This Python library enables easy communication with TAPSIGNER™, SATSCARD™ and SATSCHIP™.
Repository contents:
- The protocol specification
- Python library for speaking the protocol
- Supporting documentation
Examples/Libraries in other languages:
- C++ https://github.com/nunchuk-io/tap-protocol
- React Native https://github.com/bithyve/cktap-protocol-react-native
- ffi https://github.com/thunderbiscuit/cktap-ffi
- Rust https://github.com/notmandatory/rust-cktap
Recommended NFC desktop reader
- HID Omnikey "CL5022 CL" works well in Windows, Linux and MacOS.
- https://store.coinkite.com/store/nfc-read-b
First update pip
to latest version and install wheel (otherwise
legacy setup.py install will be used)
pip install -U pip wheel
Install cktap
, our helpful command-line program, with just:
pip install 'coinkite-tap-protocol[cli]'
OR
If you just want the Python library by itself, use: pip install coinkite-tap-protocol
- Do a git checkout
- Make a fresh virtualenv (suggested)
- Run:
# only library
pip install --editable .
# or with cktap cmdline utility
pip install --editable '.[cli]'
# for testing purposes
pip install --editable '.[test]'
This installs cktap
and any changes you make will be immediately
reflected in the installed version.
- Python 3.6 or higher
pyscard
for access to smart card readers- A supported smart card reader. In theory, all smart card USB CCID class-compliant
devices should work. Our observations:
- ACS ACR1252U - okay and widely available, and for sale by Coinkite
- Identiv uTrust 3700F - reliable and looks nice
- HID Omnikey 5022 CL (not 5021) - fast, cute, and small
- HID OmniKey 5427 CK - tested Gen1 device, fast, reliable, must disable keyboard wedge via EEM interface on device at
http://192.168.63.99/
, when correct will identify as VID:PID076b:5427
- NOT recommended: ACS ACR122U. It can work, and is widely available, but is not reliable.
- See
requirements.txt
file for python packages needed.
Installing pyscard
require SWIG and libpcsclite:
# run below before installing dependencies with pip
# tested on Ubuntu 20.04 (only)
sudo apt-get install swig
sudo apt-get install libpcsclite-dev
# some newer debian-based distros (ubuntu24) require:
sudo apt-get install pcscd
sudo systemctl enable pcscd
Installing pyscard
requires SWIG and the pcsc-lite library:
# run below before installing dependencies with pip
# tested on Fedora 37 (only)
sudo dnf install swig pcsc-lite-devel
Installing pyscard
may require SWIG:
- Download .zip from http://swig.org.
- Extract and move into
C:\Program Files
. - Add that to system PATH.
- Test:
swig
at command prompt should work. - Run
pip install pyscard
.
Tested against 13.0-RELEASE.
pkg install py38-pyscard py38-coincurve
- follow devfs.conf instructions
- install usr/ports/devel/libccid
- add
pcscd_enable="YES"
to rc.conf
pip install base58
pip install -e git+https://github.com/coinkite/python-bip32.git@iss27#egg=bip32
- Make your virtualenv with:
virtualenv ENV --system-site-packages
pkg install py38-secp256k1
(pulls a tragic set of dependencies)
NOTE: SWIG is needed to build wheel for pyscard
. You may need to run pkg install swig
.
Python code for an emulator which communicates with cktap
via a local Unix socket. It's provided without warranty and isn't
installed by default. cktap
prefers to speak to the emulator
if it is running.
See README for emulator.
