# Install trezor-agent with Homebrew, Nix

Hardware SSH/GPG agent for Trezor and Ledger. Version 0.13.0 via Homebrew; verified 2026-05-15.

## Install

```sh
sudo av install brew:trezor-agent
```

Additional install commands:

### macOS

- Homebrew (100%):

```sh
brew install trezor-agent
```

  Evidence: local Homebrew formula metadata

### Linux

- Nix (92%):

```sh
nix profile install nixpkgs#trezor-agent
```

  Evidence: nixpkgs package indexes: trezor-agent from https://raw.githubusercontent.com/NixOS/nixpkgs/master/pkgs/top-level/all-packages.nix

## Package facts

- **Package key:** brew:trezor-agent
- **Package manager:** Homebrew
- **Package manager page:** <https://formulae.brew.sh/formula/trezor-agent>
- **Version:** 0.13.0
- **Source summary:** Hardware SSH/GPG agent for Trezor and Ledger
- **Homepage:** <https://github.com/romanz/trezor-agent>
- **Repository:** <https://github.com/romanz/trezor-agent>
- **Upstream docs:** <https://github.com/romanz/trezor-agent#readme>
- **License:** LGPL-3.0-only
- **Source archive:** <https://files.pythonhosted.org/packages/d9/b1/e533c417259dc112a067226d4c95cb772d7c090b696a61a065e1e41429d6/trezor_agent-0.13.0.tar.gz>
- **Last updated:** 2026-05-15T11:13:55Z
- **Generated:** 2026-07-08T07:18:31+00:00

## Executables

- age-plugin-trezor (cli)
- trezor-agent (cli)
- trezor-gpg (cli)
- trezor-gpg-agent (cli)
- trezor-signify (cli)
- trezor_agent.py (cli)
- age-plugin-trezor (alias)
- trezor-agent (alias)
- trezor-gpg (alias)
- trezor-gpg-agent (alias)
- trezor-signify (alias)
- trezor_agent.py (alias)

## Dependencies

- certifi
- cryptography
- hidapi
- libsodium
- libusb
- python@3.14

## Build dependencies

- pkgconf
- rust

## Install behavior

- Post-install hook: not defined
- Bottle: available on arm64_linux, arm64_sequoia, arm64_sonoma, arm64_tahoe, sonoma, x86_64_linux

## Freshness

- Page generated: 2026-07-08
- Package-manager version: 0.13.0
- Package-manager updated: 2026-05-15
- Local data: ok
- Upstream repository: https://github.com/romanz/trezor-agent
- info: No cached GitHub release or tag data was available.
## Project history and usage

trezor-agent is a hardware-backed SSH, GPG, and age agent that grew out of early Trezor firmware support for using a hardware wallet as an identity and signing device. In package-manager culture it sits in the security-tools niche: a small CLI package that lets developers keep authentication and signing keys on a hardware device while still using familiar Unix tools.

### Project history

Trezor firmware 1.3.4, announced in September 2015, credited Roman Zeyde's work and introduced NIST P-256 support so a Trezor could be used for SSH login. The official instructions in that announcement installed `trezor_agent`, generated a public key with `trezor-agent`, and used the result in `authorized_keys`.

Firmware 1.3.6 extended the same idea beyond SSH by adding GPG key generation for signing email or documents and by pointing users to Trezor Agent for the user-space tooling. The repository later generalized the model into a shared `libagent` plus device-specific agents for Trezor, Blockstream Jade, and OnlyKey.

### Adoption history

The project was adopted by users who wanted hardware-backed developer identity without changing their normal SSH, Git, GPG, or password-store workflows. Its README lists signing email, Git commits, and software packages, managing passwords with `pass` or `passage`, and authenticating web tunnels and file transfers as representative uses.

Package-manager availability through Homebrew and Nix made it installable in the same way as other command-line security tools, which mattered because trezor-agent is usually used from shells, SSH subprocesses, Git commands, GPG, and systemd user units rather than as a standalone application.

### How it is used

For SSH, users derive a public key from an identity string, add that public key to remote access controls, and run commands or shells with `SSH_AUTH_SOCK` pointed at the agent. The official SSH guide also documents Git and Mercurial repository access, Git commit signing through SSH signatures, and optional systemd socket activation.

For GPG, users initialize a dedicated `GNUPGHOME` such as `~/.gnupg/trezor`, then continue using normal GPG-aware software while the agent asks the hardware device to sign or decrypt. The GPG guide covers commit and tag signing, password-store integration, file signing/decryption, and email use.

### Why package nerds care

trezor-agent is interesting to package nerds because it turns a cryptocurrency hardware wallet into a Unix authentication primitive. It bridges hardware-wallet APIs into the ecosystem of `ssh-agent`, GnuPG, Git signing, `pass`, systemd user sockets, and age plugins.

The package is also a good example of Homebrew packaging for a tool whose value is not a daemon or GUI, but a collection of small executables that plug into existing developer workflows: `trezor-agent`, `trezor-gpg`, `trezor-gpg-agent`, `trezor-signify`, and `age-plugin-trezor`.

