Releases: Nitrokey/nitrokey-3-firmware

v1.8.0

06 Dec 14:51
v1.8.0
8bfc4fb

Features

  • OpenPGP: add support for additional curves when using the se050 backend: (#524)
    • NIST P-384
    • NIST P-521
    • brainpoolp256r1
    • brainpoolp384r1
    • brainpoolp512r1
  • admin-app: Add command to list all supported config fields (admin-app#28)
  • admin-app: Add opcard.disabled configuration option to disable OpenPGP (#539)
  • piv: Add support for PIV, powered by the SE050 secure element (#534)
  • Improve external flash mounting to decrease startup time (#440)

Notes

  • This release adds a second CCID (smartcard) application, PIV. This may change the behavior of some programs like OpenSC when trying to access the existing CCID application, OpenPGP. The following workarounds are available:
    • Disable the PIV application on the Nitrokey 3 with nitropy nk3 set-config piv.disabled true.
    • Explicitly select the OpenSC application to use by setting the OPENSC_DRIVER environment variable, for example OPENSC_DRIVER=openpgp.

Known issues

  • PIV: uploading a large certificate (> 1KiB) to the device might fail. Power cycling the device and retrying often solves the issue.

v1.8.0-rc.2

03 Dec 14:12
v1.8.0-rc.2
cac87da
Pre-release

Features

  • OpenPGP: add support for additional curves when using the se050 backend: (#524)
    • NIST P-384
    • NIST P-521
    • brainpoolp256r1
    • brainpoolp384r1
    • brainpoolp512r1
  • admin-app: Add command to list all supported config fields (admin-app#28)
  • admin-app: Add opcard.disabled configuration option to disable OpenPGP (#539)
  • piv: Add support for PIV, powered by the SE050 secure element (#534)
  • Improve external flash mounting to decrease startup time (#440)

Changes from v1.8.0-rc.1

  • fido-authenticator: Fix incompatibility with credentials generated with firmware v1.5.0 or older

Known issues

  • PIV: uploading a large certificate to the device might fail. Power cycling the device and retrying often solves the issue.

v1.8.0-rc.1

20 Nov 09:25
v1.8.0-rc.1
709feb3
Pre-release

v1.8.0-rc.1 (2024-11-07)

Features

  • OpenPGP: add support for additional curves when using the se050 backend: (#524)
    • NIST P-384
    • NIST P-521
    • brainpoolp256r1
    • brainpoolp384r1
    • brainpoolp512r1
  • admin-app: Add command to list all supported config fields (admin-app#28)
  • admin-app: Add opcard.disabled configuration option to disable OpenPGP (#539)
  • piv: Add support for PIV, powered by the SE050 secure element (#534)
  • Improve external flash mounting to decrease startup time (#440)

Known issues

  • PIV: uploading a large certificate to the device might fail. Power cycling the device and retrying often solves the issue.
  • FIDO: credentials generated with firmware v1.5.0 or older may not work with this release candidate. This is fixed in v1.8.0-rc.2.

v1.7.2-test.20241022

22 Oct 13:20
v1.7.2-test.20241022
e418b5f
Pre-release

Features

  • piv: Enable the use of the SE050 backend (#534)
  • Add opcard.disabled and piv.disabled configuration options, which allow you to selectively disable PIV or OpenPGP in case the software you rely on causes conflicts between the two applications. (#539)
  • fido: Fix an incompatibility with Firefox in v1.7.2-test.20240813 that was caused by an additional field in the response to Get Assertion requests (fido-authenticator#98)

Known issues - Read before updating

  • This firmware update changes the data storage backend of the PIV application. Updating will lead to an incompatible state and PIV will fail to start. You must factory reset the PIV application prior to updating, otherwise it will not work. This can be done through nitropy nk3 piv --experimental factory-reset after having made 3 wrong attempts with a PIN-protected operation.
    (If you update prior to factory-resetting, you can still roll back to v1.7.2-test.20240813 to get it working again.)

  • This firmware version updates the format of the FIDO2 state stored on the device. If a device is reverted to v1.7.2 or a previous test release after running this version, the FIDO2 state can be reset and all credentials can be invalidated.

  • This firmware seems to have issues with authenticating FIDO2 credentials: registering works, but we are currently analyzing an issue during authentication.

v1.7.2-test.20240813

13 Aug 12:02
v1.7.2-test.20240813
553fff1
Pre-release

Features

  • fido-authenticator: Implement the largeBlobKey extension and the largeBlobs command (fido-authenticator#38)
  • OpenPGP: add support for additional curves when using the se050 backend: (#524)
    • NIST P-384
    • NIST P-521
    • brainpoolp256r1
    • brainpoolp384r1
    • brainpoolp512r1

Fixes

Known issues

  • This firmware version updates the format of the FIDO2 state stored on the device. If a device is reverted to v1.7.2 or a previous test release after running this version, the FIDO2 state can be reset and all credentials can be invalidated.

  • This firmware seems to have issues with authenticating FIDO2 credentials: registering works, but we are currently analyzing an issue during authentication.

v1.7.2-test.20240808

08 Aug 09:43
v1.7.2-test.20240808
30cc5fc
Pre-release

This release is currently in internal testing; signed binaries to be used with nitropy will be uploaded within the next few days.

v1.7.2-test.20240625

25 Jun 15:22
v1.7.2-test.20240625
3fd83c9
Pre-release

Bugfixes

  • PIV: Fix incompatibility with Windows Logon (#516)

v1.7.2

11 Jun 18:25
v1.7.2
e633e13

Bugfixes

  • fido-authenticator: Fix incompatibility when enumerating resident keys with libfido2/ssh-agent (#496)
  • Ensure that an application reset erases all relevant objects on the secure element (trussed-se050-backend#30)

v1.7.1

06 May 18:53
v1.7.1
f22e6e3

Bugfixes

Known Issues

  • ssh-agent cannot access the resident key used for SSH logins with firmware versions v1.7.0 and v1.7.1. This will be fixed in v1.7.2. (#496)

Notes

This release is not compatible with any Nitrokey/Nitropad HEADS versions before v2.5. To use this firmware version together with HEADS you strictly need to use a Nitropad firmware release v2.5+. For upstream HEADS this is any commit after this version was released.

v1.7.0

24 Apr 10:00
v1.7.0
6e122a2

This release adds SE050 support to opcard, updates fido-authenticator to support CTAP 2.1 and introduces app and device factory reset.

Features

  • Report errors when loading the configuration during initialization and disable opcard if an error occurred (#394)
  • Fix LED during user presence check for NK3AM (#93)
  • fido-authenticator: Implement CTAP 2.1
  • OpenPGP: fix locking out after an aborted factory-reset operation (#443)
  • Add an SE050 driver and its tests (#335)
  • Use SE050 entropy to bootstrap the random number generator (#335)
  • Enable SE050 support in OpenPGP by default (#471)
  • Support app and device factory reset (#383, #479)

Known Issues

  • ssh-agent cannot access the resident key used for SSH logins with firmware versions v1.7.0 and v1.7.1. This will be fixed in v1.7.2. (#496)

Notes

  • When upgrading from the test firmware release v1.6.0-test.20231218, OpenPGP keys will not be retained after the update if the opcard.use_se050_backend config option has been set to true.