>>> from cktap.transport import find_first
>>> card = find_first()
>>> print(card)
<CKTapCard SATSCARD via NFC: 26NKY-RWPK4-65YR7-BU4WL>
>>> card.address()
'bc1q7h0u5yn8y4pajn94ze4gnhz487c8ysvekusqj5'
>>> from cktap.transport import find_first
>>> card = find_first()
>>> print(card)
<CKTapCard TAPSIGNER via EMU: 2LNJA-NIGMW-Q5AKC-KD5Q2>
>>> card.get_xpub('123456')
'xpub6DXuQW17LykdXFyEtRrq9Z3MAegRPLAwFovT34afzK6NNHkwJrWCs4Knhrjf1U22QSSbykyzpfRsDZc9ryk9b6VUfGp89vkQw6YjY4CaEQ3'
Any command which reveals private key info or changes the state of the card requires the 6-digit numeric code from the back of the card (called CVC, spend code, or Starting PIN Code on TAPSIGNER). You can provide this on the command line, or omit it. Commands requiring the CVC but entered without it will prompt you for the CVC. Some commands display limited information without the CVC. To see more detail, include the CVC on the command line.
cktap --version
- Get the version of cktap library
cktap list
- List all cards detected on any reader attached
cktap certs
- Check this card was made by Coinkite
cktap status
- Shows status info.
cktap setup
- Tells card to pick private key. Chain code can be provided by user. User can verify that provided chain code was used.
- called only once on TAPSIGNER, and for each slot setup on SATSCARD
cktap open
- Opens Bitcoin Core or your other wallet by activating the BITCOIN:addr URL scheme for the current slot of the card.
cktap qr
- Displays deposit QR code.
cktap unseal
- Unseals the current slot and shows the WIF for funds sweeping.
- WIF must be imported into a blockchain-aware wallet.
cktap balance
- Calls a web service to get UTXO and show current Bitcoin balance.
- Uses
tord
(if running locally) to proxy the request.
cktap xpub
- Shows the XPUB in effect.
cktap backup
- Saves the card's XPRV into an AES-128-CTR encrypted file with the current date.
cktap change OLDPINCODE NEWPINCODE
- Use to change the PIN on the card
cktap path
- Shows the derivation path in effect, by default:
m/84h/0h/0h
cktap upload -i /path/to/image.jpg
- collects artwork meta data (title, description, etc) and uploads signed result to public server
% cktap
Usage: cktap [OPTIONS] COMMAND [ARGS]...
Interact with SATSCARD and TAPSIGNER cards via NFC tap.
Command marked [TS] are only for TAPSIGNER and [SC] only for SATSCARD. All
[TS] command also work on SATSCHIP (for artwork).
You can use "bal", or "b" for "balance": any distinct prefix for all
commands.
Options:
-i, --card-ident BLAHZ- Operate on specific card (any substring is enough)
-w, --wait Waits until a card is in place.
-v, --verbose Show traffic with card.
--pdb Prepare patient for surgery to remove bugs.
-e, --emulator-cert Use root cert key generated by emulator
--root-cert-pubkey TEXT Provide alternate root cert key for certificate
checks (testing only)
--version Show the version and exit.
--help Show this message and exit.
Commands:
address [SC] Show current deposit address
backup [TS] Backup private key from card into AES-128-CTR encrypted file
balance [SC] Show the balance held on all slots
certs Check this card was made by Coinkite: Verifies a certificate...
chain Get which blockchain (Bitcoin/Testnet) is configured.
change [TS] Change the CVC code (PIN code)
check Verify you have the spending code (CVC) correct.
core [SC] Show JSON needed to import keys into Bitcoin Core
debug Start interactive (local) debug session.
derive [TS] Change the subkey derivation path to use (shows xpub)
dump [SC] Show state of slot number indicated.
json [TS] Dump wallet values in JSON format similar to Coldcard...
list List all cards detected on any reader attached.
msg Sign a short text message
open [SC] Get address and open associated local Bitcoin app to...
path [TS] Show the subkey derivation path in effect
qr [SC] Show current deposit address as a QR (or private key if...
setup Setup with a fresh private key.
status Show a few things about status of card
unlock Clear login delay (takes 15 seconds)
unseal [SC] Unseal current slot and reveal private key.
upload [SATSCHIP] Upload an image and artwork's metadata to public...
