Releases: tillitis/tkey-ssh-agent
v1.1.1
v1.1.0
- Update tkeyclient version because of a vulnerability leaving some
USSs unused. Keys might have changed since earlier versions! Read
more here:
- Add a new option flag: --force-full-uss to force full use of the
32 byte USS digest.
Full Changelog: v1.0.0...v1.1.0
Reproducible builds:
We're currently building releases with goreleaser using Go 1.23.1.
You should be able to build a binary that is an exact copy of our release binaries if you use the same Go compiler, at least for the statically linked Linux and Windows binaries. On macOS tkey-ssh-agent is unfortunately not statically linked.
v1.0.0
Note: This is a major release that changes the Ed25519 key pair. See the migration guide for help in migrating to the new version.
Reproducible builds:
We're currently building releases with goreleaser using Go 1.22.2.
You should be able to build a binary that is an exact copy of our release binaries if you use the same Go compiler, at least for the statically linked Linux and Windows binaries.
On macOS tkey-ssh-agent is unfortunately not statically linked. The binary was built on macOS with uname:
Darwin Kernel Version 22.6.0: Tue Nov 7 21:42:24 PST 2023; root:xnu-8796.141.3.702.9~2/RELEASE_ARM64_T6020 arm64
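To check the claim in the two "Reproducible builds" notes (Go 1.23.1 for v1.1.0, Go 1.22.2 for v1.0.0), the following added example, which is not part of the tkey-ssh-agent repository, compares a downloaded release binary with a local build and, on a mismatch, shows which embedded toolchain version or build setting differs. The names meta and compareBuilds are made up for this example; it relies only on Go's standard debug/buildinfo package.

```go
package main

import (
	"crypto/sha256"
	"debug/buildinfo"
	"fmt"
	"os"
)

// meta (hypothetical helper) returns a binary's SHA-256 and embedded Go build metadata.
func meta(path string) (map[string]string, error) {
	raw, rerr := os.ReadFile(path)
	bi, berr := buildinfo.ReadFile(path)
	if rerr != nil || berr != nil {
		return nil, fmt.Errorf("%s: read=%v buildinfo=%v", path, rerr, berr)
	}
	m := map[string]string{"sha256": fmt.Sprintf("%x", sha256.Sum256(raw)), "go": bi.GoVersion}
	for _, s := range bi.Settings { // -trimpath, CGO_ENABLED, GOOS, vcs.revision, ...
		m[s.Key] = s.Value
	}
	return m, nil
}

// compareBuilds reports byte-identity and maps each differing field to {release, local}.
func compareBuilds(release, local, wantGo string) (bool, map[string][2]string, error) {
	rm, rerr := meta(release)
	lm, lerr := meta(local)
	if rerr != nil || lerr != nil {
		return false, nil, fmt.Errorf("release: %v; local: %v", rerr, lerr)
	}
	diffs := map[string][2]string{}
	for _, m := range []map[string]string{rm, lm} { // union of both key sets
		for k := range m {
			if rm[k] != lm[k] {
				diffs[k] = [2]string{rm[k], lm[k]}
			}
		}
	}
	if lm["go"] != wantGo { // toolchain named in the release notes
		diffs["go (release notes)"] = [2]string{wantGo, lm["go"]}
	}
	return rm["sha256"] == lm["sha256"], diffs, nil
}

func main() { // usage: verify RELEASE_BINARY LOCAL_BINARY go1.23.1
	if len(os.Args) != 4 {
		panic("need RELEASE_BINARY LOCAL_BINARY GOVERSION")
	}
	fmt.Println(compareBuilds(os.Args[1], os.Args[2], os.Args[3]))
}
```

The toolchain argument uses the form Go embeds in binaries, for example go1.23.1 or go1.22.2.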
Changelog:
- All other apps, libraries, and packages have moved to their own repos.
- Bug fix for Windows: Complain and quit cleanly when agent socket already exists.
- Embed binary signer in repo. This enables go install as install method.
- --version now also outputs version of embedded device app.
- Builds releases and OS packages with goreleaser.
- tkey-device-signer has been updated to v1.0.0. WARNING: Breaks CDI! Generates new key pair.
- tkeyclient has been updated to v1.0.0.
- tkeysign has been updated to v1.0.0.
v0.0.6
- Change max frame size of Framing Protocol to 128 bytes because of problems on macOS.
- Unbreak test-loop.py: Probe for firmware first instead of probing for signer app.
v0.0.5
Warning! CDI and all derived keys change!
For use with tillitis-tkey TK1-23.03.
- Firmware protocol change.
- Apps now loaded at beginning of RAM and stack at end of RAM.
- Less blinking - steady LED when waiting for command.
- Client apps now probe for firmware, and device apps reply NOK if a message is meant for firmware.
- New device app: nx, to test memory execution protection (see
CPU_MON in tk1_mem.h)
v0.0.4
- tkey-ssh-agent now connects to the TKey for each SSH agent operation
(and disconnects afterwards with a delay). The serial port is thus
left accessible to others. The udev rule that sent SIGHUP to
tkey-ssh-agent upon insert/remove of TKey is no longer needed, and
tkey-ssh-agent does nothing upon receiving a SIGHUP.
v0.0.3
- Update tk1_mem.h and timer app to the revised timer MMIO API
This matches the engineering-release-2 tag in https://github.com/tillitis/tillitis-key1
v0.0.2
- macOS fixes in serial library.
- Definition of Unique Device Identifier changed.
- Allow building signer with touch requirement removed.
- tkey-runapp and tkey-sign host programs now more scriptable.
- Firmware's blake2s() now available from libcommon and used in
rng_stream. Local blake2s removed.
- Removes GET_UDI protocol call from signer. CHANGES SIGNER'S IDENTITY!
- Introduce libmonocypher as a library. CHANGES IDENTITY!
v0.0.1
From docs/release_notes.md:
Release notes
v0.0.1
Since we haven't tagged any release before this we list some recent
significant and/or breaking changes.
Revised SSH Agent
Introduces a revised Tillitis TKey SSH Agent, tkey-ssh-agent. The
new agent:
- runs as a daemon all the time (as systemd user unit, if you want).
- autodetects TKey removal and insertion with the help of udev rules
(or just send it a SIGHUP yourself to make it look for a TKey
again).
- spawns a graphical pinentry program to enter the User-Supplied
Secret.
The first iteration of this revision of the SSH agent is focused on
Linux distributions and has an Ubuntu/Debian package available.
Simplified firmware protocol
The firmware protocol for loading a TKey app has changed. We now
combine starting to load an app by setting size and loading USS into a
single request. The firmware automatically returns the app digest and
starts the app when the last chunk of the binary has been received.
GetNameVersion also now expects an ASCII array for NAME0 and
NAME1 both from the firmware and from TKey apps. This also means the
signer app has a new digest and hence a new identity.
Division no longer available
We now build the TKey apps with the RV32 Zmmul extension since we
removed support for division on the PicoRV32 CPU.