Skip to content

Releases: darkbyte-JS/DarksFIDO2

Darks FIDO2 0.6.3 - experimental beta

Pre-release

Choose a tag to compare

@darkbyte-JS darkbyte-JS released this 17 Jul 15:34

Darks FIDO2 0.6.3

This beta makes destructive and recovery-sensitive operations failure-safe and turns the repository into a testable, trust-first project landing page.

  • Writes and verifies a replacement keyfile before committing the new vault policy; the active keyfile cannot be overwritten during rotation.
  • Requires profile deletion to clean Windows provider metadata, provider records/private CNG keys, platform credentials, profile-created TPM keys, and the vault-wrapping key.
  • Adds transactional Setup rollback around application files and provider deployment. Subsequent versions preserve the installed provider MSIX for package rollback.
  • Corrects the visible About version and documents only the three supported read-only CLI commands.
  • Adds an Edge browser WebAuthn create/get ceremony using CTAP2, resident credentials, and required user verification.
  • Adds a concise README, screenshot, social preview, changelog, threat model, compatibility matrix, known limitations, architecture, contributing guide, issue forms, and private-reporting guidance.

Validation: Release builds with zero warnings/errors; 22/22 hardware/security tests pass locally on TPM 2.0; the Edge browser ceremony passes; and locked NuGet dependencies report no known vulnerable packages.

Distribution note: this is a self-signed experimental pre-release. It has no public CA trust or SmartScreen reputation and has not received an independent security audit. Setup does not install certificates into a trust store.

Verify before running

  • Compare every download against SHA256SUMS.txt.
  • SBOM.spdx.json is an SPDX 2.3 NuGet dependency inventory generated from the seven committed packages.lock.json files.
  • The attached .cer is the public development certificate only. No private signing key is included.
  • Setup never installs this certificate into a trust store.

Trust status

This release is self-signed by CN=Darks FIDO2 Development, experimental, and not independently audited. It has no public CA trust or SmartScreen reputation. Use disposable test accounts.

Darks FIDO2 0.6.2

Darks FIDO2 0.6.2 Pre-release
Pre-release

Choose a tag to compare

@darkbyte-JS darkbyte-JS released this 17 Jul 13:44

Darks FIDO2 0.6.2

This release hardens the two remaining protocol boundaries: CTAP CBOR processing and the Windows WebAuthn health-check flow.

  • Requires user verification for both registration and assertion ceremonies.
  • Saves each registered ES256 public key and verifies assertion signatures locally.
  • Verifies RP-ID binding, credential identity, UP/UV/AT/ED and backup flags, signature presence, and signature-counter progression.
  • Enforces CTAP2 canonical CBOR, including minimal encodings, sorted map keys, structural duplicate detection, strict UTF-8, definite lengths, and resource limits.
  • Corrects AAGUID byte order and validates native counts, pointers, identifiers, and temporary allocation cleanup.
  • Backfills public keys for Darks FIDO2 virtual credentials. Older Windows Hello or external credentials must be re-registered before cryptographic health verification.

Validation: the Release solution builds with zero compiler warnings/errors; the expanded security regression harness passes 20/20 on TPM 2.0; locked NuGet dependencies report no known vulnerable packages.

Distribution note: the attached development build is signed by the self-signed CN=Darks FIDO2 Development certificate and is published as a pre-release. It does not have public CA trust or SmartScreen reputation. Setup does not install certificates into a trusted store.

Downloads

  • Installed build: DarksFIDO2-Setup.exe
  • Portable build: DarksFIDO2-Portable.zip
  • Windows passkey provider: DarksFIDO2.Provider.msix
  • Verify every download with SHA256SUMS.txt.

Target source commit: 4a1f144ef6a3c8a1c4fd5d4639a9b3df875e3de8