url Get website URL used for NFC verification, and optionally open it
usage [SC] Show slots usage so far.
version Get the version of the card's firmware installed (but not...
wif [SC] Show WIF for last unsealed slot, or give slot number
xpub [TS] Show the xpub in use
% cktap list
<CKTapCard SATSCARD: 26NKY-RWPK4-65YR7-BU4WL>
<CKTapCard TAPSIGNER: RUIXK-5XI6U-G55IQ-DVGVI>
% cktap -i RUIXK status
-- TAPSIGNER Card --
Card ident: RUIXK-5XI6U-G55IQ-DVGVI
Birth Height: 723471
Number of backups: 25
Current derivation: m/84h/0h/0h
% cktap -i 26NKY status
-- SATSCARD --
Card ident: XDXKQ-W6VW6-GEQI3-ATSC2
Birth Height: 700001
Active Slot: 7
Address: tb1q779z3npw49qs3rhyk8zhh7l0sgyr9uphm6jlp0
% cktap usage
SLOT# | STATUS | ADDRESS
------+----------+-------------
1 | UNSEALED | (use spend code to view)
2 | UNSEALED | (use spend code to view)
3 | UNSEALED | (use spend code to view)
4 | sealed | bc1qu4vsv2jqgl0y30ehrs4d0dg23xazpgnxdwuqum
5 | unused |
6 | unused |
7 | unused |
8 | unused |
9 | unused |
10 | unused |
% cktap usage 123456
SLOT# | STATUS | ADDRESS
------+----------+-------------
1 | UNSEALED | bc1q4rdps7e8xkaat4ewmmv0hmunsu20s329tf8pdm
2 | UNSEALED | bc1qe8q7zjtj7utsjlgsq9vn7dl6gqf7kj02tuuec6
3 | UNSEALED | bc1q9n97zn2nwp7cdhujsgqpgqpv0z49f70lxz9ns2
4 | sealed | bc1qu4vsv2jqgl0y30ehrs4d0dg23xazpgnxdwuqum
5 | unused |
6 | unused |
7 | unused |
8 | unused |
9 | unused |
10 | unused |
% cktap qr -o today.svg
(SVG of QR is saved to file)
% cktap addr
bc1qu4vsv2jqgl0y30ehrs4d0dg23xazpgnxdwuqum
% cktap wif -s 1
Enter spending code (6 digits):
p2wpkh:L16cgmhZJWD7fq3eDi3gL7Yko6WYixxZi4f5T3XxxDCF2HnZdHJa
% cktap status
-- TAPSIGNER Card --
Card ident: RUIXK-5XI6U-G55IQ-DVGVI
Birth Height: 723471
Number of backups: 25
Current derivation: m/84h/0h/0h
% cktap backup 347634
Wrote 109 bytes to: backup-RUIXK-2022-02-16T0926.aes
% hd backup-RUIXK-2022-02-16T0926.aes
00000000 d6 3e 40 59 f0 fd 7a 3d 06 67 a5 94 0b 5d 01 09 |.>@Y..z=.g...]..|
00000010 27 58 c3 2a 1f c1 66 d9 84 84 25 96 af 71 23 a1 |'X.*..f...%..q#.|
00000020 0b bc aa ba c1 a3 98 6d f2 cd 9c 24 51 8c f7 bf |.......m...$Q...|
00000030 09 ad 53 0d 9b 07 2b 8e 12 be 73 24 3a 09 a9 3d |..S...+...s$:..=|
00000040 26 6c 98 59 34 95 aa 78 a1 0b 7a 2b 77 98 1f 7a |&l.Y4..x..z+w..z|
00000050 d1 cf d6 e6 fd 31 b3 88 1a d9 df 68 03 a3 8b 06 |.....1.....h....|
00000060 db 66 ef d6 ea 5f 5f 08 9a ed f2 2a 71 |.f...__....*q|
0000006d
For more information about specific cktap
commands check docs/cli.md