fido2 implementation breaks on Debian-based sys-usb

Open ctr49 opened this issue 2 years ago • 4 comments

It seems #31 requires python3-fido2 >= 1.0.0 (only then AttestationResponse was introduced for tap).

However, Debian ships with lower versions (Bullseye with 0.8.1, Bookworm with 0.9.1) so this will not work on a Debian-based sys-usb.

Originally posted by @ctr49 in https://github.com/QubesOS/qubes-app-u2f/issues/31#issuecomment-1704352667

ctr49, Sep 19 '23 10:09

Does this affect 4.1 or 4.2 (or both)?

andrewdavidwong, Sep 19 '23 13:09

Ah, looks like both.

andrewdavidwong, Sep 19 '23 14:09

On Debian 12 (stable, bookworm), we've added a newer python-fido2 to our repository. On older Debian it isn't that easy, so it's going to stay on the older qubes-u2f package. On R4.1, qubes-ctap never went out of the testing repository, so users with Debian 11 and just the stable repositories are unaffected.

But those with Debian 11 having either the testing repositories enabled, or having R4.2 already (where qubes-ctap landed in the stable repo), will need to downgrade the qubes-u2f package on debian-11 manually. I haven't tested it, but something like this should work:

apt-get update
apt-get remove qubes-ctap
apt-get --allow-downgrades install "qubes-u2f=1.*"

marmarek, Sep 20 '23 03:09

Since R4.2 only supports Debian 12 and this issue is fixed in Debian 12, I think "affect-4.2" can be removed.

zpc0, Feb 18 '24 09:02