But why use Trezor Suite if you have Sparrow? I'm confused.
I see avoidance of single points of failure as one of the key aspects of hardware wallets, and not using the hardware wallet provider's companion app is important to remove the provider as a single point of failure. Yes, Trezor firmware is reproducible and has many eyes on the code as there are many clones, but nobody would be in a better position to know about flaws exploitable by companion software than the provider itself, and the companion software - Trezor Suite in this case - has nowhere near as many eyes on the code as the firmware. Therefore I don't use it and wish Sparrow would rather facilitate updating the Trezor firmware, which sadly is something that I still do with the Trezor Suite.
That is a fair question - and my answer is that some folks are used to using it and don't want to change. Old habits die hard, especially for older folks. What Craig has done with this is provided people with a consumer-grade experience for verifying software. I hear your concerns, but this will likely help people to avoid downloading malware, and give them some exposure to the cool stuff available in Sparrow. The fact that it can be used for verifying 3rd party software is cool af, IMO.
Maybe Craig can help me here? ...

Ok, WTF? So I unlocked the Trezor with Sparrow and then went to https://suite.trezor.io/web/ to see if it works there. It indeed worked and showed some sats ... without having to confirm anything at all on the Trezor. That is a bit scary. Once unlocked, does it surrender the xpubs to all apps running on my system? That is scary, and it's the first time I've noticed this happening.
Yeah, I think this recently changed. Trezor used to require me to enter my pin before showing balances, now they always show, even after a restart. I'm currently in the process of switching to ColdCard.
Given that Trezor has not been updated in probably 6 years, it must always have been like this. With such API calls being possible without any interaction on the device, I wonder if that could be used to hammer the device with these requests and use timing information to extract secrets over millions of API requests.