Releases: solokeys/solo1


12 Oct 04:13
  • This fixes an incorrect ordering that caused the user ID not to be returned when an RK credential is matched against a specified allow_list :)

Fix issue with allow_list & rk credential (re-release)

10 Oct 19:25

Fixes a small issue where if an allow_list is specified and rk credentials are matched, all of them would get returned. The correct behavior is to only return one.

Thanks to @drbinson of @MeaVitae for finding this and making a great demo.

This is replacing 4.1.3 where I mistakenly compiled the firmware with the button disabled.

Fix user info returned for RK credential specified by allowList

23 Mar 03:22

This is a minor release that fixes an issue where the User ID for a given credential wasn't returned when it should have been. This happens when an RK credential is used as specified by the allowList in a getAssertion request.

Minor change to fix boot issue on some devices

03 Feb 06:52

Minor change, please check notes in 4.1.0 release.

This update fixes the initialization order of the device so that some devices no longer run into a boot issue (#516).

Bug fixes and Ed255

30 Jan 04:17

This release has a number of bug fixes and adds support for Ed255 for FIDO2, thanks to the great work by @enrikb.

  • Add Ed255 support for FIDO2 #478.
  • Adjustments to make fault injection attacks more difficult #504.
  • Fix incorrect logic and memmove that caused UV not to get set #493.
  • Fix incorrect cbor ordering regarding credProtect and hmac-secret extension #508 (thanks @aseigler, @timcappalli for finding & reporting).
  • Build & documentation improvements #509, #495, #490, #485, #482

Note there was an initial 4.1.0 release for a few hours which contained a build issue, and has been updated.

Credential management and credProtect added

27 Mar 15:28

After discussion with @nickray, I'm making this a major version release and deleting the old 3.2.0, because it will likely void any existing RK credentials on your solo device when updating from <4.0.0.

Warning: After this update, any existing RKs on your device will likely not work anymore. If you're not sure what an RK (resident key) is, then you probably do not have any and do not need to worry.

Additional improvements from (now defunct) 3.2.0 release:

  • Bug fixes to credMgmt (#404)
  • Allow depth-first-search when enumerating credentials (#406)

Two big features added in this release:

  • Credential management (able to enumerate and delete resident key credentials).
  • credProtect extension (able to enforce UV on specific credentials)


  • add cred protect extension
  • Fix issues with RK buffer handling
  • Fix issue with credentials being ordered incorrectly for getAssertion's
  • Fix issue with extensions not being applied to getNextAssertion assertions.
  • Fix issue with some getNextAssertions not signing correct rpIdHash.
  • Refactor + bugfix credential management
  • Add delete command for credential management
  • Add user presence check if a credential is excluded during makeCredential step
  • Add custom vendor command for rebooting device to allow easier testing.
  • Fix regression with user presence being collected twice in some cases.

This has been successfully tested for Microsoft / Azure AD compatibility.

Public tests have been added to fido2-tests.

Thank you to @rgerganov for his contributions on credential management and fixing bugs (#392, #398, #391, #404).

Thank you to @My1 for help testing and providing logs.

Fix version not correctly positioned in build

16 Mar 19:04

The last 3.1.2 could not be updated on most authenticators with version checking due to an error in the build not putting the version in correctly. This corrects the issue.

Thank you to @schwarzeh for mailing me a key to reproduce the issue.

Fix potential CBOR parsing safety issues

27 Feb 20:49

As discovered in our security audit by Doyensec, there were some potential CBOR safety issues, the largest being the lack of a proper recursion limit in one of the tinycbor methods we were using. That has now been fixed.
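
To illustrate why a recursion limit matters when parsing untrusted CBOR, here is an added example (not code from the Solo firmware or from tinycbor): a minimal walker over definite-length CBOR that refuses to descend past a fixed nesting depth, counting tags as well as arrays and maps. The limit of 4, the error codes and the function names are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>

#define CBOR_MAX_DEPTH 4   /* assumed limit for this example */
enum { CBOR_OK = 0, CBOR_ERR_TRUNC = -1, CBOR_ERR_DEPTH = -2, CBOR_ERR_FORM = -3 };

/* Read the argument following the initial byte (RFC 8949, section 3). */
static int read_arg(const uint8_t *b, size_t len, size_t *pos, uint8_t ai, uint64_t *out)
{
    size_t n;
    if (ai < 24) { *out = ai; return CBOR_OK; }
    if (ai > 27) return CBOR_ERR_FORM;   /* reserved or indefinite length */
    n = (size_t)1 << (ai - 24);          /* 1, 2, 4 or 8 argument bytes */
    if (len - *pos < n) return CBOR_ERR_TRUNC;
    for (*out = 0; n > 0; n--) *out = (*out << 8) | b[(*pos)++];
    return CBOR_OK;
}

/* Skip one data item; depth is the number of containers/tags enclosing it. */
static int skip_item(const uint8_t *b, size_t len, size_t *pos, int depth)
{
    uint64_t arg, i, count;
    uint8_t major, ai;
    int rc, k;
    if (depth > CBOR_MAX_DEPTH) return CBOR_ERR_DEPTH;  /* bound the recursion first */
    if (*pos >= len) return CBOR_ERR_TRUNC;
    major = b[*pos] >> 5;
    ai = b[(*pos)++] & 0x1f;
    if ((rc = read_arg(b, len, pos, ai, &arg)) != CBOR_OK) return rc;
    if (major == 2 || major == 3) {      /* byte/text string: arg is its length */
        if (arg > len - *pos) return CBOR_ERR_TRUNC;
        *pos += (size_t)arg;
        return CBOR_OK;
    }
    if (major < 4 || major == 7) return CBOR_OK;  /* integers, simple values, floats */
    count = (major == 6) ? 1 : arg;      /* a tag wraps exactly one item */
    for (i = 0; i < count; i++)          /* each pass consumes input or fails */
        for (k = 0; k < (major == 5 ? 2 : 1); k++)  /* map entry = key + value */
            if ((rc = skip_item(b, len, pos, depth + 1)) != CBOR_OK) return rc;
    return CBOR_OK;
}

/* Returns CBOR_OK if buf starts with one well-formed item within the depth limit. */
int cbor_check(const uint8_t *buf, size_t len)
{
    size_t pos = 0;
    return skip_item(buf, len, &pos, 0);
}
```

Without the depth check, a buffer consisting only of one-element array headers (or a chain of tags) drives one stack frame per input byte, which is a problem on a microcontroller with a small stack.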

Minor fixes to 3.1.0

13 Feb 22:28
  • Initialize variable to avoid potential version bypass in bootloader
  • Add a command that lets users who have been locked out of the normal process lock flash.

Fix version bypass in bootloader

06 Feb 18:33

This fixes an issue in the Solo bootloader that allowed an old signed firmware version to be programmed on secured Solo builds.

Thanks to @fcremo and @ikkisoft of Doyensec for the security audit and catching this!