v1.7.1

Bugfixes

• secrets-app: Require PIN for registering Reverse HOTP credentials (trussed-secrets-app#114)

Known Issues

• ssh-agent cannot access the resident key used for SSH logins with firmware versions v1.7.0 and v1.7.1. This will be fixed in v1.7.2. (#496)

Notes

This release is not compatible with any Nitrokey/Nitropad HEADS versions before v2.5. To use this firmware version together with HEADS you strictly need to use a Nitropad firmware release v2.5+. For upstream HEADS this is any commit after this version was released.

v1.7.0

This release adds SE050 support to opcard, updates fido-authenticator to support CTAP 2.1 and introduces app and device factory reset.

Features

• Report errors when loading the configuration during initialization and disable opcard if an error occured (#394)
• Fix LED during user presence check for NK3AM (#93)
• fido-authenticator: Implement CTAP 2.1
• OpenPGP: fix locking out after an aborted factory-reset operation (#443)
• Add an SE050 driver and its tests (#335)
• Use SE050 entropy to bootstrap the random number generator (#335)
• Enable SE050 support in OpenPGP by default (#471)
• Support app and device factory reset (#383, #479)

Known Issues

• ssh-agent cannot access the resident key used for SSH logins with firmware versions v1.7.0 and v1.7.1. This will be fixed in v1.7.2. (#496)

Notes

• When upgrading from the test firmware release v1.6.0-test.20231218, OpenPGP keys will not be retained after the update if the opcard.use_se050_backend config option has been set to true.

v1.7.0-rc.3

Features

• Support app and device factory reset (#383, #479)

Notes

• When upgrading from the test firmware release v1.6.0-test.20231218, OpenPGP keys will not be retained after the update if the opcard.use_se050_backend config option has been set to true.

v1.7.0-rc.2

Features

• Add an SE050 driver and its tests (#335)
• Use SE050 entropy to bootstrap the random number generator (#335)
• Enable SE050 support in OpenPGP by default (#471)

Notes

• When upgrading from the test firmware release v1.6.0-test.20231218, OpenPGP keys will not be retained after the update if the opcard.use_se050_backend config option has been set to true.

v1.7.0-rc.1

Changelog

Features

• Report errors when loading the configuration during initialization and disable opcard if an error occured (#394)
• Fix LED during user presence check for NK3AM (#93)
• fido-authenticator: Implement CTAP 2.1
• OpenPGP: fix locking out after an aborted factory-reset operation (#443)

v1.6.0-test.20231218

This update requires pynitrokey v0.4.35 or newer. You can install it with:

$ nitropy nk3 update --version v1.6.0-test.20231218

Changes

(since v1.6.0-test.20231206)

Opcard (OpenPGP): Add experimental configuration option to enable the SE050 secure element backend. This can be done, with pynitrokey v0.4.44: nitropy nk3 set-config opcard.use_se050_backend true.

This will cause a factory-reset of opcard data. On older versions of nitropy, the command may work but will require a power cycle of the device before opcard is functional.

This new backend will increase the security of PIN protected operations. It will also improve the performance of cryptographic operation, especially RSA. This means that when the secure element backend is enabled, RSA 4096 bit keys can now be generated on-device.

Fixed

• Piv: Fixed generation of RSA keys.

Functions

Stable

• admin-app v0.1.0-nitrokey.9
• fido-authenticator v0.1.1-nitrokey.10 (FIDO2)
• secrets v0.13.0-rc2 (OTP and Passwords)
• opcard v1.3.0 (OpenPGP)

Unstable

• piv-authenticator v0.3.3
• websmartcard v0.8.0-rc5

v1.6.0-test.20231206

This update requires pynitrokey v0.4.35 or newer. You can install it with:

$ nitropy nk3 update --version v1.6.0-test.20231206

Changes

(since v1.6.0)

Changed

• FIDO: add support for large-blobs (#385)

Fixed

• Reduced binary size (#397)

Functions

Stable

• admin-app v0.1.0-nitrokey.9
• fido-authenticator v0.1.1-nitrokey.10 (FIDO2)
• secrets v0.13.0-rc2 (OTP and Passwords)
• opcard v1.3.0 (OpenPGP)

