After upgrade to 5.0.0 Yubikey-Authenticator 5.1.0 no longer working

[gbcox]

• YubiKey Manager (ykman) version: 5.0.0
• How was it installed?: rpm
• Operating system and version: Fedora 37
• YubiKey model and version: yubikey 5 nano
• Bug description summary: Upgraded on F37 to ykman 5.0.0... which seems to be working fine so far with my nano, but now yubikey-authenticator isn't reading the key.

[dainnilsson]

Yubico Authenticator should be bundling its own version of ykman, not using a system installation of it. I take it the Fedora package is different? We don't really intend to make Yubico Authenticator 5 compatible with ykman 5, as our efforts are on getting Yubico Authenticator 6 done.

[gbcox]

Bundling is against packaging guidelines. No problem, I will cancel the upgrade and resubmit when you are able to release the Authenticator upgrade.

On Thu, Oct 20, 2022, 15:41 Dain Nilsson @.***> wrote:

Yubico Authenticator should be bundling its own version of ykman, not using a system installation of it. I take it the Fedora package is different? We don't really intend to make Yubico Authenticator 5 compatible with ykman 5, as our efforts are on getting Yubico Authenticator 6 done.

— Reply to this email directly, view it on GitHub https://github.com/Yubico/yubikey-manager/issues/523#issuecomment-1285985218, or unsubscribe https://github.com/notifications/unsubscribe-auth/ABCVEK4JSJ4YX53HRKMZA5LWEGG7DANCNFSM6AAAAAARKNLPB4 . You are receiving this because you authored the thread.Message ID: @.***>

[dainnilsson]

Alright, I will leave this issue open until we ship the new app, as a reminder to ping you about it! Should be out before the end of the year.

[gbcox]

Thanks! Much appreciated!

[amake]

FYI this affects MacPorts as well.

(I am the maintainer of the yubikey-manager and yubico-authenticator ports, so I will simply keep tabs on this thread.)

[molecular]

Oh that's tremendous, so I can access my sites again before the end of the year ;-)))

Seriously, my yubikey oath just broke on archlinux update. See https://bugs.archlinux.org/task/76325

What's the interim solution? Downgrade ykman to 4???

[dainnilsson]

This is a problem with the Arch Linux package, which is not maintained or supported by Yubico. Until they resolve the issue I suggest you use the AppImage provided at https://developers.yubico.com/yubioath-desktop/Releases/. Downgrading to ykman 4 would also be a viable option.

All packages of Yubico Authenticator provided by Yubico have a compatible version of ykman included, and our recommendation is for third party packages to do the same. If this is against packaging guidelines they should at least be limiting dependencies within compatible versions according to Semantic Versioning.

[molecular]

Thanks @dainnilsson, yes you're right. It's arch problem. I downgraded ykman to 4 and that works. Sorry for the negativity and slight "accusation" (unfounded). I was getting nervous because I couldn't access my stuff. I have written down most keys or duplicated on phone, but not all.

[dainnilsson]

No worries, your frustration is understandable! Glad you were able to downgrade without issue. We'll make sure to call this our more explicitly in both projects README's to hopefully avoid the same thing happening again in the future when ykman 6 is released.

[Foxboron]

Is the dependency in yubioath-desktop even correct? Currently it pins to one yubikey-manager minor release and this isn't kept in-sync with the upstream releases. Should this be relaxed?

https://github.com/Yubico/yubioath-desktop/blob/main/requirements.txt#L1

Not that this is well tested (nor correct), but it seems like this patch restores some functionality to the desktop app with the 5.x iteration of yubikey-manager: https://paste.xinu.at/M2dOf5QaB3442UMLfOp/

[dainnilsson]

Since the packages Yubico maintains bundle its dependencies we use exact pinned versions, which are the ones you'll see in the requirements.txt, it's pointing to the latest version at the time of release, typically. However, the projects follow semver, so it should be perfectly safe to depend on anything >= the pinned version, but < the next major version.

[dainnilsson]

Yubico Authenticator 6.0.0 (note the repository name change!) is now released, supporting (and requiring) ykman 5.0.0.