Skip to content

RS-Key v0.1.0

Latest
Latest

Choose a tag to compare

View all tags
@github-actions github-actions released this 13 Jun 22:05
· 2 commits to main since this release
Immutable release. Only release title and notes can be modified.
v0.1.0
This tag was signed with the committer’s verified signature.
TheMaxMur MaxMur
GPG key ID: B72F4A649F92F410
Verified
Learn about vigilant mode.
2e23b06
This commit was signed with the committer’s verified signature.
TheMaxMur MaxMur
GPG key ID: B72F4A649F92F410
Verified
Learn about vigilant mode.

0.1.0 — 2026-06-13

First public release — an open-source security-key firmware for the Raspberry Pi
RP2350 (Cortex-M33), a behavioral reimplementation of the AGPL-3.0 pico-keys
family that keeps the "enterprise" features in the open tree.

Security keys / protocols

  • FIDO2 / WebAuthn / U2F — passkeys (discoverable credentials), second-factor,
    ssh -t ed25519-sk, hmac-secret and largeBlobs; user presence gated on the
    BOOTSEL button (the default touch build).
  • OpenPGP card 3.4 — sign / decrypt / authenticate; EC (Ed25519, NIST, brainpool)
    and on-card RSA keygen (2048/3072/4096) accelerated across both cores.
  • PIV — X.509 slots, attestation, the Yubico management extensions; works
    through PKCS#11 / OpenSC and the OS-native stacks.
  • OATH (YKOATH) — TOTP / HOTP credential store.
  • Yubico OTP — slot programming and challenge-response over CCID, plus the
    HID-keyboard typing path.

Enterprise features, in the open tree

  • forceChangePin enforcement, a SHA-256-chained signed audit trail, an opt-in
    fips-profile, organizational attestation (import key + chain), and host-side
    fleet inventory / verification / offboarding tooling.

Hardening

  • Secure boot + anti-rollback (RP2350 OTP), keys sealed under an OTP-burned
    device root, and an at-rest soft-lock of the FIDO seed.

Tooling

  • The rsk CLI and the rsk-tui ratatui dashboard; guided primary + backup
    device pairing; secure-boot key-rotation tooling. Run without the dev shell via
    nix run .#rsk, .#rsk-tui, and a one-command flasher .#flash.

USB identity

  • The default build presents this project's own pid.codes identity
    (0x1209:0x0001, "RS-Key Security Key") — not a YubiKey masquerade. An opt-in
    VIDPID=Yubikey5 flavor borrows the YubiKey identity for ykman / Yubico
    Authenticator interop.

Assurance

  • 39 fuzz targets, Kani proofs, a Miri pass, power-cut torture, bit-reproducible
    nix build images (per platform, per flake.lock), and a hardware-verified
    interop matrix (docs/interop.md).

Release artifacts

  • Eight firmware flavors (up-button × advertise-pqc × fips-profile), each a
    reproducible unsigned .uf2 — on a secure-boot device, seal it with your
    own key before flashing (nix run .#flash, or see
    docs/production.md).
  • SHA256SUMS over every artifact, a keyless cosign
    signature of it, and a CycloneDX SBOM. See
    docs/releases.md to verify a download.

Verify a download: https://github.com/TheMaxMur/RS-Key/blob/v0.1.0/docs/releases.md

Assets 14
Loading