Releases: darkbyte-JS/DarksFIDO2
Release list
Darks FIDO2 0.6.3 - experimental beta
Darks FIDO2 0.6.3
This beta makes destructive and recovery-sensitive operations failure-safe and turns the repository into a testable, trust-first project landing page.
- Writes and verifies a replacement keyfile before committing the new vault policy; the active keyfile cannot be overwritten during rotation.
- Requires profile deletion to clean Windows provider metadata, provider records/private CNG keys, platform credentials, profile-created TPM keys, and the vault-wrapping key.
- Adds transactional Setup rollback around application files and provider deployment. Subsequent versions preserve the installed provider MSIX for package rollback.
- Corrects the visible About version and documents only the three supported read-only CLI commands.
- Adds an Edge browser WebAuthn create/get ceremony using CTAP2, resident credentials, and required user verification.
- Adds a concise README, screenshot, social preview, changelog, threat model, compatibility matrix, known limitations, architecture, contributing guide, issue forms, and private-reporting guidance.
Validation: Release builds with zero warnings/errors; 22/22 hardware/security tests pass locally on TPM 2.0; the Edge browser ceremony passes; and locked NuGet dependencies report no known vulnerable packages.
Distribution note: this is a self-signed experimental pre-release. It has no public CA trust or SmartScreen reputation and has not received an independent security audit. Setup does not install certificates into a trust store.
Verify before running
- Compare every download against
SHA256SUMS.txt. SBOM.spdx.jsonis an SPDX 2.3 NuGet dependency inventory generated from the seven committedpackages.lock.jsonfiles.- The attached
.ceris the public development certificate only. No private signing key is included. - Setup never installs this certificate into a trust store.
Trust status
This release is self-signed by CN=Darks FIDO2 Development, experimental, and not independently audited. It has no public CA trust or SmartScreen reputation. Use disposable test accounts.
Darks FIDO2 0.6.2
Darks FIDO2 0.6.2
This release hardens the two remaining protocol boundaries: CTAP CBOR processing and the Windows WebAuthn health-check flow.
- Requires user verification for both registration and assertion ceremonies.
- Saves each registered ES256 public key and verifies assertion signatures locally.
- Verifies RP-ID binding, credential identity, UP/UV/AT/ED and backup flags, signature presence, and signature-counter progression.
- Enforces CTAP2 canonical CBOR, including minimal encodings, sorted map keys, structural duplicate detection, strict UTF-8, definite lengths, and resource limits.
- Corrects AAGUID byte order and validates native counts, pointers, identifiers, and temporary allocation cleanup.
- Backfills public keys for Darks FIDO2 virtual credentials. Older Windows Hello or external credentials must be re-registered before cryptographic health verification.
Validation: the Release solution builds with zero compiler warnings/errors; the expanded security regression harness passes 20/20 on TPM 2.0; locked NuGet dependencies report no known vulnerable packages.
Distribution note: the attached development build is signed by the self-signed CN=Darks FIDO2 Development certificate and is published as a pre-release. It does not have public CA trust or SmartScreen reputation. Setup does not install certificates into a trusted store.
Downloads
- Installed build:
DarksFIDO2-Setup.exe - Portable build:
DarksFIDO2-Portable.zip - Windows passkey provider:
DarksFIDO2.Provider.msix - Verify every download with
SHA256SUMS.txt.
Target source commit: 4a1f144ef6a3c8a1c4fd5d4639a9b3df875e3de8