This release includes all Nitropad variants.
Important: From now on, the firmware binary for updating is a .zip file. For some releases we will also provide the old .npf images. To update from a firmware version < v2.4 you will need the .npf; starting from v2.4, please use the .zip.
Major Changes / Fixes:
- This update addresses a potential security issue related to the re-creation of HOTP secrets on the Nitrokey 3 device. It ensures that re-creating HOTP secrets on the Nitrokey 3 always requires both User Verification (entering the user PIN) and User Presence (touching the Nitrokey 3). To work correctly with HEADS v2.5, the Nitrokey 3 firmware has also been updated to version v1.7.1. With previous firmware versions, re-creating HOTP secrets only required User Presence and did not verify the user PIN, which was a less strict security policy than intended. The TOTP mechanism is unaffected by this issue, so if in doubt you can still rely on it to verify that the HEADS firmware is unmodified.
- Please be sure to always update HEADS together with the Nitrokey 3. The v1.7.1 NK3 firmware won't work with older HEADS versions.
- Enables autoboot. Heads will now autoboot if all checks are correct. This can be stopped by pressing any key during startup.
Known Issues:
- After flashing the new firmware, the NV41 might need more than one power cycle to boot properly.
- The NV41 and NS50/NS70 will not reboot after a firmware upgrade and need to be restarted manually.
Signature
Verify the detached signature using:
gpg --verify sha256sum.sig sha256sum
You expect an output like this one:
gpg: Signature made Wed 05 Jun 2024 02:09:22 PM CEST
gpg: using RSA key C7E32619E2F71736F5910BB144CB2D868DD16BDA
gpg: Good signature from "Markus Meissner <meissner@nitrokey.com>" [ultimate]
gpg: aka "Markus Meissner <coder@safemailbox.de>" [ultimate]
If you don't have the key yet, you can get it like this:
gpg2 --keyserver keyserver.ubuntu.com --recv-keys 44CB2D868DD16BDA
Feel free to cross-validate the main-key fingerprint on this profile.
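The check above can be scripted so that it accepts only the fingerprint shown in the expected output, rather than a "Good signature" from any key in the local keyring. This is an added example, not a script shipped by Nitrokey; it assumes the `sha256sum` file lists the firmware image you downloaded, and the file-name argument is hypothetical.

```shell
#!/bin/sh
# Added example: pin the signing-key fingerprint from the expected output above.
PINNED_FPR="C7E32619E2F71736F5910BB144CB2D868DD16BDA"

# Reads `gpg --status-fd` output on stdin. Succeeds only if a VALIDSIG line
# names the pinned fingerprint as the signing key (field 3) or as the
# primary key (last field). GOODSIG alone is not accepted, because it
# carries only the key ID and not the full fingerprint.
status_has_pinned_validsig() {
    awk -v want="$1" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($3 == want || $NF == want) { ok = 1 }
        END { exit !ok }'
}

# $1 = checksum list, $2 = detached signature, $3 = firmware file (assumed name)
# Returns 1 on a bad signature, 2 on an unexpected signer, 3 on a hash mismatch.
verify_release() {
    sums=$1; sig=$2; fw=$3
    status=$(gpg --status-fd 1 --verify "$sig" "$sums" 2>/dev/null) || return 1
    printf '%s\n' "$status" | status_has_pinned_validsig "$PINNED_FPR" || return 2
    # Check only the entry for the downloaded file; no matching entry fails too.
    grep -F -- "$fw" "$sums" | sha256sum -c - || return 3
}

# Usage: ./verify.sh sha256sum sha256sum.sig <firmware>.zip
if [ "$#" -eq 3 ]; then
    verify_release "$@"
fi
```

Run it in the directory that holds the downloaded firmware file, since `sha256sum -c` resolves the names in the list relative to the current directory.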