This TKey device app implements X25519, the ECDH key agreement protocol for Curve25519. X25519 is implemented using Monocypher.
It is used by age-plugin-tkey which uses the Go package tkeyx25519 to communicate with this device app running on the TKey. But this can of course also be used by other parties wanting to do ECDH.
Note that this is work in progress. The implementation may change, and this will cause a change of identity of a TKey running this device app. This would mean that the public/private key no longer is the same, and decryption of data encrypted for the previous key pair will not be possible.
Based on https://github.com/tillitis/tkey-device-signer
You can build the device app locally by running build.sh, or checking out what it does.
For reproducibility the device app is typically built in a container, locking down the toolchain, and using specific versions of dependencies. Because if one single bit changes in the app.bin that will run on the TKey (for example due to a newer clang/llvm), then the identity (private/public key) of it will change.
You can use build-in-container.sh to do this
using our own container image (see
Containerfile
in the age-plugin-tkey repo). The clone of this repo that you're
sitting in will be mounted into the container and built, but
dependencies will be freshly cloned as they don't exist inside (it
runs build.sh
there). podman
is used for running the container
(packages: podman rootlesskit slirp4netns
).
The x25519/app.bin.sha512
contains the expected hash of the device
app binary when built using our container image which currently has
clang 17.