psanford / tpm-fido

A WebAuthn/U2F token protected by a TPM (Go/Linux)
MIT License

Stuck at "Insert your security key and touch it" #17

Open lachesis opened 1 year ago

lachesis commented 1 year ago

I'm trying the demo at https://passkeys.io. I am on Arch Linux. The same issue appears in both Chromium and Firefox. I'm not using snap, flatpak, or anything else like that.

When using Chrome, I see the following in logs:

2023/05/08 14:54:32 unsuppoted cmd: CmdCbor 16
2023/05/08 14:54:32 got RegisterCmd site=<unknown 4141414141414141414141414141414141414141414141414141414141414141>
2023/05/08 14:56:32 unsuppoted cmd: CmdCbor 16
2023/05/08 14:56:32 got RegisterCmd site=<unknown 4141414141414141414141414141414141414141414141414141414141414141>

When using Firefox, I see this, repeated about 10 times a second:

2023/05/08 14:54:25 got RegisterCmd site=<unknown 0000000000000000000000000000000000000000000000000000000000000000>

The dialog in Chrome just says "Insert your security key and touch it". I don't know how to "touch" this internal TPM. :P

Am I doing something particularly silly here?

psanford commented 1 year ago

There are two issues here:

1) tpm-fido uses an external program, pinentry, to prompt you to confirm user presence. When I go through the registration process on that site I get a pinentry dialog popup that says "FIDO Confirm Register" yes/no. If you are not seeing that then either you don't have a GUI pinentry installed or you are running tpm-fido in a context where it doesn't have access to your X11/Wayland session (like via sudo).

2) Once you see that dialog and try to register, that specific site will reject tpm-fido as an unsupported key. That's because tpm-fido currently only implements FIDO1 and that site requires FIDO2 (specifically resident keys). I'd like to support FIDO2 but it's fairly low-priority work for me right now.

If you want to test tpm-fido against a site that will work you can use https://webauthn.io/

lachesis commented 1 year ago

Ahh you are correct, I was running with sudo, though I was sudo'ing as my own user. I was being lazy to avoid the logout to update my groups. If I run with sudo -E instead, it works as expected.

As for FIDO2 vs FIDO1, which one does Google's Passkey implementation use? It seems like that will be the major driver for using this module and other similar ones.

psanford commented 1 year ago

Passkeys are built on top of FIDO2.

imsys commented 11 months ago

I got the same problem, so I debugged a bit, just note that I have little experience with golang.

https://github.com/psanford/tpm-fido/blob/5f8828b82b58f9badeed65718fca72bc31358c5c/pinentry/pinentry.go#L113C3-L113C3

go func() {
    err := p.Confirm()           // spawns pinentry and waits for the user's answer
    promptResult <- err == nil   // only a nil error counts as confirmed presence
}()

There is the line FindPinentryGUIPath() that gives preference to pinentry-gnome3; the way I fixed it was by changing it to just pinentry. Others like pinentry-qt also work.

I'm using Manjaro and kde-plasma.

So, the results of the debugging:

cmd: /usr/bin/pinentry-gnome3

nothing shows up

p.Confirm() -> err: pinentry: inappropriate ioctl for device 
-> promptResult: false

cmd: /usr/bin/pinentry or pinentry-qt

window shows up

if I click on Cancel, I get: (no problem, but just to help debug)

p.Confirm() -> err: malformed ERR arguments
-> promptResult: false

if I click on Ok

p.Confirm() -> err: %!s(<nil>)
p.Confirm() -> promptResult: true

$ ls /usr/bin/pinentry*
/usr/bin/pinentry
/usr/bin/pinentry-curses
/usr/bin/pinentry-emacs
/usr/bin/pinentry-gnome3
/usr/bin/pinentry-gtk-2
/usr/bin/pinentry-qt
/usr/bin/pinentry-tty

I also tested running echo "CONFIRM" | pinentry-gnome3 manually. This test shows a popup, but when running from golang, it doesn't work.

I also tested the others. Interestingly, pinentry-gtk-2 worked for me. pinentry-curses gave the same inappropriate ioctl error, and pinentry-tty just gives a pinentry: not confirmed.

And yes, I was testing using sudo ./tpm-fido, I also tried using -E but that didn't make a difference.
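To make the exchange being debugged above concrete, here is an added example (not tpm-fido's own code) of a minimal Assuan driver for pinentry's CONFIRM: it reads the greeting, sends SETDESC and CONFIRM, and treats anything other than a final OK (cancel, a malformed ERR line, or EOF when pinentry dies without a GUI session) as "no presence". It takes the process's stdin/stdout as io.Writer/io.Reader so it can be exercised against a constructed transcript; spawning the chosen pinentry binary with os/exec is left to the caller, and the names readReply, confirmOver and the "FIDO Confirm Register" text are assumptions.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"strings"
)

// readReply reads Assuan lines from pinentry until the final OK or ERR. EOF means
// pinentry exited without answering (e.g. it could not reach a GUI session).
func readReply(r *bufio.Reader) error {
	for { // loops past "S ..." status and "# ..." comment lines
		line, err := r.ReadString('\n')
		if err != nil {
			return fmt.Errorf("pinentry: no final reply: %w", err)
		}
		line = strings.TrimRight(line, "\r\n")
		if line == "OK" || strings.HasPrefix(line, "OK ") {
			return nil
		}
		if strings.HasPrefix(line, "ERR ") {
			p := strings.SplitN(line, " ", 3) // ERR <code> <description>
			if len(p) < 3 {
				return fmt.Errorf("pinentry: malformed ERR arguments")
			}
			return fmt.Errorf("pinentry: %s (code %s)", p[2], p[1])
		}
	}
}

// confirmOver drives the presence dialog: greeting, SETDESC, CONFIRM. nil means
// the user pressed OK; any error (cancel, malformed reply, EOF) is "no presence".
func confirmOver(in io.Writer, out io.Reader, desc string) error {
	r := bufio.NewReader(out)
	for _, c := range []string{"", "SETDESC " + desc, "CONFIRM"} {
		if c != "" {
			fmt.Fprintln(in, c)
		}
		if err := readReply(r); err != nil {
			return err
		}
	}
	return nil
}

func main() {
	out := strings.NewReader("OK Pleased to meet you\nOK\nERR 83886179 Operation cancelled <Pinentry>\n") // constructed: user cancels
	fmt.Println(confirmOver(io.Discard, out, "FIDO Confirm Register"))
}
```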

pavinjosdev commented 3 months ago

@psanford Any plans to add FIDO2 support soon?