Releases: Nitrokey/nitrokey-3-firmware

v1.8.3

14 Oct 14:46
18627ee

  • OpenPGP: fix factory reset and retry counter display

v1.8.2

13 Aug 09:23
86b391d

  • provisioner-app: Remove ReformatFilesystem command
  • fido-authenticator: Increase the maximum number of discoverable credentials (resident keys) to 100.
    • Note that the actual number of discoverable credentials that can be stored on a device depends on the model and the space used by other applications.
  • piv-authenticator: Update to v0.5.0
    • Add support for RSA 3072, RSA 4096 and NIST P-384
  • fido-authenticator: Improve compliance with CTAP 2.1 specification:
    • Forbid up = false when using the hmac-secret extension (fido-authenticator#19)
      • Note that this may break systemd-cryptenroll setups with --fido2-with-user-presence=no. If you have been using this option, regenerate the key slot with --fido2-with-user-presence=yes before updating.
    • Allow creating credentials without PIN (makeCredUvNotRqd, fido-authenticator#34)
    • Support clientPin getRetries without PIN protocol (fido-authenticator#118)
  • OpenPGP: Update to opcard v1.6.1
    • Add support for secp256k1
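
The hmac-secret change above affects LUKS2 key slots enrolled with --fido2-with-user-presence=no. As an added example (not part of the release notes or of the Nitrokey project's code), the following Python script lists such key slots so they can be regenerated before updating. It assumes the metadata comes from cryptsetup luksDump --dump-json-metadata and that systemd-cryptenroll records the setting in the token field fido2-up-required; the sample metadata is constructed.

```python
import json
import sys

# Constructed sample of LUKS2 JSON metadata (trimmed to the fields used here).
# Assumption: real input comes from `cryptsetup luksDump --dump-json-metadata <device>`.
SAMPLE_METADATA = """
{
  "keyslots": {"0": {"type": "luks2"}, "1": {"type": "luks2"}, "2": {"type": "luks2"}},
  "tokens": {
    "0": {"type": "systemd-fido2", "keyslots": ["1"],
          "fido2-clientPin-required": true, "fido2-up-required": false},
    "1": {"type": "systemd-fido2", "keyslots": ["2"],
          "fido2-clientPin-required": true, "fido2-up-required": true},
    "2": {"type": "systemd-recovery", "keyslots": ["0"]}
  }
}
"""


def slots_without_user_presence(metadata_json):
    """Return (token_id, keyslots) pairs for systemd-fido2 tokens enrolled with up=false."""
    tokens = json.loads(metadata_json).get("tokens", {})
    affected = []
    for token_id in sorted(tokens, key=int):
        token = tokens[token_id]
        if token.get("type") != "systemd-fido2":
            continue  # other token types are not FIDO2 enrollments
        # Only an explicit false is flagged; a token without the field is skipped.
        if token.get("fido2-up-required") is False:
            affected.append((token_id, list(token.get("keyslots", []))))
    return affected


if __name__ == "__main__":
    # Pipe real metadata on stdin, or run without input to use the sample.
    data = SAMPLE_METADATA if sys.stdin.isatty() else sys.stdin.read()
    for token_id, keyslots in slots_without_user_presence(data):
        print(f"token {token_id}: key slot(s) {', '.join(keyslots)} enrolled without "
              "user presence; re-enroll before updating")
```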

Migration notes

This update will change the way internal data is stored for the FIDO application in order to reduce data usage.
It is possible that your device already uses a lot of storage (especially if you're using FIDO resident keys).
If that is the case, the update will be blocked by pynitrokey or the Nitrokey app 2.

To solve this, you can do some operations that will free up space on the internal filesystem:

  • Deleting FIDO resident keys
  • Factory resetting the other applications
    While applications other than the FIDO application use mainly the external filesystem, they still use the internal filesystem for some critical state.

If you have backups and want to try to perform the migration anyway, you can use the --ignore-warning ifs-migration-v2 command line flag in pynitrokey, but be aware that it may leave your device in an inconsistent state and require a factory reset of the FIDO application.

Known Issues

With this firmware, communication with the Nitrokey 3 sometimes becomes stale after an OpenPGP card factory reset (using gpg); this can be solved by power-cycling the Nitrokey 3. As a result, the HEADS oem-factory-reset mechanism fails to complete with this firmware. We are already working on a solution.

v1.8.2-rc.1

01 Aug 07:42
ce2cca1

Pre-release

Features

  • External filesystem (used for PIV, secrets and OpenPGP): reformat fully when there is a factory reset
  • OpenPGP: add support for secp256k1 when using the se050 backend
  • fido-authenticator: Increase the number of credentials that can be stored
  • Update PIV application
    • Improve PIN verification speed
    • Fix PUK validation

v1.8.2-test.20250520

20 May 13:39
ef82133

Pre-release

Features

  • External filesystem (used for PIV, secrets and OpenPGP): reformat fully when there is a factory reset

v1.8.2-test.20250416

16 Apr 10:31
6c05bc5

Pre-release

Features

  • OpenPGP: add support for secp256k1 when using the se050 backend
  • fido-authenticator: Increase the number of credentials that can be stored

v1.8.2-test.20250312

12 Mar 14:08
2e56cbf

Pre-release

This release is currently in internal testing; signed binaries to be used with nitropy will be uploaded within the next few days.

v1.8.1

11 Feb 15:42
8e81fd4

Fixes

  • Update PIV-authenticator

Security

v1.8.0

06 Dec 14:51
8bfc4fb

Features

  • OpenPGP: add support for additional curves when using the se050 backend: (#524)
    • NIST P-384
    • NIST P-521
    • brainpoolp256r1
    • brainpoolp384r1
    • brainpoolp512r1
  • admin-app: Add command to list all supported config fields (admin-app#28)
  • admin-app: Add opcard.disabled configuration option to disable OpenPGP (#539)
  • piv: Add support for PIV, powered by the SE050 secure element (#534)
  • Improve external flash mounting to decrease startup time (#440)

Notes

  • This release adds a second CCID (smartcard) application, PIV. This may change the behavior of some programs like OpenSC when trying to access the existing CCID application, OpenPGP. The following workarounds are available:
    • Disable the PIV application on the Nitrokey 3 with nitropy nk3 set-config piv.disabled true.
    • Explicitly select the OpenSC application to use by setting the OPENSC_DRIVER environment variable, for example OPENSC_DRIVER=openpgp.

Known issues

  • PIV: uploading a large certificate (> 1KiB) to the device might fail. Power cycling the device and retrying often solves the issue.

v1.8.0-rc.2

03 Dec 14:12
cac87da

Pre-release

Features

  • OpenPGP: add support for additional curves when using the se050 backend: (#524)
    • NIST P-384
    • NIST P-521
    • brainpoolp256r1
    • brainpoolp384r1
    • brainpoolp512r1
  • admin-app: Add command to list all supported config fields (admin-app#28)
  • admin-app: Add opcard.disabled configuration option to disable OpenPGP (#539)
  • piv: Add support for PIV, powered by the SE050 secure element (#534)
  • Improve external flash mounting to decrease startup time (#440)

Changes from v1.8.0-rc.1

  • fido-authenticator: Fix incompatibility with credentials generated with firmware v1.5.0 or older

Known issues

  • PIV: uploading a large certificate to the device might fail. Power cycling the device and retrying often solves the issue.

v1.8.0-rc.1

20 Nov 09:25
709feb3

Pre-release

v1.8.0-rc.1 (2024-11-07)

Features

  • OpenPGP: add support for additional curves when using the se050 backend: (#524)
    • NIST P-384
    • NIST P-521
    • brainpoolp256r1
    • brainpoolp384r1
    • brainpoolp512r1
  • admin-app: Add command to list all supported config fields (admin-app#28)
  • admin-app: Add opcard.disabled configuration option to disable OpenPGP (#539)
  • piv: Add support for PIV, powered by the SE050 secure element (#534)
  • Improve external flash mounting to decrease startup time (#440)

Known issues

  • PIV: uploading a large certificate to the device might fail. Power cycling the device and retrying often solves the issue.
  • FIDO: credentials generated with firmware v1.5.0 or older may not work with this release candidate. This is fixed in v1.8.0-rc.2.