### Timeline

- 2015: Trezor firmware 1.3.4 announcement documents SSH login with `trezor-agent`.
- 2016: Trezor firmware 1.3.6 announcement adds GPG signing support and references Trezor Agent.
- 2022: Official SSH guide documents Git commit signing with SSH signatures.
- 2026: GitHub repository lists `libagent/0.16.1` as the latest release on March 1, 2026.

### Related projects

- Related components include `libagent`, `jade_agent`, `onlykey-agent`, GnuPG, OpenSSH, age, pass, and Trezor firmware features for SSH/GPG operations.

### Sources

- <https://blog.trezor.io/trezor-firmware-1-3-4-enables-ssh-login-86a622d7e609>
- <https://blog.trezor.io/trezor-firmware-1-3-6-20a7df6e692>
- <https://github.com/romanz/trezor-agent#readme>
- <https://github.com/romanz/trezor-agent/blob/master/doc/README-GPG.md>
- <https://github.com/romanz/trezor-agent/blob/master/doc/README-SSH.md>


## Security Notes

No matching local secret-handling manifest was found for trezor-agent. Nucleus package metadata is still published here so future coverage has a stable package URL.



## Configuration and credential file locations

These source-backed paths show where this package keeps local settings or durable credentials. Automic Vault can use them as review targets for secret scanning, migration, and command approval.


## Configuration files

- Unix: ~/.ssh/agent.conf, ~/.gnupg/trezor
## Source Database Details

- **Source Database:** Homebrew formula API
- **Tap:** homebrew/core
- **Full Name:** trezor-agent
- **Version Scheme:** 0
- **Revision:** 2
- **Bottle Stable Root URL:** <https://ghcr.io/v2/homebrew/core>
- **Deprecated:** no
- **Disabled:** no
- **Keg Only:** no
- **URL Keys:** stable

## Other Package-Manager Records

- Nix - trezor-agent: normalized package name match | nixpkgs package indexes: trezor-agent from https://raw.githubusercontent.com/NixOS/nixpkgs/master/pkgs/top-level/all-packages.nix


## Related links

- [Source-control packages](https://www.automicvault.com/pkg/source-control-tools/) - Belongs to a source-control command family.
- [Terminal utility packages](https://www.automicvault.com/pkg/terminal-utilities/) - Matched terminal and command-line workflow metadata.
- [Networking and protocol packages](https://www.automicvault.com/pkg/networking-protocol-tools/) - Matched network, protocol, or remote-service metadata.
- [Security and crypto packages](https://www.automicvault.com/pkg/security-crypto-tools/) - Matched security, identity, cryptography, password, signing, or certificate metadata.
- [hidapi](https://www.automicvault.com/pkg/brew/hidapi/) - Runtime dependency declared by Homebrew.
- [python@3.14](https://www.automicvault.com/pkg/brew/python-3-14/) - Runtime dependency declared by Homebrew.
- [pkgconf](https://www.automicvault.com/pkg/brew/pkgconf/) - Build dependency declared by Homebrew.
- [rust](https://www.automicvault.com/pkg/brew/rust/) - Build dependency declared by Homebrew.
- [keepkey-agent](https://www.automicvault.com/pkg/brew/keepkey-agent/) - Shares the same upstream source repository.
- [trezor-bridge](https://www.automicvault.com/pkg/brew/trezor-bridge/) - Shares av.db curated category or tags: cli, hardware-wallet, security, trezor.
- [aescrypt](https://www.automicvault.com/pkg/brew/aescrypt/) - Shares av.db curated category or tags: cli, cryptography, security.
- [aespipe](https://www.automicvault.com/pkg/brew/aespipe/) - Shares av.db curated category or tags: cli, cryptography, security.
- [age](https://www.automicvault.com/pkg/brew/age/) - Shares av.db curated category or tags: cli, cryptography, security.
- [age-plugin-se](https://www.automicvault.com/pkg/brew/age-plugin-se/) - Shares av.db curated category or tags: cli, cryptography, security.
- [age-plugin-yubikey](https://www.automicvault.com/pkg/brew/age-plugin-yubikey/) - Shares av.db curated category or tags: cli, cryptography, security.
- [botan](https://www.automicvault.com/pkg/brew/botan/) - Shares av.db curated category or tags: cli, cryptography, security.
- [onlykey-agent](https://www.automicvault.com/pkg/brew/onlykey-agent/) - Both packages touch the same language runtime or ecosystem. Shared terms: agent, certifi, cli, cryptography, gpg.

## Combined YAML source

View the package source record on GitHub. [combined/trezor-agent.yml](https://github.com/automic-vault/db/blob/main/combined/trezor-agent.yml)


## Sources

- Nucleus package database
- Geiger risk classifier
- package-page enrichment
- curated configuration and credential file locations
- curated package history
- package version freshness
- av.db category and tag curation
- package relationship graph
- external package-manager database matches
- cross-ecosystem install command graph
