Closed robin-nitrokey closed 1 year ago
I think for spsdk the test would be just running Nitrokey 3 update. Cryptography is used only for the FIDO2 provisioning, so it is not user faced, right?
Yes, for `spsdk` it's the NK3xN firmware update. For `cryptography`, it's more complicated. While we use it only for the provisioning command, it is also used by our dependencies, e.g. `fido2` and `spsdk`.
Rebased, but fails on mypy check:
```
venv/bin/python3 -m mypy pynitrokey/
pynitrokey/nk3/bootloader/lpc55.py:16: error: Module "spsdk" has no attribute "spsdk_log_handler" [attr-defined]
pynitrokey/nk3/bootloader/lpc55.py:16: error: Module "spsdk" has no attribute "spsdk_logger" [attr-defined]
pynitrokey/nk3/bootloader/lpc55.py:110: error: Argument "progress_callback" to "receive_sb_file" of "McuBoot" has incompatible type "Optional[Callable[[int, int], None]]"; expected "Callable[[int, int], None]" [arg-type]
Found 3 errors in 1 file (checked 288 source files)
```
Needs update
I can't test the FIDO CLI commands, since these are not fixed yet (!), missing the API update of the `fido2` package.
I will test NK3 update on the dev sample.
Rebased again and updated to spsdk v1.10.1 to avoid the logging issue. Did you update the venv before running mypy? The errors you listed are caused by an incompatible spsdk version.
lgtm, did some tests:
remaining tests with nk3am:
- fido2 change-pin :heavy_check_mark:
- fido2 make-credential :heavy_check_mark:
- fido2 challenge-response :heavy_check_mark:
- fido2 rng hexbytes :heavy_check_mark:
- fido2 verify :heavy_check_mark:
- fido2 challenge-response :heavy_check_mark:
- fido2 list-credentials :heavy_check_mark:
This patch bumps cryptography to 39.0.1 which fixes two vulnerabilities: https://github.com/Nitrokey/pynitrokey/security/dependabot/1 https://github.com/Nitrokey/pynitrokey/security/dependabot/2
This also requires bumping spsdk to 1.9.0, which allows us to drop some workarounds for fixed issues. Note that 1.9.0 adds a default log handler for the spsdk module which we have to remove manually so that stdout is not cluttered with log messages.
Checklist
Make sure to run `make check` and `make fix` before creating a PR, otherwise the CI will fail.
Test Environment and Execution
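The PR description above notes that spsdk 1.9.0 adds a default log handler that has to be removed so stdout is not cluttered. The following is an added example, not pynitrokey's or spsdk's own code: it detaches handlers from a library logger with the standard `logging` module only. It assumes the library logs under the name `spsdk`; the child logger name and the in-memory sink are constructed for the demonstration.

```python
import io
import logging
from typing import Tuple


def detach_library_handlers(name: str) -> int:
    """Remove every handler attached to logger `name` and its child loggers.

    Returns the number of handlers removed. A NullHandler is left on the
    top-level library logger so that, when the application configures no
    logging at all, records do not fall through to logging.lastResort
    (which prints WARNING and above to stderr).
    """
    prefix = name + "."
    removed = 0
    # loggerDict also holds PlaceHolder objects; keep only real Logger instances
    candidates = [logging.getLogger(name)] + [
        lg for key, lg in logging.Logger.manager.loggerDict.items()
        if key.startswith(prefix) and isinstance(lg, logging.Logger)
    ]
    for lg in candidates:
        for handler in list(lg.handlers):  # copy: removeHandler mutates the list
            lg.removeHandler(handler)
            removed += 1
    logging.getLogger(name).addHandler(logging.NullHandler())
    return removed


def demo() -> Tuple[str, str, int]:
    """Constructed stand-in for a library that installs handlers on import."""
    sink = io.StringIO()  # stands in for stdout
    lib = logging.getLogger("spsdk")  # assumed library logger name
    lib.setLevel(logging.INFO)
    lib.addHandler(logging.StreamHandler(sink))
    child = logging.getLogger("spsdk.example_child")  # constructed child name
    child.addHandler(logging.StreamHandler(sink))

    child.info("before")  # written once by the child handler, once by the parent
    before = sink.getvalue()
    removed = detach_library_handlers("spsdk")
    child.info("after")  # no handler left that writes to the sink
    after = sink.getvalue()[len(before):]
    return before, after, removed
```

Records still propagate to the root logger after this call, so an application that configures its own handlers keeps receiving the library's messages.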