QubesOS / qubes-issues

The Qubes OS Project issue tracker
https://www.qubes-os.org/doc/issue-tracking/

fido2 implementation breaks on Debian-based sys-usb #8529

Open ctr49 opened 1 year ago

ctr49 commented 1 year ago

It seems #31 requires python3-fido2 >= 1.0.0 (only then AttestationResponse was introduced for tap).

However, Debian ships with lower versions (Bullseye with 0.8.1, Bookworm with 0.9.1) so this will not work on a Debian-based sys-usb.

Originally posted by @ctr49 in https://github.com/QubesOS/qubes-app-u2f/issues/31#issuecomment-1704352667

andrewdavidwong commented 1 year ago

Does this affect 4.1 or 4.2 (or both)?

andrewdavidwong commented 1 year ago

Ah, looks like both.

marmarek commented 1 year ago

On Debian 12 (stable, bookworm), we've added a newer python-fido2 to our repository. On older Debian it isn't that easy, so it's going to stay on the older qubes-u2f package. On R4.1, qubes-ctap never went out of the testing repository, so users with Debian 11 and just stable repositories are unaffected.

But those with Debian 11 having either testing repositories enabled, or having R4.2 already (where qubes-ctap landed in the stable repo), will need to downgrade the qubes-u2f package on debian-11 manually. I haven't tested it, but something like this should work:

apt-get update
apt-get remove qubes-ctap
apt-get --allow-downgrades install "qubes-u2f=1.*"

zpc0 commented 8 months ago

Since R4.2 only supports Debian 12 and this issue is fixed in Debian 12, I think "affect-4.2" can be removed.
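
A pre-check for the downgrade discussed in this thread, as an added example that is not part of the issue or of the Qubes project's code: it reports whether a Debian-based sys-usb template has qubes-ctap installed alongside a python3-fido2 older than 1.0.0. The 1.0.0 threshold is taken from the report above as an assumption, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example. Assumption (from the report above): qubes-ctap needs
# python3-fido2 >= 1.0.0, so comparing the major version is sufficient.

# fido2_is_new_enough VERSION -> 0 if >= 1.0.0, 1 if older, 2 if unparsable
fido2_is_new_enough() {
    v=${1#*:}          # drop a Debian epoch such as "1:" if present
    major=${v%%.*}     # leading component of the upstream version
    case $major in
        ''|*[!0-9]*) return 2 ;;   # empty or not a version string
    esac
    [ "$major" -ge 1 ]
}

# ctap_action FIDO2_VERSION CTAP_INSTALLED(yes|no) -> ok|downgrade|unknown
ctap_action() {
    if [ "$2" != yes ]; then
        echo ok                    # qubes-ctap absent: nothing to downgrade
    elif fido2_is_new_enough "$1"; then
        echo ok
    elif [ $? -eq 1 ]; then
        echo downgrade             # apply the apt-get steps from the thread
    else
        echo unknown               # python3-fido2 missing or odd version
    fi
}

# check_installed: query dpkg inside the template and print the action
check_installed() {
    fido2=$(dpkg-query -W -f='${Version}' python3-fido2 2>/dev/null) || fido2=
    if dpkg-query -W -f='${Status}' qubes-ctap 2>/dev/null \
            | grep -q 'install ok installed'; then
        ctap=yes
    else
        ctap=no
    fi
    ctap_action "$fido2" "$ctap"
}

# Live check only when requested: sh check.sh --check
if [ "${1:-}" = "--check" ]; then
    check_installed
fi
```
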