This release includes all Nitropad variants.
Important: From now on, the firmware binary for updating is a .zip file. For some releases we will also provide the old .npf images. To update from a firmware version < v2.4 you will need the .npf; starting from v2.4, please use the .zip.
Major Changes / Fixes:
This update addresses a potential security issue related to the re-creation of HOTP secrets on the Nitrokey 3 device.
This update ensures that re-creating HOTP secrets on the Nitrokey 3 always requires both User Verification (entering the user PIN) and User Presence (touching the Nitrokey 3).
To work correctly with HEADS v2.5, the Nitrokey 3 firmware has also been updated to version v1.7.1. With previous firmware versions, re-creating HOTP secrets only required User Presence, but did not verify the user PIN, which was a less strict security policy than intended.
Enables autoboot. Heads will now autoboot if all checks are correct. This can be stopped by pressing any key during startup.
Known Issues:
Signature
Verify the detached signature using:
gpg --verify sha256sum.sig sha256sum
You should expect output like this:
gpg: Signature made Wed 05 Jun 2024 02:09:22 PM CEST
gpg:                using RSA key C7E32619E2F71736F5910BB144CB2D868DD16BDA
gpg: Good signature from "Markus Meissner <[email protected]>" [ultimate]
gpg:                 aka "Markus Meissner <[email protected]>" [ultimate]
If you don't have the key yet, you can get it like this:
gpg2 --keyserver keyserver.ubuntu.com --recv-keys 44CB2D868DD16BDA
Feel free to cross-validate the main-key fingerprint on this profile.
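An added example, not part of the original release notes or of Nitrokey's tooling: gpg prints "Good signature" for any key present in the local keyring, so a scripted check should compare the signing-key fingerprint against the one shown above. The function names and the sample status lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Fingerprint as printed on this page ("using RSA key ...").
EXPECTED_FPR="C7E32619E2F71736F5910BB144CB2D868DD16BDA"

# check_status FPR: reads `gpg --status-fd` lines on stdin.
# Succeeds only if a VALIDSIG line names FPR as the signing key and no
# failure status or VALIDSIG from a different key is present.
check_status() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        $2 == "BADSIG" || $2 == "ERRSIG" { bad = 1 }
        $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" { bad = 1 }
        $2 == "VALIDSIG" {
            if (toupper($3) == toupper(want)) ok = 1; else bad = 1
        }
        END { if (ok && !bad) exit 0; exit 1 }
    '
}

# verify_release SIG FILE: hypothetical wrapper around the gpg command above.
# Machine-readable status goes to stdout, human-readable text is discarded.
verify_release() {
    gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null |
        check_status "$EXPECTED_FPR"
}

# Constructed sample status output (timestamps and trailing fields invented).
GOOD_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 44CB2D868DD16BDA Markus Meissner
[GNUPG:] VALIDSIG C7E32619E2F71736F5910BB144CB2D868DD16BDA 2024-06-05 1700000000 0 4 0 1 8 00 C7E32619E2F71736F5910BB144CB2D868DD16BDA'

# A valid signature, but made by a different key that is in the keyring.
OTHER_KEY_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Someone Else
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2024-06-05 1700000000 0 4 0 1 8 00 0123456789ABCDEF0123456789ABCDEF01234567'

# A signature that does not match the file contents.
BAD_STATUS='[GNUPG:] NEWSIG
[GNUPG:] BADSIG 44CB2D868DD16BDA Markus Meissner'
```

Call it as `verify_release sha256sum.sig sha256sum`; a zero exit status means the checksum file was signed by the expected key.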