v0.12.1

Bugs fixed:

• piv: fix generation of invalid xlen headers on data-less commands (#53, also relates to #52)
• piv: disable xlen on MacOS for now (#52)
• piv: ignore InvalidDataError when reading all certs (don't abort if one cert is unparseable, if others are fine) #58
• pivy-tool: add rsa3072 to possible values list for -a option
• update bundled libressl to 4.0.0, openssh to 10.0p1

v0.12.0

New features:

• Support for YubicoPIV 5.7.x features:
  • Ed25519 keys/certs
  • RSA3072/4096 keys/certs
  • AES-192 default admin key
• Full support for extended-length APDUs, reducing latency during enumeration and signing with hash-on-card algorithms (like Ed25519)
• pivy-zfs: now compatible with current OpenZFS releases (2.3.x), and current illumos ZFS
• pivy-tool: new delete-cert command
• certs: support for generating certs with multiple UPN SANs, IKE certs, cert policy extensions

Bugs fixed:

• pivy-box: stop -b batch mode prompting for PIN
• pivy-box, pivy-agent: better audit logging with ECDH operations and the rebox extension
• pivy-agent: fix notify-send options and newlines for GNOME 46+
• pivy-zfs, pivy-ca: exit cleanly on invalid options
• pivy-ca: include SPKI extension on subordinate CAs
• certs: include keyEncipherment KU on RSA computer certs (so they can be used for IKE)
• pivy-tool: init command crashes on some errors
• updated bundled libressl to 3.9.2, openssh to 9.9p1
• CBMC formal verification of some components (a decent chunk of the code which runs unconditionally against device-provided data is now being formally verified): TLV parser, PIV RTS parser, cardcap parser, CHUID parser, FASC-N parser

v0.11.2

• piv: better error messages on invalid PIN cowardice (#41)
• piv: handle "no readers" errors better, stops agent from getting lost
• pivy-agent: slot spec parser error message improvements
• pivy-agent: support for using notify-send as SSH_CONFIRM
• update bundled libressl to 3.8.2, openssh to 9.5p1 (fixes build issues with new versions of zlib)
• illumos: fix race applying socket_owner/socket_mode SMF properties in pivy-agent service

v0.11.1

Bugs fixed:

• pivy-ca/box/luks/zfs: possible use-after-free leading to segfault in recovery mode
• pivy-box/luks/zfs: reading in PINs on Linux initrd console (without a /dev/tty) was broken
• pivy-ca: OpenBSD getopt issues in "pivy-ca shell"
• pivy-agent: wake-up deadline calculation was busted, leading to high CPU usage

v0.11.0

New features:

• Update to OpenSSH 9.2, LibreSSL 3.7.0
• pivy-agent: new -u/-z option to whitelist other UIDs/ZIDs for access
• pivy-agent: x509-certs extension support
• pivy-agent: sign-prehash extension support
• pivy-agent: support for exename checking on OpenBSD

Bugs fixed:

• pivy-ca: fixes for provisioning new CAs
• all tools: switch to getpassphrase() and handle ctrl+C properly
• pivy-tool: "setup" command is now much safer
• pivy-agent: fix denied connections (due to wrong UID) closing listen sock
• pivy-box: fix garbage slot IDs when parsing keywords form of template
• pivy-tool: remove invalid algo from help text
• piv: parse deprecated "Auth Key Map" element in CHUID
• illumos: SMF method improvements

v0.10.0

New features:

• Added the pivy-ca tool, which manages a basic X.509 CA on a PIV device
• pivy-agent now supports the OpenSSH sessbind extension for detecting forwarded agent connections
• pivy-tool accepts and produces PEM as well as DER for certificate-related commands
• Added pivy-tool list -j to produce JSON output
• pivy-box can import configs from another template in edit -i mode
• illumos binaries are now built against the system libpcsc and have CTF information

Bugs fixed:

• Build issue on some new versions of libbsd (e.g. on ArchLinux)
• pivy-tool fix for MS SID extension in user-auth certs being generated incorrectly
• pivy-agent and pivy-tool no longer reset the card after every transaction if they can clear PIN state instead
• PIV spec: handle 6A88 status words properly on PIN commands
• pivy-tool: fix generate on non-contiguous retired key slots

v0.9.0

New features:

• Support for building with LibreSSL 3.5.2 / OpenSSL 3.x
• pivy-tool can parse and display the PIV Printed Info object, as well as new info from the CHUID file (FASC-N etc)
• pivy-tool req-cert and pivy-tool write-cert commands
• Finer control over the certificates generated by pivy-tool using -D and -T, and support for KRB5 PKINIT SANs

Bugs fixed:

• pivy-agent is now strict about device disconnection time before it drops a cached PIN
• pivy-zfs rekey is now panic-safe
• Incorrectly generated length tags (used longer encoding than necessary) in some PIV objects are now correct
• pivy-box now strips off --Begin-- and --End-- noise on challenges when pasted on stdin

Also note that the -src tarball on the Releases page now contains LibreSSL and OpenSSH already downloaded and extracted, so you can do self-contained builds from it.

v0.8.0

New features:

• 4-digit PINs (on supported cards)
• AES algorithms for admin key (works with PivApplet, maybe others)
• pivy-agent: SSH_NOTIFY_SEND can now be set to receive desktop notifications when touch input may be required
• pivy-zfs: can now use pivy-zfs rekey <fs> without a template to generate a new key with the same configs as the current ebox
• pivy-zfs: now falls back to looking at the com.joyent.kbm:ebox property if rfd77:ebox is not available

Bugfixes:

• Support for some Gemalto cards which send a nested tag in APT/RTS
• Allow multiple 'AC' tags in RTS (fixes "algorithms" output on latest PivApplet)

v0.7.0

New features:

• pivy-box: "key unlock" and "stream decrypt" can now accept a filename argument instead of reading stdin (and will include that filename in any generated recovery challenge-responses)
• pivy-box: can now find templates at multiple paths, including in a system directory. On Linux, the default dir for new templates is now $HOME/.config/pivy/tpl and on OSX $HOME/Library/Preferences/pivy/tpl (the old directories will still be checked for templates)
• pivy-agent: in -C mode, PID authorizations are now cached for 15 seconds (makes Manta tools especially nicer to use)
• pivy-tool: add "update-keyhist" command, which scans all retired key slots and re-generates the PIV Key History object, to fix un-detected keys in retired key slots

Bug fixes:

• All tools: now support using metadata/attestation information to detect when touch confirmation is required for a key and emit prompts to match. PIN prompting should now occur before touch.
• Fix for some issues around using multiple local devices in order (e.g. in the same card reader) with pivy-box recovery

v0.6.1

• Bug fixes
  • pivy-agent: fix for parsing errors in pivy-agent -S arguments (sensitivity to argument ordering etc)
  • pivy-box: performance improvements with large numbers of configs (and large numbers of tokens on system)
  • pivy-agent: re-establish new PCSC context on some errors automatically: fixes hangs and errors on MacOS Catalina and enables pivy-agent to continue running after a restart of pcscd on Linux.