Install Trezor (or update/upgrade) on Ubuntu; Trezor `.desktop` file

trezor-upgrade

#!/bin/bash

# /opt/trezor/trezor-upgrade
#
# Shell script to upgrade/update Trezor Suite desktop application.
#

DOWNLOAD_PAGE_HTML="`curl -s https://suite.trezor.io/`"
SATOSHILABS_KEY="`echo ${DOWNLOAD_PAGE_HTML} | grep -oP 'satoshilabs-[^ ]*?-signing-key.asc' - | head -n1`"
CURRENT_VERSION="`echo ${DOWNLOAD_PAGE_HTML} | grep -oP 'Trezor-Suite-[^ ]*?AppImage' - | head -n1`"
CURRENT_VERSION_SIGNATURE="`echo ${DOWNLOAD_PAGE_HTML} | grep -oP 'Trezor-Suite-[^ ]*?AppImage.asc' - | head -n1`"

DOWNLOAD_DIRECTORY="https://suite.trezor.io/web/static/desktop/"
CURRENT_VERSION_URL=${DOWNLOAD_DIRECTORY}${CURRENT_VERSION}
CURRENT_VERSION_SIGNATURE_URL=${DOWNLOAD_DIRECTORY}${CURRENT_VERSION_SIGNATURE}

if [ -e "/opt/trezor/${CURRENT_VERSION}" ]; then 
  echo "Latest version of Trezor Desktop already installed" 
  exit 0
fi

# Unlock `sudo`
echo "We need elevated privileges to install Trezor Suite"
sudo ls > /dev/null

# Download latest file
echo "Downloading latest version of Trezor Suite ..."
curl ${CURRENT_VERSION_URL} | sudo tee /opt/trezor/${CURRENT_VERSION} > /dev/null

if [ ! -e "/opt/trezor/${CURRENT_VERSION}" ]; then 
  echo "Failed to download the current Trezor Suite, version ${CURRENT_VERSION}" 
  echo "Tried to download from ${CURRENT_DOWNLOAD_URL}"
  exit 1
fi

# Download the signature
echo "Downloading verification signature for latest version of Trezor Suite ..."
curl ${CURRENT_VERSION_SIGNATURE_URL} | sudo tee /opt/trezor/${CURRENT_VERSION_SIGNATURE} > /dev/null

if [ ! -e "/opt/trezor/${CURRENT_VERSION_SIGNATURE}" ]; then
  echo "Failed to download PGP verification signature file"
  echo "Tried to download from ${CURRENT_VERSION_SIGNATURE_URL}"
  exit 2
fi

# Download the latest key
if [ ! -e "/opt/trezor/${SATOSHILABS_KEY}" ]; then
  echo "Downloading SatoshiLab PGP key ..."
  curl https://trezor.io/security/${SATOSHILABS_KEY} | sudo tee /opt/trezor/${SATOSHILABS_KEY} > /dev/null

  # Import the public key for verification use
  echo "Importing SatoshiLabs PGP key ..."
  gpg --import "/opt/trezor/${SATOSHILABS_KEY}"
fi

echo "Verifying downloaded file ..."
gpg --verify /opt/trezor/${CURRENT_VERSION_SIGNATURE} /opt/trezor/${CURRENT_VERSION}
if [ $? -ne 0 ]; then
  echo "Signature verification failed!"
  exit 3
fi

echo "Linking new version ..."
sudo chmod +x /opt/trezor/${CURRENT_VERSION} && sudo rm /opt/trezor/trezor && sudo ln -s ${CURRENT_VERSION} /opt/trezor/trezor

if [ ! -e "/usr/share/applications/trezor.desktop" ]; then 
  echo "Creating desktop file ..."
  sudo ln -s /opt/trezor/trezor.desktop /usr/share/applications/
  sudo update-desktop-database
fi

echo "Done!"
echo

exit 0

trezor.desktop

[Desktop Entry]
Name=Trezor Suite
GenericName=Trezor Suite
Comment=Trezor Suite desktop application
Exec=/opt/trezor/trezor
Terminal=false
Type=Application
Icon=/opt/trezor/trezor.png
Categories=Office;Finance;Cryptocurrency;
Name[en_US]=Trezor Suite
Actions=Launch;Upgrade

[Desktop Action Launch]
Name=Launch Trezor Suite
Exec=/opt/trezor/trezor

[Desktop Action Upgrade]
Name=Upgrade Trezor Suite
Exec=/opt/trezor/trezor-upgrade

trezor.png

#!/bin/bash

curl -s https://suite.trezor.io/static/images/icons/favicon/favicon.png -o /opt/trezor/trezor.png

Pro tip: Download the .asc signature from a different source, like their GitHub repo. An attacker controlling the trezor domain will most probably fit the "right" signature along with the binary.