From 3999dd203ce700acb5930aa7a08440de0253ea1a Mon Sep 17 00:00:00 2001
From: The MMGen Project
Date: Thu, 20 Apr 2023 17:07:35 +0000
Subject: [PATCH] mmgen-autosign: help text fixes, add security note

---
 mmgen/data/version | 2 +-
 mmgen/main_autosign.py | 84 +++++++++++++++++++++++++++---------------
 2 files changed, 55 insertions(+), 31 deletions(-)

diff --git a/mmgen/data/version b/mmgen/data/version
index a8b2572b..35fef34c 100644
--- a/mmgen/data/version
+++ b/mmgen/data/version
@@ -1 +1 @@
-13.3.dev46
+13.3.dev47
diff --git a/mmgen/main_autosign.py b/mmgen/main_autosign.py
index 1814399c..f62277ad 100755
--- a/mmgen/main_autosign.py
+++ b/mmgen/main_autosign.py
@@ -38,7 +38,8 @@ opts_data = {
 -c, --coins=c Coins to sign for (comma-separated list)
 -I, --no-insert-check Don’t check for device insertion
 -l, --led Use status LED to signal standby, busy and error
--m, --mountpoint=M Specify an alternate mountpoint 'M' (default: {asi.dfl_mountpoint!r})
+-m, --mountpoint=M Specify an alternate mountpoint 'M'
+ (default: {asi.dfl_mountpoint!r})
 -M, --mnemonic-fmt=F During setup, prompt for mnemonic seed phrase of format 'F'
  (choices: {mn_fmts}; default: {asi.dfl_mn_fmt!r})
 -n, --no-summary Don’t print a transaction summary
@@ -49,25 +50,26 @@ opts_data = { will not be printed. -q, --quiet Produce quieter output -v, --verbose Produce more verbose output --w, --wallet-dir=D Specify an alternate wallet dir (default: {asi.dfl_wallet_dir!r}) +-w, --wallet-dir=D Specify an alternate wallet dir + (default: {asi.dfl_wallet_dir!r}) """, 'notes': """ - COMMANDS + SUBCOMMANDS gen_key - generate the wallet encryption key and copy it to the mountpoint - (currently configured as {asi.mountpoint!r}) -setup - generate the wallet encryption key and wallet + {asi.mountpoint!r} (as currently configured) +setup - generate both wallet encryption key and temporary signing wallet wait - start in loop mode: wait-mount-sign-unmount-wait - USAGE NOTES + USAGE NOTES -If invoked with no command, the program mounts a removable device containing -unsigned MMGen transactions and/or message files, signs them, unmounts the -removable device and exits. +If invoked with no subcommand, this program mounts a removable device +(typically a USB flash drive) containing unsigned MMGen transactions and/or +message files, signs them, unmounts the removable device and exits. -If invoked with 'wait', the program waits in a loop, mounting the removable +If invoked with ‘wait’, the program waits in a loop, mounting the removable device, performing signing operations and unmounting the device every time it is inserted. 
@@ -76,36 +78,58 @@ the status LED indicates whether the program is busy or in standby mode, i.e. ready for device insertion or removal. The removable device must have a partition labeled MMGEN_TX with a user- -writable root directory and a directory named '/tx', where unsigned MMGen -transactions are placed. Optionally, the directory '/msg' may also be created -and unsigned message files created by `mmgen-msg` placed in this directory. +writable root directory and a directory named ‘/tx’, where unsigned MMGen +transactions are placed. Optionally, the directory ‘/msg’ may be created +and unsigned message files produced by ‘mmgen-msg’ placed there. -On the signing machine the mount point (currently configured as {asi.mountpoint!r}) -must exist and /etc/fstab must contain the following entry: +On both the signing and online machines the mountpoint ‘{asi.mountpoint}’ +(as currently configured) must exist and ‘/etc/fstab’ must contain the +following entry: - LABEL='MMGEN_TX' /mnt/tx auto noauto,user 0 0 + LABEL=MMGEN_TX {asi.mountpoint} auto noauto,user 0 0 -Transactions are signed with a wallet on the signing machine located in the wallet -directory (currently configured as {asi.wallet_dir!r}) encrypted with a 64-character -hexadecimal password saved in the file `autosign.key` in the root of the removable -device partition. +Signing is performed with a temporary wallet created in volatile memory in +the directory ‘{asi.wallet_dir}’ (as currently configured). The wallet is +encrypted with a 32-byte password saved in the file ‘autosign.key’ in the +root of the removable device’s filesystem. -The password and wallet can be created in one operation by invoking the -command with 'setup' with the removable device inserted. In this case, the -user will be prompted for a seed mnemonic. +The password and temporary wallet may be created in one operation by invoking +‘mmgen-autosign setup’ with the removable device inserted. 
In this case, the +temporary wallet is created from the user’s default wallet, if it exists and +the user so desires. If not, the user is prompted to enter a seed phrase. -Alternatively, the password and wallet can be created separately by first -invoking the command with 'gen_key' and then creating and encrypting the +Alternatively, the password and temporary wallet may be created separately by +first invoking ‘mmgen-autosign gen_key’ and then creating and encrypting the wallet using the -P (--passwd-file) option: - $ mmgen-walletconv -r0 -q -iwords -d{asi.wallet_dir} -p1 -P/mnt/tx/autosign.key -Llabel + $ mmgen-walletconv -iwords -d{asi.wallet_dir} -p1 -N -P{asi.mountpoint}/autosign.key -Lfoo -Note that the hash preset must be '1'. Multiple wallets are permissible. - -For good security, it's advisable to re-generate a new wallet and key for -each signing session. +Note that the hash preset must be ‘1’. To use a wallet file as the source +instead of an MMGen seed phrase, omit the ‘-i’ option and add the wallet +file path to the end of the command line. Multiple temporary wallets may +be created in this way and used for signing (note, however, that for XMR +operations only one wallet is supported). This command is currently available only on Linux-based platforms. + + + SECURITY NOTE + +By placing wallet and password on separate devices, this program creates +a two-factor authentication setup whereby an attacker must gain physical +control of both the removable device and signing machine in order to sign +transactions. It’s therefore recommended to always keep the removable device +secure, separated from the signing machine and hidden (in your pocket, for +example) when not transacting. In addition, since login access on the +signing machine is required to steal the user’s seed, it’s good practice +to lock the signing machine’s screen once the setup process is complete. 
+ +As a last resort, cutting power to the signing machine will destroy the +volatile memory where the temporary wallet resides and foil any attack, +even if you’ve lost control of the removable device. + +Always remember to power off the signing machine when your signing session +is over. """ }, 'code': {
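Review bot: The added SECURITY NOTE paragraph that says cutting power "will destroy the volatile memory where the temporary wallet resides and foil any attack" overstates the guarantee: it only holds if the wallet directory is actually RAM-backed and its contents have never been paged out, yet the `-w, --wallet-dir=D` option earlier in this same help text lets the user point the wallet at any directory, and nothing in the note mentions swap. I'd qualify it along the lines of `As a last resort, cutting power to the signing machine will destroy the temporary wallet, provided the wallet directory is on a RAM-backed filesystem (as the default is described above) and swap is disabled or encrypted; with a disk-backed wallet directory the wallet file survives a power cut.` Separately, the new fstab example relies on the `user` option, which on Linux implies `noexec,nosuid,nodev` unless later options override it; spelling those out in the example line (`LABEL=MMGEN_TX {asi.mountpoint} auto noauto,user,noexec,nosuid,nodev 0 0`) would document the intent for a device that is by design passed between an online and an offline machine. The SECURITY NOTE is the end of the `notes` string; the enclosing `opts_data` dict continues past the hunk.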