Releases: Nitrokey/nitrokey-3-firmware
v1.8.0
Features
- OpenPGP: add support for additional curves when using the se050 backend (#524):
  - NIST P-384
  - NIST P-521
  - brainpoolp256r1
  - brainpoolp384r1
  - brainpoolp512r1
- admin-app: Add command to list all supported config fields (admin-app#28)
- admin-app: Add `opcard.disabled` configuration option to disable OpenPGP (#539)
- piv: Add support for PIV, powered by the SE050 secure element (#534)
- Improve external flash mounting to decrease startup time (#440)
Notes
- This release adds a second CCID (smartcard) application, PIV. This may change the behavior of some programs like OpenSC when trying to access the existing CCID application, OpenPGP. The following workarounds are available:
  - Disable the PIV application on the Nitrokey 3 with `nitropy nk3 set-config piv.disabled true`.
  - Explicitly select the OpenSC application to use by setting the `OPENSC_DRIVER` environment variable, for example `OPENSC_DRIVER=openpgp`.
Known issues
- PIV: uploading a large certificate (> 1KiB) to the device might fail. Power cycling the device and retrying often solves the issue.
v1.8.0-rc.2
Features
- OpenPGP: add support for additional curves when using the se050 backend (#524):
  - NIST P-384
  - NIST P-521
  - brainpoolp256r1
  - brainpoolp384r1
  - brainpoolp512r1
- admin-app: Add command to list all supported config fields (admin-app#28)
- admin-app: Add `opcard.disabled` configuration option to disable OpenPGP (#539)
- piv: Add support for PIV, powered by the SE050 secure element (#534)
- Improve external flash mounting to decrease startup time (#440)
Changes from v1.8.0-rc.1
- fido-authenticator: Fix incompatibility with credentials generated with firmware v1.5.0 or older
Known issues
- PIV: uploading a large certificate to the device might fail. Power cycling the device and retrying often solves the issue.
v1.8.0-rc.1 (2024-11-07)
Features
- OpenPGP: add support for additional curves when using the se050 backend (#524):
  - NIST P-384
  - NIST P-521
  - brainpoolp256r1
  - brainpoolp384r1
  - brainpoolp512r1
- admin-app: Add command to list all supported config fields (admin-app#28)
- admin-app: Add `opcard.disabled` configuration option to disable OpenPGP (#539)
- piv: Add support for PIV, powered by the SE050 secure element (#534)
- Improve external flash mounting to decrease startup time (#440)
Known issues
- PIV: uploading a large certificate to the device might fail. Power cycling the device and retrying often solves the issue.
- FIDO: credentials generated with firmware v1.5.0 or older may not work with this release candidate. This is fixed in v1.8.0-rc.2.
v1.7.2-test.20241022
Features
- piv: Enable the use of the SE050 backend (#534)
- Add `opcard.disabled` and `piv.disabled` configuration options, allowing you to selectively disable PIV or OpenPGP in case the software you rely on runs into conflicts between the two applications (#539)
- fido: Fix an incompatibility with Firefox in v1.7.2-test.20240813 that was caused by an additional field in the response to Get Assertion requests (fido-authenticator#98)
Known issues - Read before updating
- This firmware update changes the data storage backend of the PIV application. Updating will lead to an incompatible state and PIV will fail to start. You must factory reset the PIV application prior to updating, otherwise it will not work. This can be done through `nitropy nk3 piv --experimental factory-reset` after having made 3 wrong attempts with a PIN-protected operation. (If you update prior to factory-resetting, you can still roll back to v1.7.2-test.20240813 to get it working again.)
- This firmware version updates the format of the FIDO2 state stored on the device. If a device is reverted to v1.7.2 or a previous test release after running this version, the FIDO2 state may be reset, invalidating all credentials.
- This firmware seems to have issues with authenticating FIDO2 credentials: while registering works, we are currently analyzing an issue during authentication.
v1.7.2-test.20240813
Features
- fido-authenticator: Implement the largeBlobKey extension and the largeBlobs command (fido-authenticator#38)
- OpenPGP: add support for additional curves when using the se050 backend (#524):
  - NIST P-384
  - NIST P-521
  - brainpoolp256r1
  - brainpoolp384r1
  - brainpoolp512r1
Fixes
- piv: Fix crash when changing PUK (piv-authenticator#38)
Known issues
- This firmware version updates the format of the FIDO2 state stored on the device. If a device is reverted to v1.7.2 or a previous test release after running this version, the FIDO2 state may be reset, invalidating all credentials.
- This firmware seems to have issues with authenticating FIDO2 credentials: while registering works, we are currently analyzing an issue during authentication.
v1.7.2-test.20240808
This release is currently in internal testing; signed binaries for use with nitropy will be uploaded within the next few days.
v1.7.2-test.20240625
Bugfixes
- PIV: Fix incompatibility with Windows Logon (#516)
v1.7.2
Bugfixes
- fido-authenticator: Fix incompatibility when enumerating resident keys with libfido2/ssh-agent (#496)
- Ensure that an application reset erases all relevant objects on the secure element (trussed-se050-backend#30)
v1.7.1
Bugfixes
- secrets-app: Require PIN for registering Reverse HOTP credentials (trussed-secrets-app#114)
Known Issues
`ssh-agent` cannot access the resident key used for SSH logins with firmware versions v1.7.0 and v1.7.1. This will be fixed in v1.7.2. (#496)
Notes
This release is not compatible with any Nitrokey/Nitropad HEADS versions before v2.5. To use this firmware version together with HEADS you strictly need to use a Nitropad firmware release v2.5+. For upstream HEADS this is any commit after this version was released.
v1.7.0
This release adds SE050 support to opcard, updates fido-authenticator to support CTAP 2.1 and introduces app and device factory reset.
Features
- Report errors when loading the configuration during initialization and disable opcard if an error occurred (#394)
- Fix LED during user presence check for NK3AM (#93)
- fido-authenticator: Implement CTAP 2.1
- OpenPGP: fix locking out after an aborted factory-reset operation (#443)
- Add an SE050 driver and its tests (#335)
- Use SE050 entropy to bootstrap the random number generator (#335)
- Enable SE050 support in OpenPGP by default (#471)
- Support app and device factory reset (#383, #479)
Known Issues
`ssh-agent` cannot access the resident key used for SSH logins with firmware versions v1.7.0 and v1.7.1. This will be fixed in v1.7.2. (#496)
Notes
- When upgrading from the test firmware release v1.6.0-test.20231218, OpenPGP keys will not be retained after the update if the `opcard.use_se050_backend` config option has been set to true.