Releases: arekinath/pivy

v0.11.2

21 Nov 04:03
  • piv: better error messages on invalid PIN cowardice (#41)
  • piv: handle "no readers" errors better, stops agent from getting lost
  • pivy-agent: slot spec parser error message improvements
  • pivy-agent: support for using notify-send as SSH_CONFIRM
  • update bundled libressl to 3.8.2, openssh to 9.5p1 (fixes build issues with new versions of zlib)
  • illumos: fix race applying socket_owner/socket_mode SMF properties in pivy-agent service

v0.11.1

05 Mar 23:29

Bugs fixed:

  • pivy-ca/box/luks/zfs: possible use-after-free leading to segfault in recovery mode
  • pivy-box/luks/zfs: reading in PINs on Linux initrd console (without a /dev/tty) was broken
  • pivy-ca: OpenBSD getopt issues in "pivy-ca shell"
  • pivy-agent: wake-up deadline calculation was busted, leading to high CPU usage

v0.11.0

28 Feb 01:54

New features:

  • Update to OpenSSH 9.2, LibreSSL 3.7.0
  • pivy-agent: new -u/-z option to whitelist other UIDs/ZIDs for access
  • pivy-agent: x509-certs extension support
  • pivy-agent: sign-prehash extension support
  • pivy-agent: support for exename checking on OpenBSD

Bugs fixed:

  • pivy-ca: fixes for provisioning new CAs
  • all tools: switch to getpassphrase() and handle ctrl+C properly
  • pivy-tool: "setup" command is now much safer
  • pivy-agent: fix denied connections (due to wrong UID) closing the listening socket
  • pivy-box: fix garbage slot IDs when parsing keywords form of template
  • pivy-tool: remove invalid algo from help text
  • piv: parse deprecated "Auth Key Map" element in CHUID
  • illumos: SMF method improvements

v0.10.0

06 Sep 01:06

New features:

  • Added the pivy-ca tool, which manages a basic X.509 CA on a PIV device
  • pivy-agent now supports the OpenSSH sessbind extension for detecting forwarded agent connections
  • pivy-tool accepts and produces PEM as well as DER for certificate-related commands
  • Added pivy-tool list -j to produce JSON output
  • pivy-box can import configs from another template in edit -i mode
  • illumos binaries are now built against the system libpcsc and have CTF information

Bugs fixed:

  • Build issue on some new versions of libbsd (e.g. on ArchLinux)
  • pivy-tool fix for MS SID extension in user-auth certs being generated incorrectly
  • pivy-agent and pivy-tool no longer reset the card after every transaction if they can clear PIN state instead
  • PIV spec: handle 6A88 status words properly on PIN commands
  • pivy-tool: fix generate on non-contiguous retired key slots

v0.9.0

06 Sep 01:02

New features:

  • Support for building with LibreSSL 3.5.2 / OpenSSL 3.x
  • pivy-tool can parse and display the PIV Printed Info object, as well as new info from the CHUID file (FASC-N etc)
  • pivy-tool req-cert and pivy-tool write-cert commands
  • Finer control over the certificates generated by pivy-tool using -D and -T, and support for KRB5 PKINIT SANs

Bugs fixed:

  • pivy-agent is now strict about device disconnection time before it drops a cached PIN
  • pivy-zfs rekey is now panic-safe
  • Incorrectly generated length tags (used longer encoding than necessary) in some PIV objects are now correct
  • pivy-box now strips off --Begin-- and --End-- noise on challenges when pasted on stdin

Also note that the -src tarball on the Releases page now contains LibreSSL and OpenSSH already downloaded and extracted, so you can do self-contained builds from it.

v0.8.0

06 Sep 00:59

New features:

  • 4-digit PINs (on supported cards)
  • AES algorithms for admin key (works with PivApplet, maybe others)
  • pivy-agent: SSH_NOTIFY_SEND can now be set to receive desktop notifications when touch input may be required
  • pivy-zfs: can now use pivy-zfs rekey <fs> without a template to generate a new key with the same configs as the current ebox
  • pivy-zfs: now falls back to looking at the com.joyent.kbm:ebox property if rfd77:ebox is not available

Bugfixes:

  • Support for some Gemalto cards which send a nested tag in APT/RTS
  • Allow multiple 'AC' tags in RTS (fixes "algorithms" output on latest PivApplet)

v0.7.0

06 Sep 00:57

New features:

  • pivy-box: "key unlock" and "stream decrypt" can now accept a filename argument instead of reading stdin (and will include that filename in any generated recovery challenge-responses)
  • pivy-box: can now find templates at multiple paths, including in a system directory. On Linux, the default dir for new templates is now $HOME/.config/pivy/tpl and on OSX $HOME/Library/Preferences/pivy/tpl (the old directories will still be checked for templates)
  • pivy-agent: in -C mode, PID authorizations are now cached for 15 seconds (makes Manta tools especially nicer to use)
  • pivy-tool: add "update-keyhist" command, which scans all retired key slots and re-generates the PIV Key History object, to fix un-detected keys in retired key slots

Bug fixes:

  • All tools: now support using metadata/attestation information to detect when touch confirmation is required for a key and emit prompts to match. PIN prompting should now occur before touch.
  • Fix for some issues around using multiple local devices in order (e.g. in the same card reader) with pivy-box recovery

v0.6.1

06 Sep 00:57

Bugs fixed:

  • pivy-agent: fix for parsing errors in pivy-agent -S arguments (sensitivity to argument ordering etc.)
  • pivy-box: performance improvements with large numbers of configs (and large numbers of tokens on the system)
  • pivy-agent: re-establish a new PCSC context on some errors automatically; fixes hangs and errors on macOS Catalina and enables pivy-agent to continue running after a restart of pcscd on Linux

v0.6.0

06 Sep 00:55

New features:

  • pivy-agent: support for SSH_ASKPASS
  • pivy-agent: support for connection confirm mode and SSH_CONFIRM
  • pivy-box/pivy-tool now fall back to searching all available slots/tokens for an unknown key, including for a box without a guid/slot set
  • pivy-box tpl list command

Bugs fixed:

  • Fix for getpeerucred crash on illumos
  • No longer try to use -m64 everywhere (fixes build on 32-bit platforms like armv7)

v0.5.1

06 Sep 00:54

Bugs fixed:

  • Using imported keys in retired key slots provoked a crash due to strdup(NULL)
  • Malformed empty TLV tags could be generated in the key history object
  • pivy-tool set-admin should use the key in the printed info object if needed