mmgen-autosign: help text fixes, add security note

mmgen/data/version

@@ -1 +1 @@
-13.3.dev46
+13.3.dev47

mmgen/main_autosign.py

@@ -38,7 +38,8 @@ opts_data = {
 -c, --coins=c         Coins to sign for (comma-separated list)
 -I, --no-insert-check Don’t check for device insertion
 -l, --led             Use status LED to signal standby, busy and error
--m, --mountpoint=M    Specify an alternate mountpoint 'M' (default: {asi.dfl_mountpoint!r})
+-m, --mountpoint=M    Specify an alternate mountpoint 'M'
+                      (default: {asi.dfl_mountpoint!r})
 -M, --mnemonic-fmt=F  During setup, prompt for mnemonic seed phrase of format
                       'F' (choices: {mn_fmts}; default: {asi.dfl_mn_fmt!r})
 -n, --no-summary      Don’t print a transaction summary
@@ -49,25 +50,26 @@ opts_data = {
                       will not be printed.
 -q, --quiet           Produce quieter output
 -v, --verbose         Produce more verbose output
--w, --wallet-dir=D    Specify an alternate wallet dir (default: {asi.dfl_wallet_dir!r})
+-w, --wallet-dir=D    Specify an alternate wallet dir
+                      (default: {asi.dfl_wallet_dir!r})
 """,
 	'notes': """
 
-                              COMMANDS
+                               SUBCOMMANDS
 
 gen_key - generate the wallet encryption key and copy it to the mountpoint
-          (currently configured as {asi.mountpoint!r})
-setup   - generate the wallet encryption key and wallet
+          {asi.mountpoint!r} (as currently configured)
+setup   - generate both wallet encryption key and temporary signing wallet
 wait    - start in loop mode: wait-mount-sign-unmount-wait
 
 
-                             USAGE NOTES
+                               USAGE NOTES
 
-If invoked with no command, the program mounts a removable device containing
-unsigned MMGen transactions and/or message files, signs them, unmounts the
-removable device and exits.
+If invoked with no subcommand, this program mounts a removable device
+(typically a USB flash drive) containing unsigned MMGen transactions and/or
+message files, signs them, unmounts the removable device and exits.
 
-If invoked with 'wait', the program waits in a loop, mounting the removable
+If invoked with ‘wait’, the program waits in a loop, mounting the removable
 device, performing signing operations and unmounting the device every time it
 is inserted.
 
@@ -76,36 +78,58 @@ the status LED indicates whether the program is busy or in standby mode, i.e.
 ready for device insertion or removal.
 
 The removable device must have a partition labeled MMGEN_TX with a user-
-writable root directory and a directory named '/tx', where unsigned MMGen
-transactions are placed. Optionally, the directory '/msg' may also be created
-and unsigned message files created by `mmgen-msg` placed in this directory.
+writable root directory and a directory named ‘/tx’, where unsigned MMGen
+transactions are placed.  Optionally, the directory ‘/msg’ may be created
+and unsigned message files produced by ‘mmgen-msg’ placed there.
 
-On the signing machine the mount point (currently configured as {asi.mountpoint!r})
-must exist and /etc/fstab must contain the following entry:
+On both the signing and online machines the mountpoint ‘{asi.mountpoint}’
+(as currently configured) must exist and ‘/etc/fstab’ must contain the
+following entry:
 
-    LABEL='MMGEN_TX' /mnt/tx auto noauto,user 0 0
+    LABEL=MMGEN_TX {asi.mountpoint} auto noauto,user 0 0
 
-Transactions are signed with a wallet on the signing machine located in the wallet
-directory (currently configured as {asi.wallet_dir!r}) encrypted with a 64-character
-hexadecimal password saved in the file `autosign.key` in the root of the removable
-device partition.
+Signing is performed with a temporary wallet created in volatile memory in
+the directory ‘{asi.wallet_dir}’ (as currently configured).  The wallet is
+encrypted with a 32-byte password saved in the file ‘autosign.key’ in the
+root of the removable device’s filesystem.
 
-The password and wallet can be created in one operation by invoking the
-command with 'setup' with the removable device inserted.  In this case, the
-user will be prompted for a seed mnemonic.
+The password and temporary wallet may be created in one operation by invoking
+‘mmgen-autosign setup’ with the removable device inserted.  In this case, the
+temporary wallet is created from the user’s default wallet, if it exists and
+the user so desires.  If not, the user is prompted to enter a seed phrase.
 
-Alternatively, the password and wallet can be created separately by first
-invoking the command with 'gen_key' and then creating and encrypting the
+Alternatively, the password and temporary wallet may be created separately by
+first invoking ‘mmgen-autosign gen_key’ and then creating and encrypting the
 wallet using the -P (--passwd-file) option:
 
-    $ mmgen-walletconv -r0 -q -iwords -d{asi.wallet_dir} -p1 -P/mnt/tx/autosign.key -Llabel
+    $ mmgen-walletconv -iwords -d{asi.wallet_dir} -p1 -N -P{asi.mountpoint}/autosign.key -Lfoo
 
-Note that the hash preset must be '1'.  Multiple wallets are permissible.
-
-For good security, it's advisable to re-generate a new wallet and key for
-each signing session.
+Note that the hash preset must be ‘1’.  To use a wallet file as the source
+instead of an MMGen seed phrase, omit the ‘-i’ option and add the wallet
+file path to the end of the command line.  Multiple temporary wallets may
+be created in this way and used for signing (note, however, that for XMR
+operations only one wallet is supported).
 
 This command is currently available only on Linux-based platforms.
+
+
+                               SECURITY NOTE
+
+By placing wallet and password on separate devices, this program creates
+a two-factor authentication setup whereby an attacker must gain physical
+control of both the removable device and signing machine in order to sign
+transactions.  It’s therefore recommended to always keep the removable device
+secure, separated from the signing machine and hidden (in your pocket, for
+example) when not transacting.  In addition, since login access on the
+signing machine is required to steal the user’s seed, it’s good practice
+to lock the signing machine’s screen once the setup process is complete.
+
+As a last resort, cutting power to the signing machine will destroy the
+volatile memory where the temporary wallet resides and foil any attack,
+even if you’ve lost control of the removable device.
+
+Always remember to power off the signing machine when your signing session
+is over.
 """
 	},
 	'code': {