Package: release.debian.org Severity: normal Tags: trixie X-Debbugs-Cc: [email protected] Control: affects -1 + src:tkey-ssh-agent User: [email protected] Usertags: pu
[ Reason ] Hi! This is the second part of https://bugs.debian.org/1131028 Upstream has provided an advisory: https://github.com/tillitis/tkeyclient/security/advisories/GHSA-4w7r-3222-8h6v While this could be handled by a security patch, due to the complexity of upstream's recommended solution (involving patches to both 'golang-github-tillitis-tkeyclient' and 'tkey-ssh-agent') and low end-user impact, it was suggested on #debian-security to use the proposed-updates mechanism instead to update both packages to latest upstream version. I'm attaching the debdiff between tkey-ssh-agent 1.0.0 and 1.1.0 in unstable, and I suggest something similar could be uploaded to trixie-proposed-updates. What do you think? Is this an acceptable way to resolve this? If so I can prepare the final real version of these packages. [ Impact ] If this isn't adopted, one out of 256 users that provide a USS secret will not actually make use of the USS, thus possibly lowering their perceived security. [ Tests ] These are upstream patches, so presumably well tested. [ Risks ] There is always a risk upstream's patches are buggy and cause unrelated problems. [ Checklist ] [ ] *all* changes are documented in the d/changelog [ ] I reviewed all changes and I approve them [ ] attach debdiff against the package in (old)stable [ ] the issue is verified as fixed in unstable [ Changes ] (Explain *all* the changes) [ Other info ] (Anything else the release team should know.)
diff -Nru tkey-ssh-agent-1.0.0+ds/cmd/tkey-ssh-agent/listen_unix.go tkey-ssh-agent-1.1.0+ds/cmd/tkey-ssh-agent/listen_unix.go
--- tkey-ssh-agent-1.0.0+ds/cmd/tkey-ssh-agent/listen_unix.go 2024-11-15 11:05:42.000000000 +0100
+++ tkey-ssh-agent-1.1.0+ds/cmd/tkey-ssh-agent/listen_unix.go 2026-03-16 14:10:28.000000000 +0100
@@ -16,7 +16,7 @@
l, err := net.Listen("unix", path)
if err != nil {
- return nil, fmt.Errorf("Listen: %w", err)
+ return nil, fmt.Errorf("listen: %w", err)
}
return l, nil
}
diff -Nru tkey-ssh-agent-1.0.0+ds/cmd/tkey-ssh-agent/main.go tkey-ssh-agent-1.1.0+ds/cmd/tkey-ssh-agent/main.go
--- tkey-ssh-agent-1.0.0+ds/cmd/tkey-ssh-agent/main.go 2024-11-15 11:05:42.000000000 +0100
+++ tkey-ssh-agent-1.1.0+ds/cmd/tkey-ssh-agent/main.go 2026-03-16 14:10:28.000000000 +0100
@@ -37,7 +37,7 @@
var agentPath, devPath, fileUSS, pinentry string
var speed int
- var enterUSS, showPubkeyOnly, listPortsOnly, versionOnly, helpOnly bool
+ var enterUSS, forceFullUSS, showPubkeyOnly, listPortsOnly, versionOnly, helpOnly bool
pflag.CommandLine.SetOutput(os.Stderr)
pflag.CommandLine.SortFlags = false
pflag.CommandLine.SetNormalizeFunc(func(_ *pflag.FlagSet, name string) pflag.NormalizedName {
@@ -55,12 +55,14 @@
"List possible serial ports to use with --port.")
pflag.StringVar(&devPath, "port", "",
"Set serial port device `PATH`. If this is not passed, auto-detection will be attempted.")
- pflag.IntVar(&speed, "speed", tkeyclient.SerialSpeed,
+ pflag.IntVar(&speed, "speed", 0,
"Set serial port speed in `BPS` (bits per second).")
pflag.BoolVar(&enterUSS, "uss", false,
"Enable typing of a phrase to be hashed as the User Supplied Secret. The USS is loaded onto the TKey along with the app itself. A different USS results in different SSH public/private keys, meaning a different identity.")
pflag.StringVar(&fileUSS, "uss-file", "",
"Read `FILE` and hash its contents as the USS. Use '-' (dash) to read from stdin. The full contents are hashed unmodified (e.g. newlines are not stripped).")
+ pflag.BoolVar(&forceFullUSS, "force-full-uss", false,
+ "Force use of 32 byte USS digest. Default is 31.")
pflag.StringVar(&pinentry, "pinentry", "",
"Pinentry `PROGRAM` for use by --uss. The default is found by looking in your gpg-agent.conf for pinentry-program, or 'pinentry' if not found there. On Windows, an attempt is made to find Gpg4win's pinentry program to use as default.")
pflag.BoolVar(&versionOnly, "version", false, "Output version information.")
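Review bot: The help text added for `--force-full-uss` says only "Force use of 32 byte USS digest. Default is 31." and does not tell the user what that choice changes. The release notes in this same update warn that keys might have changed, and the man page describes the 31 byte default as a backwards-compatibility setting, so the digest length appears to feed into the derived SSH identity; a user who toggles the flag should expect a different public key. I would say so in the help string and name the flags it depends on, for example `"Force use of the full 32 byte USS digest (default: 31 bytes, for backwards compatibility). Intended for use with --uss or --uss-file; expect a different SSH key when this is changed."`. Nothing visible here warns when `--force-full-uss` is given without a USS source, though the rest of the flag handling lies outside the hunk.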
@@ -150,7 +152,7 @@
prevExitFunc(code)
}
- signer := NewSigner(devPath, speed, enterUSS, fileUSS, pinentry, exit)
+ signer := NewSigner(devPath, speed, enterUSS, fileUSS, forceFullUSS, pinentry, exit)
if showPubkeyOnly {
if !signer.connect() {
@@ -209,7 +211,7 @@
func printPorts() (int, error) {
ports, err := tkeyclient.GetSerialPorts()
if err != nil {
- return 0, fmt.Errorf("Failed to list ports: %w", err)
+ return 0, fmt.Errorf("failed to list ports: %w", err)
}
if len(ports) == 0 {
le.Printf("No TKey serial ports found.\n")
diff -Nru tkey-ssh-agent-1.0.0+ds/cmd/tkey-ssh-agent/signer.go tkey-ssh-agent-1.1.0+ds/cmd/tkey-ssh-agent/signer.go
--- tkey-ssh-agent-1.0.0+ds/cmd/tkey-ssh-agent/signer.go 2024-11-15 11:05:42.000000000 +0100
+++ tkey-ssh-agent-1.1.0+ds/cmd/tkey-ssh-agent/signer.go 2026-03-16 14:10:28.000000000 +0100
@@ -52,13 +52,14 @@
speed int
enterUSS bool
fileUSS string
+ forceFullUSS bool
pinentry string
mu sync.Mutex
connected bool
disconnectTimer *time.Timer
}
-func NewSigner(devPathArg string, speedArg int, enterUSS bool, fileUSS string, pinentry string, exitFunc func(int)) *Signer {
+func NewSigner(devPathArg string, speedArg int, enterUSS bool, fileUSS string, forceFullUSS bool, pinentry string, exitFunc func(int)) *Signer {
var signer Signer
tkeyclient.SilenceLogging()
@@ -67,13 +68,14 @@
tkSigner := tkeysign.New(tk)
signer = Signer{
- tk: tk,
- tkSigner: &tkSigner,
- devPath: devPathArg,
- speed: speedArg,
- enterUSS: enterUSS,
- fileUSS: fileUSS,
- pinentry: pinentry,
+ tk: tk,
+ tkSigner: &tkSigner,
+ devPath: devPathArg,
+ speed: speedArg,
+ enterUSS: enterUSS,
+ fileUSS: fileUSS,
+ forceFullUSS: forceFullUSS,
+ pinentry: pinentry,
}
// Do nothing on HUP, in case old udev rule is still in effect
@@ -120,8 +122,18 @@
le.Printf("Auto-detected serial port %s\n", devPath)
}
+ options := []func(*tkeyclient.TillitisKey){}
+
+ if s.speed != 0 {
+ options = append(options, tkeyclient.WithSpeed(s.speed))
+ }
+
+ if s.forceFullUSS {
+ options = append(options, tkeyclient.WithFullUss())
+ }
+
le.Printf("Connecting to TKey on serial port %s\n", devPath)
- if err := s.tk.Connect(devPath, tkeyclient.WithSpeed(s.speed)); err != nil {
+ if err := s.tk.Connect(devPath, options...); err != nil {
notify(fmt.Sprintf("Could not connect to a TKey on port %v.", devPath))
le.Printf("Failed to connect: %v", err)
return false
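Review bot: The USS digest mode selected in the `if s.forceFullUSS` branch is never logged, although this path already logs the serial port and the connection attempt. Since that mode presumably decides which identity the TKey derives, a line such as `le.Printf("Using full 32 byte USS digest\n")` inside the branch would let a user who sees an unexpected public key tell from the log which mode the agent ran with. As a style point, `var options []func(*tkeyclient.TillitisKey)` is the usual Go spelling for a slice that is only appended to. The enclosing function begins and ends outside this hunk.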
@@ -182,20 +194,20 @@
if s.enterUSS {
udi, err := s.tk.GetUDI()
if err != nil {
- return fmt.Errorf("Failed to get UDI: %w", err)
+ return fmt.Errorf("failed to get UDI: %w", err)
}
secret, err = getSecret(udi.String(), s.pinentry)
if err != nil {
notify(fmt.Sprintf("Could not show USS prompt: %s", errors.Unwrap(err)))
- return fmt.Errorf("Failed to get USS: %w", err)
+ return fmt.Errorf("failed to get USS: %w", err)
}
} else if s.fileUSS != "" {
var err error
secret, err = tkeyutil.ReadUSS(s.fileUSS)
if err != nil {
notify(fmt.Sprintf("Could not read USS file: %s", err))
- return fmt.Errorf("Failed to read uss-file %s: %w", s.fileUSS, err)
+ return fmt.Errorf("failed to read uss-file %s: %w", s.fileUSS, err)
}
}
@@ -286,7 +298,7 @@
func (s *Signer) Sign(_ io.Reader, message []byte, opts crypto.SignerOpts) ([]byte, error) {
if !s.connect() {
- return nil, fmt.Errorf("Connect failed")
+ return nil, fmt.Errorf("connect failed")
}
defer s.disconnect()
diff -Nru tkey-ssh-agent-1.0.0+ds/cmd/tkey-ssh-agent/sshagent.go tkey-ssh-agent-1.1.0+ds/cmd/tkey-ssh-agent/sshagent.go
--- tkey-ssh-agent-1.0.0+ds/cmd/tkey-ssh-agent/sshagent.go 2024-11-15 11:05:42.000000000 +0100
+++ tkey-ssh-agent-1.1.0+ds/cmd/tkey-ssh-agent/sshagent.go 2026-03-16 14:10:28.000000000 +0100
@@ -43,7 +43,7 @@
for {
conn, err := listener.Accept()
if err != nil {
- return fmt.Errorf("Accept: %w", err)
+ return fmt.Errorf("accept: %w", err)
}
le.Printf("Handling a client connection\n")
go s.handleConn(conn)
@@ -51,7 +51,7 @@
}
func (s *SSHAgent) handleConn(c net.Conn) {
- if err := agent.ServeAgent(s, c); !errors.Is(io.EOF, err) {
+ if err := agent.ServeAgent(s, c); !errors.Is(err, io.EOF) {
le.Printf("Agent client connection ended with error: %s\n", err)
}
}
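Review bot: `handleConn` never closes `c`; it passes the connection to `agent.ServeAgent` and only logs when that returns. Every client accepted by the loop in the previous hunk (`go s.handleConn(conn)`) therefore keeps its socket open until the runtime finalizes it, so a local process that opens many connections can use up the agent's file descriptors. Adding `defer c.Close()` as the first statement of `handleConn` releases the descriptor as soon as serving ends. With the corrected `errors.Is(err, io.EOF)` a nil return would also be logged as an error; ServeAgent is not expected to return nil, but writing the condition as `err != nil && !errors.Is(err, io.EOF)` makes that explicit.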
diff -Nru tkey-ssh-agent-1.0.0+ds/cmd/tkey-ssh-agent-tray/main.go tkey-ssh-agent-1.1.0+ds/cmd/tkey-ssh-agent-tray/main.go
--- tkey-ssh-agent-1.0.0+ds/cmd/tkey-ssh-agent-tray/main.go 2024-11-15 11:05:42.000000000 +0100
+++ tkey-ssh-agent-1.1.0+ds/cmd/tkey-ssh-agent-tray/main.go 2026-03-16 14:10:28.000000000 +0100
@@ -30,6 +30,8 @@
mainExe = "tkey-ssh-agent.exe"
)
+var version string
+
var notify = func(msg string) {
tkeyutil.Notify(progname, msg)
}
@@ -40,6 +42,10 @@
os.Exit(1)
}
+ if version == "" {
+ version = "unknown" // The version should be set from make during build.
+ }
+
// We're not supposed to be run in a console , but if we still are
// then try to get our output into it
if err := fixconsole.FixConsoleIfNeeded(); err != nil {
@@ -122,10 +128,11 @@
GNU General Public License v2.0 only
unless otherwise noted in the source code.
-Source repository: https://github.com/tillitis/tillitis-key1-apps
+Source repository: https://github.com/tillitis/tkey-ssh-agent
Tillitis: https://www.tillitis.se
-Running: %s`, mainCmdLine))
+Version: %s
+Running: %s`, version, mainCmdLine))
}
}()
diff -Nru tkey-ssh-agent-1.0.0+ds/debian/changelog tkey-ssh-agent-1.1.0+ds/debian/changelog
--- tkey-ssh-agent-1.0.0+ds/debian/changelog 2026-02-13 10:24:05.000000000 +0100
+++ tkey-ssh-agent-1.1.0+ds/debian/changelog 2026-03-16 22:36:33.000000000 +0100
@@ -1,3 +1,9 @@
+tkey-ssh-agent (1.1.0+ds-1) UNRELEASED; urgency=medium
+
+ * Use gbp sign-tags and upstream-vcs-tag
+
+ -- Simon Josefsson <[email protected]> Mon, 16 Mar 2026 22:36:33 +0100
+
tkey-ssh-agent (1.0.0+ds-6) unstable; urgency=medium
* Team upload
diff -Nru tkey-ssh-agent-1.0.0+ds/debian/control tkey-ssh-agent-1.1.0+ds/debian/control
--- tkey-ssh-agent-1.0.0+ds/debian/control 2026-02-12 17:53:10.000000000 +0100
+++ tkey-ssh-agent-1.1.0+ds/debian/control 2026-03-16 22:36:33.000000000 +0100
@@ -8,7 +8,7 @@
dh-sequence-golang,
golang-any,
golang-github-spf13-pflag-dev,
- golang-github-tillitis-tkeyclient-dev,
+ golang-github-tillitis-tkeyclient-dev (>> 1.3.0~),
golang-github-tillitis-tkeysign-dev,
golang-github-tillitis-tkeyutil-dev,
golang-github-twpayne-go-pinentry-dev (>> 4.0.0~),
diff -Nru tkey-ssh-agent-1.0.0+ds/debian/gbp.conf tkey-ssh-agent-1.1.0+ds/debian/gbp.conf
--- tkey-ssh-agent-1.0.0+ds/debian/gbp.conf 2026-02-12 17:53:10.000000000 +0100
+++ tkey-ssh-agent-1.1.0+ds/debian/gbp.conf 2026-03-16 22:36:03.000000000 +0100
@@ -1,3 +1,5 @@
[DEFAULT]
debian-branch = debian/sid
dist = DEP14
+sign-tags = True
+upstream-vcs-tag = v%(version%~%-)s
diff -Nru tkey-ssh-agent-1.0.0+ds/docs/release_notes.md tkey-ssh-agent-1.1.0+ds/docs/release_notes.md
--- tkey-ssh-agent-1.0.0+ds/docs/release_notes.md 2024-11-15 11:05:42.000000000 +0100
+++ tkey-ssh-agent-1.1.0+ds/docs/release_notes.md 2026-03-16 14:10:28.000000000 +0100
@@ -1,5 +1,16 @@
# Release notes
+## v1.1.0
+
+- Update tkeyclient version because of a vulnerability leaving some
+ USSs unused. Keys might have changed since earlier versions! Read
+ more here:
+
+ https://github.com/tillitis/tkeyclient/security/advisories/GHSA-4w7r-3222-8h6v
+
+- Add a new option flag: `--force-full-uss` to force full use of the
+ 32 byte USS digest.
+
## v1.0.0
- All other apps, libraries, and packages have moved to their own
diff -Nru tkey-ssh-agent-1.0.0+ds/.github/workflows/ci.yaml tkey-ssh-agent-1.1.0+ds/.github/workflows/ci.yaml
--- tkey-ssh-agent-1.0.0+ds/.github/workflows/ci.yaml 2024-11-15 11:05:42.000000000 +0100
+++ tkey-ssh-agent-1.1.0+ds/.github/workflows/ci.yaml 2026-03-16 14:10:28.000000000 +0100
@@ -13,7 +13,7 @@
build:
runs-on: ubuntu-latest
container:
- image: ghcr.io/tillitis/tkey-builder:4
+ image: ghcr.io/tillitis/tkey-builder:5rc2
steps:
- name: checkout
uses: actions/checkout@v4
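Review bot: The builder image is now `ghcr.io/tillitis/tkey-builder:5rc2`, a release-candidate tag referenced by name only, so the image behind the build can change without any change in this repository. For a release that ships a security fix I would pin it by digest, `image: ghcr.io/tillitis/tkey-builder:5rc2@sha256:<digest-of-reviewed-image>` (placeholder; the digest is not on this page), and move to the final tag once one is published. The same tag is used in the `podman` target of the Makefile and in the README commands later in this diff.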
diff -Nru tkey-ssh-agent-1.0.0+ds/.github/workflows/golangci-lint.yml tkey-ssh-agent-1.1.0+ds/.github/workflows/golangci-lint.yml
--- tkey-ssh-agent-1.0.0+ds/.github/workflows/golangci-lint.yml 2024-11-15 11:05:42.000000000 +0100
+++ tkey-ssh-agent-1.1.0+ds/.github/workflows/golangci-lint.yml 2026-03-16 14:10:28.000000000 +0100
@@ -18,15 +18,15 @@
- uses: actions/checkout@v3
- uses: actions/setup-go@v4
with:
- go-version: '1.21'
+ go-version: '1.23'
cache: false
- name: golangci-lint
- uses: golangci/golangci-lint-action@v3
+ uses: golangci/golangci-lint-action@v9
with:
# Require: The version of golangci-lint to use.
# When `install-mode` is `binary` (default) the value can be v1.2 or v1.2.3 or `latest` to use the latest version.
# When `install-mode` is `goinstall` the value can be v1.2.3, `latest`, or the hash of a commit.
- version: v1.55.2
+ version: v2.4.0
# Optional: working directory, useful for monorepos
# working-directory: somedir
diff -Nru tkey-ssh-agent-1.0.0+ds/.golangci.yml tkey-ssh-agent-1.1.0+ds/.golangci.yml
--- tkey-ssh-agent-1.0.0+ds/.golangci.yml 2024-11-15 11:05:42.000000000 +0100
+++ tkey-ssh-agent-1.1.0+ds/.golangci.yml 2026-03-16 14:10:28.000000000 +0100
@@ -1,34 +1,89 @@
+version: "2"
linters:
- presets:
- # found in: golangci-lint help linters
- - bugs
- - comment
- - complexity
- - error
- - format
- - import
- - metalinter
- - module
- - performance
- - sql
- # - style # turned off, can be too much
- - test
- - unused
+ enable:
+ - asasalint
+ - asciicheck
+ - bidichk
+ - bodyclose
+ - contextcheck
+ - dupword
+ - durationcheck
+ - errchkjson
+ - errorlint
+ - exhaustive
+ - fatcontext
+ - gocheckcompilerdirectives
+ - gochecksumtype
+ - gocritic
+ - gocyclo
+ - godox
+ - gomoddirectives
+ - gomodguard
+ - gosec
+ - gosmopolitan
+ - loggercheck
+ - maintidx
+ - makezero
+ - misspell
+ - musttag
+ - nilerr
+ - nilnesserr
+ - paralleltest
+ - prealloc
+ - protogetter
+ - reassign
+ - recvcheck
+ - revive
+ - rowserrcheck
+ - spancheck
+ - sqlclosecheck
+ - testableexamples
+ - testifylint
+ - testpackage
+ - thelper
+ - tparallel
+ - unparam
+ - usetesting
+ - wrapcheck
+ - zerologlint
disable:
- cyclop
+ - depguard
+ - err113
+ - exhaustruct
- funlen
- gocognit
- - nestif
- - exhaustruct # TODO? annoying for now
- - goerr113 # TODO enable later
- godot
- - depguard
-
+ - nestif
+ - perfsprint
+ - noctx
+ settings:
+ govet:
+ enable:
+ - shadow
+ exclusions:
+ generated: lax
+ presets:
+ - comments
+ - common-false-positives
+ - legacy
+ - std-error-handling
+ paths:
+ - third_party$
+ - builtin$
+ - examples$
issues:
max-issues-per-linter: 0
max-same-issues: 0
-
-linters-settings:
- govet:
- enable:
- - shadow
+formatters:
+ enable:
+ - gci
+ - gofmt
+# - gofumpt
+ - goimports
+ exclusions:
+ generated: lax
+ paths:
+ - third_party$
+ - builtin$
+ - examples$
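Review bot: `gosec` is in the new `enable:` list, but the `exclusions.presets` block added further down (`common-false-positives`, `legacy`, `std-error-handling`) appears to switch part of it off again. As far as I know the golangci-lint v2 presets, `common-false-positives` drops the gosec findings for subprocesses launched with variable arguments and for file paths taken from variables, which are the two patterns this agent has through `--pinentry` and `--uss-file`. I would either drop the presets that are not needed or put a comment above them, e.g. `# NOTE: these presets suppress some gosec and errcheck findings; confirm each one is still wanted`. `perfsprint` and `noctx` are also newly disabled with no reason given, whereas the removed entries carried a TODO explaining why.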
diff -Nru tkey-ssh-agent-1.0.0+ds/go.mod tkey-ssh-agent-1.1.0+ds/go.mod
--- tkey-ssh-agent-1.0.0+ds/go.mod 2024-11-15 11:05:42.000000000 +0100
+++ tkey-ssh-agent-1.1.0+ds/go.mod 2026-03-16 14:10:28.000000000 +0100
@@ -1,6 +1,6 @@
module github.com/tillitis/tkey-ssh-agent
-go 1.19
+go 1.23.0
require (
github.com/Microsoft/go-winio v0.6.1
@@ -8,16 +8,17 @@
github.com/getlantern/systray v1.2.1
github.com/spf13/pflag v1.0.5
github.com/tawesoft/golib/v2 v2.9.0
- github.com/tillitis/tkeyclient v1.0.0
+ github.com/tillitis/tkeyclient v1.3.0
github.com/tillitis/tkeysign v1.0.0
github.com/tillitis/tkeyutil v0.0.7
github.com/twpayne/go-pinentry-minimal v0.0.0-20220113210447-2a5dc4396c2a
- golang.org/x/crypto v0.22.0
+ golang.org/x/crypto v0.40.0
)
require (
github.com/alessio/shellescape v1.4.1 // indirect
github.com/apenwarr/w32 v0.0.0-20190407065021-aa00fece76ab // indirect
+ github.com/ccoveille/go-safecast/v2 v2.0.0 // indirect
github.com/creack/goselect v0.1.2 // indirect
github.com/gen2brain/beeep v0.0.0-20230907135156-1a38885a97fc // indirect
github.com/getlantern/context v0.0.0-20190109183933-c447772a6520 // indirect
@@ -34,9 +35,10 @@
github.com/tadvi/systray v0.0.0-20190226123456-11a2b8fa57af // indirect
go.bug.st/serial v1.6.2 // indirect
golang.org/x/exp v0.0.0-20221208152030-732eee02a75a // indirect
- golang.org/x/mod v0.14.0 // indirect
- golang.org/x/sys v0.19.0 // indirect
- golang.org/x/term v0.19.0 // indirect
- golang.org/x/text v0.14.0 // indirect
- golang.org/x/tools v0.16.0 // indirect
+ golang.org/x/mod v0.25.0 // indirect
+ golang.org/x/sync v0.16.0 // indirect
+ golang.org/x/sys v0.34.0 // indirect
+ golang.org/x/term v0.33.0 // indirect
+ golang.org/x/text v0.27.0 // indirect
+ golang.org/x/tools v0.34.0 // indirect
)
diff -Nru tkey-ssh-agent-1.0.0+ds/.goreleaser.yaml tkey-ssh-agent-1.1.0+ds/.goreleaser.yaml
--- tkey-ssh-agent-1.0.0+ds/.goreleaser.yaml 2024-11-15 11:05:42.000000000 +0100
+++ tkey-ssh-agent-1.1.0+ds/.goreleaser.yaml 2026-03-16 14:10:28.000000000 +0100
@@ -1,4 +1,5 @@
# Make sure to check the documentation at https://goreleaser.com
+version: 2
release:
draft: true
replace_existing_draft: true
@@ -77,7 +78,7 @@
-w -X main.version={{ .Version }} -X main.signerAppNoTouch= -buildid=
hooks:
- pre: sh -c "cd ./cmd/tkey-ssh-agent && go-winres make --arch amd64"
+ pre: sh -c "cd ./cmd/tkey-ssh-agent && ../../gotools/go-winres make --arch amd64"
- id: windows-tray
main: ./cmd/tkey-ssh-agent-tray
@@ -99,13 +100,14 @@
# Custom ldflags mostly to avoid setting main.date which for some
# reason is default
ldflags:
- -w -H windowsgui -buildid=
+ -w -H windowsgui -X main.version={{ .Version }} -buildid=
hooks:
- pre: sh -c "cd ./cmd/tkey-ssh-agent-tray && go-winres make --arch amd64"
+ pre: sh -c "cd ./cmd/tkey-ssh-agent-tray && ../../gotools/go-winres make --arch amd64"
universal_binaries:
- - ids:
+ - id: tkey-ssh-agent
+ ids:
- darwin
replace: true
name_template: "tkey-ssh-agent"
@@ -220,7 +222,7 @@
checksum:
name_template: 'checksums.txt'
snapshot:
- name_template: "{{ incpatch .Version }}-next"
+ version_template: "{{ incpatch .Version }}-next"
changelog:
sort:
filters:
diff -Nru tkey-ssh-agent-1.0.0+ds/go.sum tkey-ssh-agent-1.1.0+ds/go.sum
--- tkey-ssh-agent-1.0.0+ds/go.sum 2024-11-15 11:05:42.000000000 +0100
+++ tkey-ssh-agent-1.1.0+ds/go.sum 2026-03-16 14:10:28.000000000 +0100
@@ -6,10 +6,13 @@
github.com/apenwarr/fixconsole v0.0.0-20191012055117-5a9f6489cc29/go.mod h1:JYWahgHer+Z2xbsgHPtaDYVWzeHDminu+YIBWkxpCAY=
github.com/apenwarr/w32 v0.0.0-20190407065021-aa00fece76ab h1:CMGzRRCjnD50RjUFSArBLuCxiDvdp7b8YPAcikBEQ+k=
github.com/apenwarr/w32 v0.0.0-20190407065021-aa00fece76ab/go.mod h1:nfFtvHn2Hgs9G1u0/J6LHQv//EksNC+7G8vXmd1VTJ8=
+github.com/ccoveille/go-safecast/v2 v2.0.0 h1:+5eyITXAUj3wMjad6cRVJKGnC7vDS55zk0INzJagub0=
+github.com/ccoveille/go-safecast/v2 v2.0.0/go.mod h1:JIYA4CAR33blIDuE6fSwCp2sz1oOBahXnvmdBhOAABs=
github.com/creack/goselect v0.1.2 h1:2DNy14+JPjRBgPzAd1thbQp4BSIihxcBf0IXhQXDRa0=
github.com/creack/goselect v0.1.2/go.mod h1:a/NhLweNvqIYMuxcMOuWY516Cimucms3DglDzQP3hKY=
github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
+github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
github.com/gen2brain/beeep v0.0.0-20230907135156-1a38885a97fc h1:NNgdMgPX3j33uEAoVVxNxillDPnxT0xbGv8uh4CKIAo=
github.com/gen2brain/beeep v0.0.0-20230907135156-1a38885a97fc/go.mod h1:0W7dI87PvXJ1Sjs0QPvWXKcQmNERY77e8l7GFhZB/s4=
github.com/getlantern/context v0.0.0-20190109183933-c447772a6520 h1:NRUJuo3v3WGC/g5YiyF790gut6oQr5f3FBI88Wv0dx4=
@@ -32,6 +35,8 @@
github.com/go-toast/toast v0.0.0-20190211030409-01e6764cf0a4/go.mod h1:kW3HQ4UdaAyrUCSSDR4xUzBKW6O2iA4uHhk7AtyYp10=
github.com/godbus/dbus/v5 v5.1.0 h1:4KLkAxT3aOY8Li4FRJe/KvhoNFFxo0m6fNuFUO8QJUk=
github.com/godbus/dbus/v5 v5.1.0/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
+github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
+github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
github.com/nu7hatch/gouuid v0.0.0-20131221200532-179d4d0c4d8d h1:VhgPp6v9qf9Agr/56bj7Y/xa04UccTW04VP0Qed4vnQ=
github.com/nu7hatch/gouuid v0.0.0-20131221200532-179d4d0c4d8d/go.mod h1:YUTz3bUH2ZwIWBy3CJBeOBEugqcmXREj14T+iG/4k4U=
github.com/oxtoacart/bpool v0.0.0-20190530202638-03653db5a59c h1:rp5dCmg/yLR3mgFuSOe4oEnDDmGLROTvMragMUXpTQw=
@@ -43,12 +48,13 @@
github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
github.com/stretchr/testify v1.8.0 h1:pSgiaMZlXftHpm5L7V1+rVB+AZJydKsMxsQBIJw4PKk=
+github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
github.com/tadvi/systray v0.0.0-20190226123456-11a2b8fa57af h1:6yITBqGTE2lEeTPG04SN9W+iWHCRyHqlVYILiSXziwk=
github.com/tadvi/systray v0.0.0-20190226123456-11a2b8fa57af/go.mod h1:4F09kP5F+am0jAwlQLddpoMDM+iewkxxt6nxUQ5nq5o=
github.com/tawesoft/golib/v2 v2.9.0 h1:R84RNHs+A8UYuRVlLKVpb3Xzp1bvyP2qgAAZQ/ZRXfA=
github.com/tawesoft/golib/v2 v2.9.0/go.mod h1:jGw0nDuOLpji2TW5QfSQLcWnZ4WtS4TizzRuXu3hZ/Y=
-github.com/tillitis/tkeyclient v1.0.0 h1:Ox9mEwxon9SRUconYZXrcqrm0YxpMCblMZLPXzPtKro=
-github.com/tillitis/tkeyclient v1.0.0/go.mod h1:dg2fyhB6szX7n1QIf19WcWtl/ueBPQYVlTCjY/kG5pM=
+github.com/tillitis/tkeyclient v1.3.0 h1:fUlghD+xvtL+qoajgrsetCC7KPwSfpjDDgqxMOBA2VU=
+github.com/tillitis/tkeyclient v1.3.0/go.mod h1:7VtzyEjm08Wf+1zdrs20HsvM+WzhyztinvGG2/HY+Is=
github.com/tillitis/tkeysign v1.0.0 h1:qB4UZQzIRsEsQg1hLZE1bhQmk37O4c2qTStn5CAuhlg=
github.com/tillitis/tkeysign v1.0.0/go.mod h1:7byJbKOEwCjCcUT9lw8WARl+0xO1fFrq+QMJc4MYiqA=
github.com/tillitis/tkeyutil v0.0.7 h1:+QE4hvthUextFDiLt8Ssxffyn0FPNwDcloahS0sPSQU=
@@ -57,22 +63,24 @@
github.com/twpayne/go-pinentry-minimal v0.0.0-20220113210447-2a5dc4396c2a/go.mod h1:ARJJXqNuaxVS84jX6ST52hQh0TtuQZWABhTe95a6BI4=
go.bug.st/serial v1.6.2 h1:kn9LRX3sdm+WxWKufMlIRndwGfPWsH1/9lCWXQCasq8=
go.bug.st/serial v1.6.2/go.mod h1:UABfsluHAiaNI+La2iESysd9Vetq7VRdpxvjx7CmmOE=
-golang.org/x/crypto v0.22.0 h1:g1v0xeRhjcugydODzvb3mEM9SQ0HGp9s/nh3COQ/C30=
-golang.org/x/crypto v0.22.0/go.mod h1:vr6Su+7cTlO45qkww3VDJlzDn0ctJvRgYbC2NvXHt+M=
+golang.org/x/crypto v0.40.0 h1:r4x+VvoG5Fm+eJcxMaY8CQM7Lb0l1lsmjGBQ6s8BfKM=
+golang.org/x/crypto v0.40.0/go.mod h1:Qr1vMER5WyS2dfPHAlsOj01wgLbsyWtFn/aY+5+ZdxY=
golang.org/x/exp v0.0.0-20221208152030-732eee02a75a h1:4iLhBPcpqFmylhnkbY3W0ONLUYYkDAW9xMFLfxgsvCw=
golang.org/x/exp v0.0.0-20221208152030-732eee02a75a/go.mod h1:CxIveKay+FTh1D0yPZemJVgC/95VzuuOLq5Qi4xnoYc=
-golang.org/x/mod v0.14.0 h1:dGoOF9QVLYng8IHTm7BAyWqCqSheQ5pYWGhzW00YJr0=
-golang.org/x/mod v0.14.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
-golang.org/x/sync v0.5.0 h1:60k92dhOjHxJkrqnwsfl8KuaHbn/5dl0lUPUklKo3qE=
+golang.org/x/mod v0.25.0 h1:n7a+ZbQKQA/Ysbyb0/6IbB1H/X41mKgbhfv7AfG/44w=
+golang.org/x/mod v0.25.0/go.mod h1:IXM97Txy2VM4PJ3gI61r1YEk/gAj6zAHN3AdZt6S9Ww=
+golang.org/x/sync v0.16.0 h1:ycBJEhp9p4vXvUZNszeOq0kGTPghopOL8q0fq3vstxw=
+golang.org/x/sync v0.16.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
golang.org/x/sys v0.0.0-20190405154228-4b34438f7a67/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20200515095857-1151b9dac4a9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.19.0 h1:q5f1RH2jigJ1MoAWp2KTp3gm5zAGFUTarQZ5U386+4o=
-golang.org/x/sys v0.19.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/term v0.19.0 h1:+ThwsDv+tYfnJFhF4L8jITxu1tdTWRTZpdsWgEgjL6Q=
-golang.org/x/term v0.19.0/go.mod h1:2CuTdWZ7KHSQwUzKva0cbMg6q2DMI3Mmxp+gKJbskEk=
-golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ=
-golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
-golang.org/x/tools v0.16.0 h1:GO788SKMRunPIBCXiQyo2AaexLstOrVhuAL5YwsckQM=
-golang.org/x/tools v0.16.0/go.mod h1:kYVVN6I1mBNoB1OX+noeBjbRk4IUEPa7JJ+TJMEooJ0=
+golang.org/x/sys v0.34.0 h1:H5Y5sJ2L2JRdyv7ROF1he/lPdvFsd0mJHFw2ThKHxLA=
+golang.org/x/sys v0.34.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
+golang.org/x/term v0.33.0 h1:NuFncQrRcaRvVmgRkvM3j/F00gWIAlcmlB8ACEKmGIg=
+golang.org/x/term v0.33.0/go.mod h1:s18+ql9tYWp1IfpV9DmCtQDDSRBUjKaw9M1eAv5UeF0=
+golang.org/x/text v0.27.0 h1:4fGWRpyh641NLlecmyl4LOe6yDdfaYNrGb2zdfo4JV4=
+golang.org/x/text v0.27.0/go.mod h1:1D28KMCvyooCX9hBiosv5Tz/+YLxj0j7XhWjpSUF7CU=
+golang.org/x/tools v0.34.0 h1:qIpSLOxeCYGg9TrcJokLBG4KFA6d795g0xkBkiESGlo=
+golang.org/x/tools v0.34.0/go.mod h1:pAP9OwEaY1CAW3HOmg3hLZC5Z0CCmzjAF2UQMSqNARg=
gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
+gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
diff -Nru tkey-ssh-agent-1.0.0+ds/Makefile tkey-ssh-agent-1.1.0+ds/Makefile
--- tkey-ssh-agent-1.0.0+ds/Makefile 2024-11-15 11:05:42.000000000 +0100
+++ tkey-ssh-agent-1.1.0+ds/Makefile 2026-03-16 14:10:28.000000000 +0100
@@ -45,7 +45,7 @@
.PHONY: podman
podman:
- podman run --rm --mount type=bind,source=$(CURDIR),target=/src -w /src -it ghcr.io/tillitis/tkey-builder:4 make -j
+ podman run --rm --mount type=bind,source=$(CURDIR),target=/src -w /src -it ghcr.io/tillitis/tkey-builder:5rc2 make -j
.PHONY: check-signer-hash
check-signer-hash:
@@ -68,7 +68,7 @@
tkey-ssh-agent-tray.exe:
$(MAKE) -C gotools go-winres
cd ./cmd/tkey-ssh-agent-tray && ../../gotools/go-winres make --arch amd64
- GOOS=windows GOARCH=amd64 CGO_ENABLED=0 go build -ldflags "-H windowsgui" -trimpath -buildvcs=false ./cmd/tkey-ssh-agent-tray
+ GOOS=windows GOARCH=amd64 CGO_ENABLED=0 go build -ldflags "-H windowsgui -X main.version=$(TKEY_SSH_AGENT_VERSION)" -trimpath -buildvcs=false ./cmd/tkey-ssh-agent-tray
.PHONY: clean
clean:
diff -Nru tkey-ssh-agent-1.0.0+ds/README.md tkey-ssh-agent-1.1.0+ds/README.md
--- tkey-ssh-agent-1.0.0+ds/README.md 2024-11-15 11:05:42.000000000 +0100
+++ tkey-ssh-agent-1.1.0+ds/README.md 2026-03-16 14:10:28.000000000 +0100
@@ -114,14 +114,14 @@
run:
```
-$ podman pull ghcr.io/tillitis/tkey-builder:4
+$ podman pull ghcr.io/tillitis/tkey-builder:5rc2
$ make podman
```
or run it directly with Podman:
```
-$ podman run --rm --mount type=bind,source=$(CURDIR),target=/src --mount type=bind,source=$(CURDIR)/../tkey-libs,target=/tkey-libs -w /src -it ghcr.io/tillitis/tkey-builder:4 make -j
+$ podman run --rm --mount type=bind,source=$(CURDIR),target=/src --mount type=bind,source=$(CURDIR)/../tkey-libs,target=/tkey-libs -w /src -it ghcr.io/tillitis/tkey-builder:5rc2 make -j
```
Note that building with Podman like this by default creates a Linux
diff -Nru tkey-ssh-agent-1.0.0+ds/system/tkey-ssh-agent.1 tkey-ssh-agent-1.1.0+ds/system/tkey-ssh-agent.1
--- tkey-ssh-agent-1.0.0+ds/system/tkey-ssh-agent.1 2024-11-15 11:05:42.000000000 +0100
+++ tkey-ssh-agent-1.1.0+ds/system/tkey-ssh-agent.1 2026-03-16 14:10:28.000000000 +0100
@@ -10,6 +10,7 @@
.Nm
.Op Fl L | -list-ports
.Op Fl a | -agent-path Ar path
+.Op Fl -force-full-uss
.Op Fl -help
.Op Fl p | -show-pubkey
.Op Fl -pinentry Ar command
@@ -67,6 +68,9 @@
Supplied Secret to be mixed into the TKey identity. Use '-' (dash) to
read from stdin. The full contents are hashed unmodified (i.e.
newlines are not stripped).
+.It Fl -force-full-uss
+Force the use of a full 32 byte USS digest. For backwards compatibility
+the default is 31 bytes.
.It Fl -version
Output version information.
.El