Unstable

• piv-authenticator v0.3.2
• websmartcard v0.8.0-rc3

v1.6.0

Changes

Features

• usbip: Add user presence check (#314, #321)
• admin-app: Add config mechanism (#344)

Changed

• secrets-app: Update to v0.13.0-rc.2
  • Confirm credential removal with a touch (trussed-secrets-app#92)
  • Allow to update credential (trussed-secrets-app#65)
• Improve stack usage of several components (#353)
• Reject APDU commands from multiple transports (apdu-dispatch#19)

Fixed

• fido-authenticator: Reduce the maximum credential ID length for improved compatibility (fido-authenticator#37)
• fido-authenticator: Multiple changes to improve compliance with the specification (overview: fido-authenticator#6)
• Upgrade opcard to v1.2.0, fixing memory issues when using multiple RSA keys, potential data corruption, correct handling of non canonical curve25519 public keys and properly rejecting NFC requests (#376)
• Correct maximum binary size for LPC55 and only enable PRINCE for the subregions used for the filesystem (#355)
• lpc55: Move USB initialization to the end of the boot process to make sure that the device can respond to all requests, fixing a potential delay when connecting the device under Linux (#302)

Functions

• admin-app v0.1.0-nitrokey.8
• fido-authenticator v0.1.1-nitrokey.9 (FIDO2)
• secrets v0.13.0-rc2 (OTP and Passwords)
• opcard v1.2.1 (OpenPGP)

v1.6.0-rc.1

Features

• Add an SE050 driver and its tests (#335)
• usbip: Add user presence check (#314, #321)
• admin-app: Add config mechanism (#344)

Changed

• Use SE050 entropy to bootstrap the random number generator (#335)
• secrets-app: Update to v0.13.0-rc.1
  • Confirm credential removal with a touch (trussed-secrets-app#92)
  • Allow to update credential (trussed-secrets-app#65)
• Improve stack usage of several components (#353)
• Reject APDU commands from multiple transports (apdu-dispatch#19)

Fixed

• fido-authenticator: Reduce the maximum credential ID length for improved compatibility (fido-authenticator#37)
• fido-authenticator: Multiple changes to improve compliance with the specification (overview: fido-authenticator#6)
• Upgrade opcard to v1.2.0, fixing memory issues when using multiple RSA keys, potential data corruption, correct handling of non canonical curve25519 public keys and properly rejecting NFC requests (#376)
• Correct maximum binary size for LPC55 and only enable PRINCE for the subregions used for the filesystem (#355)
• lpc55: Move USB initialization to the end of the boot process to make sure that the device can respond to all requests, fixing a potential delay when connecting the device under Linux (#302)

v1.5.0-test.20231030

This update requires pynitrokey v0.4.35 or newer. You can install it with:

$ nitropy nk3 update --version v1.5.0-test.20231030

Changes

(since v1.5.0-test.20230704)

Features

• Add an SE050 driver and its tests (#335)
• usbip: Add user presence check (#314, #321)
• admin-app: Add config mechanism (#344)

Changed

• Use SE050 entropy to bootstrap the random number generator (#335)
• secrets-app: Update to v0.13.0-rc.1
  • Allow to update credential (trussed-secrets-app#65)
  • Remove challenge response authentication method (trussed-secrets-app#44)
• Improve stack usage of several components (#353)

Fixed

• fido-authenticator: Reduce the maximum credential ID length for improved compatibility (fido-authenticator#37)
• fido-authenticator: Multiple changes to improve compliance with the specification (overview: fido-authenticator#6)
• Correct maximum binary size for LPC55 and only enable PRINCE for the subregions used for the filesystem (#355)

Functions

Stable

• admin-app v0.1.0-nitrokey.5
• fido-authenticator v0.1.1-nitrokey.7 (FIDO2)
• secrets v0.13.0-rc1 (OTP and Passwords)
• opcard v1.1.1 (OpenPGP)

Unstable

• piv-authenticator v0.3.2
• websmartcard v0.8.0-rc3