NK3: use device-specific branding and PIN labels consistently across codebase #2088
Pull request overview
Aligns initrd UX messaging and flows with device-specific branding (e.g., Nitrokey 3 “Secrets app” terminology) and makes HOTP/GPG prompts/reporting consistently use $DONGLE_BRAND, while also adjusting HOTP PIN attempt handling to account for NK3’s higher retry counter.
Changes:
- Centralizes/expands `$DONGLE_BRAND` usage across integrity reporting, GUI flows, and OEM reset messaging.
- Updates HOTP sealing prompts to use device-appropriate PIN labels (“Secrets app” vs “GPG Admin”) and adds dynamic max-attempt calculation after re-reading retries.
- Ensures branding detection is performed early in additional entry points (e.g., OEM factory reset, integrity report path).
Reviewed changes
Copilot reviewed 2 out of 5 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| initrd/etc/gui_functions.sh | Detect branding early in integrity report and replace hardcoded token/dongle wording with $DONGLE_BRAND throughout report + prompts. |
| initrd/etc/functions.sh | Adds skip/guard logic + USB enabling inside detect_usb_security_dongle_branding, and ensures confirm_gpg_card sets branding before prompting. |
| initrd/bin/seal-hotpkey.sh | Uses device-specific PIN label strings and introduces dynamic user-attempt limiting based on re-read retry counter. |
| initrd/bin/oem-factory-reset.sh | Detects branding at script start and updates several user-facing strings/logs to use $DONGLE_BRAND. |
| initrd/bin/gui-init.sh | Rebrands sealing gate and GPG-key-missing prompts/titles/messages to consistently use $DONGLE_BRAND. |
5460a83 to 0de0648
Pull request overview
This PR standardizes user-facing branding and PIN terminology across the initrd scripts, with special handling for Nitrokey 3 (“Secrets app” PIN semantics and higher retry counters) while replacing hardcoded “USB security dongle/TOKEN” strings with $DONGLE_BRAND throughout relevant flows.
Changes:
- Use `$DONGLE_BRAND` consistently in status/prompt/error strings across GUI and factory-reset flows.
- Normalize PIN labeling to device-appropriate terminology (“Secrets app” for NK3, “GPG Admin” for older devices) and adjust retry-attempt prompting behavior in `seal-hotpkey.sh`.
- Centralize/ensure branding detection occurs early in additional entry points and helper wrappers.
Reviewed changes
Copilot reviewed 2 out of 5 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| initrd/etc/gui_functions.sh | Integrity report messaging updated to use $DONGLE_BRAND consistently for HOTP and signing-key UX. |
| initrd/etc/functions.sh | Branding detection helper updated (guarding redundant detection; now calls enable_usb) and branding used in a GPG backup prompt. |
| initrd/bin/seal-hotpkey.sh | PIN labeling updated; retry loop changed to compute dynamic max attempts after re-reading counters. |
| initrd/bin/oem-factory-reset.sh | Detect branding early; replace several hardcoded dongle strings with $DONGLE_BRAND; minor comment casing fix. |
| initrd/bin/gui-init.sh | Reseal + signing-key-related prompts/titles updated to use $DONGLE_BRAND. |
0de0648 to acc22b5
Pull request overview
This PR standardizes user-facing terminology around USB dongle branding and PIN labels (notably Nitrokey 3 “Secrets app” wording) and adjusts HOTP PIN retry handling to better match device-specific retry counters while keeping the UX consistent across devices.
Changes:
- Use `$DONGLE_BRAND` broadly in status/prompt/error strings instead of hardcoded “USB security dongle”/“TOKEN” wording.
- Ensure branding detection is run from key entry points and is available before UI messaging.
- Update HOTP sealing flow to re-read PIN retry counters after default PIN usage and cap interactive retries dynamically.
Reviewed changes
Copilot reviewed 2 out of 5 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| initrd/etc/gui_functions.sh | Updates integrity report messaging to use $DONGLE_BRAND and runs branding detection early in the function. |
| initrd/etc/functions.sh | Updates branding detection behavior (skip redundant re-detect, call enable_usb internally) and uses $DONGLE_BRAND in a signing PIN prompt. |
| initrd/bin/seal-hotpkey.sh | Switches PIN labeling to device-appropriate wording and introduces dynamic retry limiting logic. |
| initrd/bin/oem-factory-reset.sh | Detects branding at script start and replaces several hardcoded “USB Security dongle” strings with $DONGLE_BRAND. |
| initrd/bin/gui-init.sh | Updates sealing/instructions prompts and dialog titles to reference $DONGLE_BRAND. |
acc22b5 to d768d53
Pull request overview
Updates initrd UX and scripting to consistently use device-specific branding ($DONGLE_BRAND) and correct PIN terminology (NK3 “Secrets app” vs legacy “GPG Admin”), and improves HOTP sealing attempt handling.
Changes:
- Standardize user-facing messages/prompts/status outputs to use `$DONGLE_BRAND` and device-appropriate PIN labels.
- Adjust HOTP sealing flow to compute a dynamic max attempt count after a default-PIN try and refresh retry counters.
- Centralize/expand branding detection in key entry points and integrity-report generation.
Reviewed changes
Copilot reviewed 2 out of 5 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| initrd/etc/gui_functions.sh | Integrity report: use $DONGLE_BRAND for HOTP/signing-key messaging and run branding detection early. |
| initrd/etc/functions.sh | Branding detection now has a skip guard and is used by confirm_gpg_card; prompts reference $DONGLE_BRAND. |
| initrd/bin/seal-hotpkey.sh | Uses device-specific PIN label in prompts/status; adds dynamic max-attempt calculation. |
| initrd/bin/oem-factory-reset.sh | Ensures branding detected early; updates several dialogs/log lines to use $DONGLE_BRAND. |
| initrd/bin/gui-init.sh | Uses $DONGLE_BRAND consistently in sealing gate and signing-key retry dialogs. |
d768d53 to 08f25b1
Pull request overview
This PR standardizes user-facing UX strings around USB security dongle branding and device-specific PIN terminology (notably Nitrokey 3 “Secrets app” PIN), and refines the HOTP sealing flow to account for different retry counters across devices.
Changes:
- Replace hardcoded “USB security dongle” / “TOKEN” / “GPG Admin PIN” messaging with `$DONGLE_BRAND` and a device-appropriate PIN label.
- Centralize/normalize branding detection across entry points and integrity-report generation.
- Adjust `seal-hotpkey.sh` to cap manual PIN entry attempts based on the current retry counter (with device-specific defaults/notes).
Reviewed changes
Copilot reviewed 2 out of 5 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| initrd/etc/gui_functions.sh | Uses $DONGLE_BRAND throughout integrity-report HOTP/signing-key UX and ensures branding detection is invoked for the report flow. |
| initrd/etc/functions.sh | Updates detect_usb_security_dongle_branding to internally initialize USB and skip redundant lsusb scans; updates prompts to use $DONGLE_BRAND. |
| initrd/bin/seal-hotpkey.sh | Introduces device-specific PIN labels (“Secrets app” vs “GPG Admin”) and dynamic attempt limiting based on retry counters. |
| initrd/bin/oem-factory-reset.sh | Detects branding early and updates several user/debug strings to use $DONGLE_BRAND consistently. |
| initrd/bin/gui-init.sh | Updates sealing gate + GPG-key-missing prompts to use $DONGLE_BRAND consistently. |
…codebase
The NK3 uses 'Secrets app' terminology and has 8 PIN retry attempts (vs 3 for older devices), but the codebase had inconsistent UX messaging that referred to 'GPG Admin PIN', 'USB security dongle', 'TOKEN', etc. instead of the actual brand and PIN type.
Fix 1: PIN label - $prompt_message is used in all user-facing strings (status, prompts, error messages, reminder note) with correct value: 'Secrets app' for NK3, 'GPG Admin' for older devices.
Fix 2: Dynamic attempt counting - after the default PIN trial consumes an attempt, re-read the counter and limit user attempts to min(retries-1, 3). If the counter read is unreliable (0 or 1), fall back to 3 attempts so the user is never blocked from sealing. Documented with example outcomes for NK3 (8 retries) and pre-NK3 (3 retries).
Fix 3: NK3-specific error message now references 'Secrets app PIN' instead of 'GPG Admin PIN' in the PIN reset instructions.
Fix 4: Use $DONGLE_BRAND consistently in all USB security dongle messaging (STATUS, prompts, dialog titles, guidance strings, integrity report, DEBUG logs, error messages, NOTES) instead of hardcoded 'USB security dongle', 'OpenPGP signing card', 'GPG security dongle', 'dongle', 'signing card', 'Dongle key'. Also replaces 'TOKEN' in hotp_state/hotp_display with $DONGLE_BRAND so integrity report shows actual brand (e.g. 'Nitrokey 3 PRESENT' instead of 'TOKEN PRESENT').
Fix 5: Centralize branding detection in standalone script entry points:
- gui-init.sh: already detects at boot flow entry (line ~965)
- oem-factory-reset.sh: added detection at script start (was missing)
- confirm_gpg_card: detects for gpg-gui.sh and kexec-sign-config.sh
- report_integrity_measurements: detects for hotp/gpg flow
- seal-hotpkey.sh: has its own detection at script start
Fix 6: detect_usb_security_dongle_branding now guards against redundant re-detection while preserving USB init safety: it skips USB re-init and lsusb re-scan only when a specific DONGLE_BRAND is already set and _USB_ENABLED=y in the current process. In child scripts that inherit DONGLE_BRAND but reset _USB_ENABLED, it still runs enable_usb, then returns without re-scan if branding is already specific.
Fix 7: Comment casing fix in oem-factory-reset.sh (Secrets App -> Secrets app) to match user-facing strings and hotp_verification output.
Fix 8: Remove duplicate show_pin_retries call before PIN entry loop in seal-hotpkey.sh. The function was being called twice before the first prompt (once before the loop, once at loop start), showing 'Nitrokey 3 Secrets app PIN retries remaining: 8' twice.
Fix 9: Clarify and enforce fast-path behavior for detect_usb_security_dongle_branding in mixed parent/child script contexts: avoid redundant module loads and scans in the same process, but do not skip USB initialization when only branding is inherited.
Fix 10: detect_usb_security_dongle_branding now reuses wait_for_usb_devices after enable_usb only when USB was not already initialized in the current process. This avoids early lsusb enumeration races without regressing the no-redundant-load/no-re-scan fast path.
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
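The attempt cap described in Fix 2, as an added example that is not the code in seal-hotpkey.sh: it computes min(retries-1, 3) with the 0-or-1 fallback and shows what is left on the device if every attempt fails. The function names are hypothetical; treating empty or non-numeric reads as unreliable and a one-step decrement per failed attempt are assumptions.

```shell
#!/bin/sh
# Added illustration of the Fix 2 attempt cap; not taken from seal-hotpkey.sh.
# Function names are hypothetical.

# max_user_attempts COUNTER
# COUNTER is the PIN retry counter re-read after the default-PIN trial.
# Prints min(COUNTER-1, 3); prints the fallback 3 when the read is unreliable.
max_user_attempts() {
    retries=$1
    cap=3
    case "$retries" in
        # Assumption: empty, non-numeric or zero-padded output is also unreliable.
        ''|*[!0-9]*|0[0-9]*) echo "$cap"; return 0 ;;
    esac
    # 0 or 1 is treated as an unreliable read: fall back to 3 attempts.
    if [ "$retries" -le 1 ]; then
        echo "$cap"
        return 0
    fi
    allowed=$((retries - 1))
    if [ "$allowed" -gt "$cap" ]; then
        allowed=$cap
    fi
    echo "$allowed"
}

# worst_case_remaining START
# Counter left on the device if the default-PIN trial and every allowed user
# attempt fail. Assumes each failed attempt decrements the counter by one.
worst_case_remaining() {
    after_default=$(($1 - 1))
    allowed=$(max_user_attempts "$after_default")
    left=$((after_default - allowed))
    if [ "$left" -lt 0 ]; then left=0; fi
    echo "$left"
}

# Constructed inputs: the starting counters named in the commit message.
for start in 8 3; do
    echo "start=$start user_attempts=$(max_user_attempts $((start - 1)))" \
         "left_if_all_fail=$(worst_case_remaining "$start")"
done
```

Under these assumptions a device starting at 8 retries gets 3 user attempts and keeps 4 in reserve, while one starting at 3 gets a single user attempt and keeps 1.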
08f25b1 to bd0f786
Pull request overview
This PR standardizes user-facing branding/PIN terminology across the initrd GUI and provisioning flows (notably Nitrokey 3 “Secrets app” wording), and refines HOTP PIN retry handling to better match device-specific retry counters.
Changes:
- Centralizes/extends device branding detection and switches UI strings from hardcoded “USB security dongle”/“GPG Admin PIN” to `$DONGLE_BRAND` and device-appropriate PIN labels.
- Updates integrity reporting and sealing prompts to consistently reflect the detected device brand.
- Adds dynamic HOTP PIN attempt limiting logic in `seal-hotpkey.sh` based on re-read retry counters after the default PIN attempt.
Reviewed changes
Copilot reviewed 2 out of 5 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| initrd/etc/gui_functions.sh | Uses $DONGLE_BRAND throughout integrity-report UX and initializes branding early in the report flow. |
| initrd/etc/functions.sh | Adds a fast-path to detect_usb_security_dongle_branding and ensures callers (e.g., confirm_gpg_card) set branding before prompts. |
| initrd/bin/seal-hotpkey.sh | Switches PIN labeling to device-appropriate terms and introduces dynamic retry/attempt limiting after default PIN use. |
| initrd/bin/oem-factory-reset.sh | Ensures branding is detected early and updates some NK3 reset UX strings to use $DONGLE_BRAND. |
| initrd/bin/gui-init.sh | Replaces generic “USB security dongle” text with $DONGLE_BRAND in gating/prompt messages. |
…ot-GPG_admin_pin NK3: use device-specific branding and PIN labels consistently across codebase
The NK3 uses 'Secrets app' terminology and has 8 PIN retry attempts (vs 3 for older devices), but the codebase had inconsistent UX messaging that referred to 'GPG Admin PIN', 'USB security dongle', 'TOKEN', etc. instead of the actual brand and PIN type.
Fix 1: PIN label - $prompt_message is used in all user-facing strings (status, prompts, error messages, reminder note) with correct value: 'Secrets app' for NK3, 'GPG Admin' for older devices.
Fix 2: Dynamic attempt counting - after the default PIN trial consumes an attempt, re-read the counter and limit user attempts to min(retries-1, 3). If the counter read is unreliable (0 or 1), fall back to 3 attempts so the user is never blocked from sealing. Documented with example outcomes for NK3 (8 retries) and pre-NK3 (3 retries).
Fix 3: NK3-specific error message now references 'Secrets app PIN' instead of 'GPG Admin PIN' in the PIN reset instructions.
Fix 4: Use $DONGLE_BRAND consistently in all USB security dongle messaging (STATUS, prompts, dialog titles, guidance strings, integrity report, DEBUG logs, error messages, NOTES) instead of hardcoded 'USB security dongle', 'OpenPGP signing card', 'GPG security dongle', 'dongle', 'signing card', 'Dongle key'. Also replaces 'TOKEN' in hotp_state/hotp_display with $DONGLE_BRAND so integrity report shows actual brand (e.g. 'Nitrokey 3 PRESENT' instead of 'TOKEN PRESENT').
Fix 5: Centralize branding detection in standalone script entry points:
Fix 6: detect_usb_security_dongle_branding now guards against redundant re-detection while preserving USB init safety: it skips USB re-init and lsusb re-scan only when a specific DONGLE_BRAND is already set and _USB_ENABLED=y in the current process. In child scripts that inherit DONGLE_BRAND but reset _USB_ENABLED, it still runs enable_usb, then returns without re-scan if branding is already specific.
Fix 7: Comment casing fix in oem-factory-reset.sh (Secrets App -> Secrets app) to match user-facing strings and hotp_verification output.
Fix 8: Remove duplicate show_pin_retries call before PIN entry loop in seal-hotpkey.sh. The function was being called twice before the first prompt (once before the loop, once at loop start), showing 'Nitrokey 3 Secrets app PIN retries remaining: 8' twice.
Fix 9: Clarify and enforce fast-path behavior for detect_usb_security_dongle_branding in mixed parent/child script contexts: avoid redundant module loads and scans in the same process, but do not skip USB initialization when only branding is inherited.
Fix 10: detect_usb_security_dongle_branding now reuses wait_for_usb_devices after enable_usb only when USB was not already initialized in the current process. This avoids early lsusb enumeration races without regressing the no-redundant-load/no-re-scan fast path.
Tested with Nitrokey3NFC, Canokey on HOTP/non-HOTP qemu. oem-factory-reset on canokey, tpm reset on HOTP + TPK DUK setup + boot into Debian 13 DVD installation (proper default install (unencrypted /boot + LUKS install):