Releases: tillitis/tkey-ssh-agent
v1.0.0
Note: This is a major release that changes the Ed25519 key pair. See the migration guide for help in migrating to the new version.
Reproducible builds:
We're currently building releases with goreleaser using Go 1.22.2.
You should be able to build a binary that is an exact copy of our release binaries if you use the same Go compiler, at least for the statically linked Linux and Windows binaries.
On macOS tkey-ssh-agent is unfortunately not statically linked. The binary was built on macOS with uname:
Darwin Kernel Version 22.6.0: Tue Nov 7 21:42:24 PST 2023; root:xnu-8796.141.3.702.9~2/RELEASE_ARM64_T6020 arm64
Changelog:
- All other apps, libraries, and packages have moved to their own repos.
- Bug fix for Windows: Complain and quit cleanly when agent socket already exists.
- Embed binary signer in repo. This enables go install as install method. --version now also outputs version of embedded device app.
- Builds releases and OS packages with goreleaser.
- tkey-device-signer has been updated to v1.0.0. WARNING: Breaks CDI! Generates new key pair.
- tkeyclient has been updated to v1.0.0.
- tkeysign has been updated to v1.0.0.
v0.0.6
- Change max frame size of Framing Protocol to 128 bytes because of problems on macOS.
- Unbreak test-loop.py: Probe for firmware first instead of probing for signer app.
v0.0.5
Warning! CDI and all derived keys change!
For use with tillitis-tkey TK1-23.03.
- Firmware protocol change.
- Apps now loaded at beginning of RAM and stack at end of RAM.
- Less blinking - steady LED when waiting for command.
- Client apps now probe for firmware, and device apps reply NOK if a message is meant for firmware.
- New device app: nx, to test memory execution protection (see CPU_MON in tk1_mem.h)
v0.0.4
- tkey-ssh-agent now connects to the TKey for each SSH agent operation
(and disconnects afterwards with a delay). The serial port is thus
left accessible to others. The udev rule that sent SIGHUP to
tkey-ssh-agent upon insert/remove of TKey is no longer needed, and
tkey-ssh-agent does nothing upon receiving a SIGHUP.
v0.0.3
- Update tk1_mem.h and timer app to the revised timer MMIO API
This matches the engineering-release-2 tag in https://github.com/tillitis/tillitis-key1
v0.0.2
- macOS fixes in serial library.
- Definition of Unique Device Identifier changed.
- Allow building signer with touch requirement removed.
- tkey-runapp and tkey-sign host programs now more scriptable.
- Firmware's blake2s() now available from libcommon and used in
rng_stream. Local blake2s removed.
- Removes GET_UDI protocol call from signer. CHANGES SIGNER'S IDENTITY!
- Introduce libmonocypher as a library. CHANGES IDENTITY!
v0.0.1
From docs/release_notes.md:
Release notes
v0.0.1
Since we haven't tagged any release before this we list some recent
significant and/or breaking changes.
Revised SSH Agent
Introduces a revised Tillitis TKey SSH Agent, tkey-ssh-agent. The
new agent:
- runs as a daemon all the time (as systemd user unit, if you want).
- autodetects TKey removal and insertion with the help of udev rules
(or just send it a SIGHUP yourself to make it look for a TKey
again).
- spawns a graphical pinentry program to enter the User-Supplied
Secret.
The first iteration of this revision of the SSH agent is focused on
Linux distributions and has an Ubuntu/Debian package available.
Simplified firmware protocol
The firmware protocol for loading a TKey app has changed. We now
combine starting to load an app by setting size and loading USS into a
single request. The firmware automatically returns the app digest and
starts the app when the last chunk of the binary has been received.
GetNameVersion also now expects an ASCII array for NAME0 and NAME1
both from the firmware and from TKey apps. This also means the
signerapp has a new digest and hence a new identity.
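Why a new signer digest means a new identity, as an added example (not code from the tkey-ssh-agent repo or the TKey firmware): it models the CDI as a BLAKE2s hash over the device secret (UDS), the app digest and the optional USS, which is an assumption about the exact construction. The UDS value, the app byte strings and all function names are constructed for illustration.

```python
import hashlib
from typing import Optional

# Constructed sample values. A real UDS is a per-device secret that never
# leaves the TKey; the "binaries" below are stand-ins for signer app builds.
UDS = bytes.fromhex("a5" * 32)
SIGNER_OLD = b"signer app build A" * 64
SIGNER_NEW = SIGNER_OLD[:-1] + b"B"  # differs from the old build in one byte


def app_digest(app_binary: bytes) -> bytes:
    """BLAKE2s-256 measurement of the device app as it is loaded."""
    return hashlib.blake2s(app_binary).digest()


def derive_cdi(uds: bytes, digest: bytes, uss: Optional[bytes] = None) -> bytes:
    """Assumed model: CDI = BLAKE2s(UDS || app digest [|| USS])."""
    h = hashlib.blake2s()
    h.update(uds)
    h.update(digest)
    if uss is not None:
        h.update(uss)
    return h.digest()


def upgrade_report(old_app: bytes, new_app: bytes,
                   uss: Optional[bytes] = None) -> dict:
    """Tell an operator, before rollout, whether an app update rotates keys."""
    old_d, new_d = app_digest(old_app), app_digest(new_app)
    old_cdi = derive_cdi(UDS, old_d, uss)
    new_cdi = derive_cdi(UDS, new_d, uss)
    return {
        "old_digest": old_d.hex(),
        "new_digest": new_d.hex(),
        # Only the digests are visible to the host; the UDS and CDI are not.
        "digest_changed": old_d != new_d,
        # The key pair is derived from the CDI, so a new CDI means a new
        # public key that has to be enrolled again (authorized_keys etc.).
        "identity_changed": old_cdi != new_cdi,
    }


if __name__ == "__main__":
    for name, value in upgrade_report(SIGNER_OLD, SIGNER_NEW).items():
        print(f"{name}: {value}")
```

On a real host only the app digest can be compared, since the UDS stays in the device; a changed digest is the signal to plan for a new public key.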
Division no longer available
We now build the TKey apps with the RV32 Zmmul extension since we
removed support for division on the PicoRV32 CPU.