Releases: TheMaxMur/RS-Key

RS-Key v0.1.0

13 Jun 22:05
Immutable release. Only release title and notes can be modified.
v0.1.0
2e23b06

0.1.0 — 2026-06-13

First public release — an open-source security-key firmware for the Raspberry Pi
RP2350 (Cortex-M33), a behavioral reimplementation of the AGPL-3.0 pico-keys
family that keeps the "enterprise" features in the open tree.

Security keys / protocols

  • FIDO2 / WebAuthn / U2F — passkeys (discoverable credentials), second-factor,
    ssh -t ed25519-sk, hmac-secret and largeBlobs; user presence gated on the
    BOOTSEL button (the default touch build).
  • OpenPGP card 3.4 — sign / decrypt / authenticate; EC (Ed25519, NIST, Brainpool)
    and on-card RSA keygen (2048/3072/4096) accelerated across both cores.
  • PIV — X.509 slots, attestation, the Yubico management extensions; works
    through PKCS#11 / OpenSC and the OS-native stacks.
  • OATH (YKOATH) — TOTP / HOTP credential store.
  • Yubico OTP — slot programming and challenge-response over CCID, plus the
    HID-keyboard typing path.

Enterprise features, in the open tree

  • forceChangePin enforcement, a SHA-256-chained signed audit trail, an opt-in
    fips-profile, organizational attestation (import key + chain), and host-side
    fleet inventory / verification / offboarding tooling.

Hardening

  • Secure boot + anti-rollback (RP2350 OTP), keys sealed under an OTP-burned
    device root, and an at-rest soft-lock of the FIDO seed.

Tooling

  • The rsk CLI and the rsk-tui ratatui dashboard; guided primary + backup
    device pairing; secure-boot key-rotation tooling. Run without the dev shell via
    nix run .#rsk, .#rsk-tui, and a one-command flasher .#flash.

USB identity

  • The default build presents this project's own pid.codes identity
    (0x1209:0x0001, "RS-Key Security Key") — not a YubiKey masquerade. An opt-in
    VIDPID=Yubikey5 flavor borrows the YubiKey identity for ykman / Yubico
    Authenticator interop.

Assurance

  • 39 fuzz targets, Kani proofs, a Miri pass, power-cut torture, bit-reproducible
    nix build images (per platform, per flake.lock), and a hardware-verified
    interop matrix (docs/interop.md).

Release artifacts

  • Eight firmware flavors (up-button × advertise-pqc × fips-profile), each a
    reproducible unsigned .uf2 — on a secure-boot device, seal it with your
    own key before flashing (nix run .#flash, or see
    docs/production.md).
  • SHA256SUMS over every artifact, a keyless cosign
    signature of it, and a CycloneDX SBOM. See
    docs/releases.md to verify a download.

Verify a download: https://github.com/TheMaxMur/RS-Key/blob/v0.1.0/docs/releases.md