Skip to content

v2.5.0 - Nitropad NV41 / NS50 / NS70 / X230 / T430

Latest
Compare
Choose a tag to compare
@nestire nestire released this 05 Jun 10:25
5eb0ab6

This release includes all Nitropad variants.

Important: The firmware binary for updating is .zip from now on. For some releases we will also provide the old .npf images. For updating the firmware from < v2.4 you will need the .npf, starting from v2.4 please use the .zip

Major Changes / Fixes:

  • This update addresses a potential security issue related to the re-creation of HOTP secrets on the Nitrokey 3 device. This update ensures that re-creating HOTP secrets on the Nitrokey 3 always requires both User Verification (entering the user PIN) and User Presence (touching the Nitrokey 3). To work correctly with HEADS v2.5, the Nitrokey 3 firmware has also been updated to version v1.7.1. With previous firmware versions, re-creating HOTP secrets only required User Presence, but did not verify the user PIN, which was a less strict security policy than intended. The TOTP mechanism is unaffected by this issue - so in doubt you can still rely on this to verify the HEADS firmware is unmodified.

  • Please be sure to always update HEADS together with the Nitrokey 3. The v1.7.1 NK3 firmware won't work with older HEADS versions

  • Enables autoboot. Heads will now autoboot if all checks are correct. This can be stop by pressing any key during the startup.

Known Issues:

  • after flashing the new firmware the NV41 might need more than one power-cycle to properly boot
  • the NV41 and NS50/NS70 will not reboot after a firmware upgrade and needed to be restarted manual

Signature

Verify the detached signature using:

gpg --verify sha256sum.sig sha256sum

You expect an output like this one:

gpg: Signature made Wed 05 Jun 2024 02:09:22 PM CEST
gpg:                using RSA key C7E32619E2F71736F5910BB144CB2D868DD16BDA
gpg: Good signature from "Markus Meissner <meissner@nitrokey.com>" [ultimate]
gpg:                 aka "Markus Meissner <coder@safemailbox.de>" [ultimate]

If you don't have the key yet, you can get it like this:

gpg2 --keyserver keyserver.ubuntu.com --recv-keys 44CB2D868DD16BDA

Feel free to cross-validate the main-key fingerprint on this profile.