย string} |
Returns current version of bridge | |
/enumerate POST |
Array<{path :ย string, session :ย stringย |ย null}> |
Lists devices.path uniquely defines device between more connected devices. Two different devices (or device connected and disconnected) will return different paths.If session is null, nobody else is using the device; if it's string, it identifies who is using it. |
|
/listen POST |
request body: previous, as JSON | like enumerate |
Listen to changes and returns either on change or after 30 second timeout. Compares change from previous that is sent as a parameter. "Change" is both connecting/disconnecting and session change. |
/acquire/PATH/PREVIOUS POST |
PATH : path of devicePREVIOUS : previous session (or string "null") |
{session :ย string} |
Acquires the device at PATH . By "acquiring" the device, you are claiming the device for yourself.Before acquiring, checks that the current session is PREVIOUS .If two applications call acquire on a newly connected device at the same time, only one of them succeed. |
/release/SESSION POST |
SESSION : session to release |
{} | Releases the device with the given session. By "releasing" the device, you claim that you don't want to use the device anymore. |
/call/SESSION POST |
SESSION : session to callrequest body: hexadecimal string |
hexadecimal string | Both input and output are hexadecimal, encoded in following way: first 2 bytes (4 characters in the hexadecimal) is the message type next 4 bytes (8 in hex) is length of the data the rest is the actual encoded protobuf data. Protobuf messages are defined in this protobuf file and the app, calling trezord, should encode/decode it itself. |
/post/SESSION POST |
SESSION : session to callrequest body: hexadecimal string |
0 | Similar to call , just doesn't read response back. Also forces the message to be sent even if another call is in progress. Usable mainly for debug link and workflow cancelling on Trezor. |
/read/SESSION POST |
SESSION : session to call |
0 | Similar to call , just doesn't post, only reads. Usable mainly for debug link. |
Debug link support
Trezord has support for debug link.
To support an emulator with debug link, run
./trezord-go -ed 21324:21325 -u=false
this will detect emulator debug link on port 21325, with regular device on 21324.
To support WebUSB devices with debug link, no option is needed, just run trezord-go.
In the enumerate
and listen
results, there are now two new fields: debug
and debugSession
. debug
signals that device can receive debug link messages.
Session management is separate for debug link and normal interface, so you can have two applications - one controlling trezor and one "normal".
There are new calls:
/debug/acquire/PATH
, which has the same path as normalacquire
, and returns aSESSION
/debug/release/SESSION
releases session/debug/call/SESSION
,/debug/post/SESSION
,/debug/read/SESSION
work as with normal interface
The session IDs for debug link start with the string "debug".
Copyright
- (C) 2018 Karel Bilek, Jan Pochyla
- CORS Copyright (c) 2013 The Gorilla Handlers Authors, BSD license
- (c) 2017 Jason T. Harris (also see https://github.com/deadsy/libusb for comprehensive list)
- (C) 2017 Pรฉter Szilรกgyi (also see https://github.com/karalabe/hid for comprehensive list)
- (C) 2010-2016 Pete Batard [email protected] (also see https://github.com/pbatard/libwdi/ for comprehensive list)
- Licensed under LGPLv3