Release Notes

  • Version 3.1.0 (released 2019-08-20)

    • Add support for YubiKey 5Ci

    • OpenPGP: the info command now prints OpenPGP specification version as well

    • OpenPGP: Update support for attestation to match OpenPGP v3.4

    • PIV: Use UTC time for self-signed certificates

    • OTP: Static password now supports the Norman keyboard layout

  • Version 3.0.0 (released 2019-06-24)

    • Add support for new YubiKey Preview and lightning form factor

    • FIDO: Support for credential management

    • OpenPGP: Support for OpenPGP attestation, cardholder certificates and cached touch policies

    • OTP: Add flag for using numeric keypad when sending digits

  • Version 2.1.1 (released 2019-05-28)

    • OTP: Add initial support for uploading Yubico OTP credentials to YubiCloud

    • Don’t automatically select the U2F applet on YubiKey NEO, it might be blocked by the OS

    • ChalResp: Always pad challenge correctly

    • Bugfix: Don’t crash with older versions of cryptography

    • Bugfix: Password was always prompted in OATH command, even if sent as argument

  • Version 2.1.0 (released 2019-03-11)

    • Add --reader flag to ykman list, to list available smart card readers

    • FIPS: Checking if a YubiKey FIPS is in FIPS mode is now opt-in, with the --check-fips flag

    • PIV: Add commands for writing and reading arbitrary PIV objects

    • PIV: Verify that the PIN must be between 6 - 8 characters long

    • PIV: In import-certificate, make the verification that the certificate and private key matches opt-in, with the --verify flag

    • PIV: The piv info command now shows the serial number of the certificates

    • PIV: The piv info command now shows the full Distinguished Name (DN) of the certificate subject and issuer, if possible

    • PIV: Malformed certificates are now handled better

    • OpenPGP: The openpgp touch command now shows current touch policies

    • The ykman usb/nfc config command now accepts openpgp as well as opgp as an argument

    • Bugfix: Fix support for german (DE) keyboard layout for static passwords

  • Version 2.0.0 (released 2019-01-09)

    • Add support for Security Key NFC

    • Add experimental support for external smart card reader. See --reader flag

    • Add a minimal manpage

    • Add examples in help texts

    • PIV: update CHUID when importing a certificate

    • PIV: Optionally validate that private key and certificate match when importing a certificate (on by default in CLI)

    • PIV: Improve support for importing certificate chains and .PEM files with comments

    • Breaking API changes:

      • Merge CCID status word constants into a single SW enum in ykman.driver_ccid

      • Throw custom exception types instead of raw APDUErrors from many methods of PivController

      • Write CLI prompts to standard error instead of standard output

      • Replace function ykman.util.parse_certificate with parse_certificates which returns a list

  • Version 1.0.1 (released 2018-10-10)

    • Support for YubiKey 5A

    • OATH: Ignore extra parameters in URI parsing

    • Bugfix: Never say that NFC is supported for YubiKeys without NFC

  • Version 1.0.0 (released 2018-09-24)

    • Add support for YubiKey 5 Series

    • Config: Add flag to generate a random configuration lock

    • OATH: Give a proper error message when a touch credential times out

    • NDEF: Allow setting the NDEF prefix from the CLI

    • FIDO: Block reset when multiple YubiKeys are connected

  • Version 0.7.1 (released 2018-07-09)

    • Support for YubiKey FIPS.

    • OTP: Allow setting and removing access codes on the slots.

    • Interfaces: set-lock-code now only accepts hexadecimal inputs.

    • Bugfix: Don’t fail to open the YubiKey when the serial is not visible.

  • Version 0.7.0 (released 2018-05-07)

    • Support for YubiKey Preview.

    • Add command to configure enabled applications over USB and NFC. See ykman config -h.

    • Add command for selecting which slot to use for NDEF. See ykman otp ndef -h.

  • Version 0.6.1 (released 2018-04-16)

    • Support for YubiKeys with FIDO2. See ykman fido -h

    • Report the form factor for YubiKeys that support it.

    • OTP: slot command is now called otp. See ykman otp -h for all changes.

    • Static password: Add support for different keyboard layouts. See ykman otp static -h

    • PIV: Signatures for CSRs are now correct.

    • PIV: Commands on slots with PIN policy ALWAYS no longer fail if the YubiKey has a management key protected by PIN.

    • Mode: The U2F mode is now called FIDO.

    • Dependencies: libu2f-host is no longer used for FIDO communication over USB, instead the python library fido2 is used.

  • Version 0.6.0 (released 2018-02-09)

    • OpenPGP: Expose remaining PIN retries in info command and API.

    • CCID: Only try YubiKey smart card readers by default.

    • Handle NEO issues with challenge-response credentials better.

    • Improve logging.

    • Improve error handling when opening device over OTP.

    • Bugfix: Fix adding OTP data through the interactive prompt.

  • Version 0.5.0 (released 2017-12-15)

    • API breaking changes:

      • OATH: New API more similar to yubioath-android

    • CLI breaking changes:

      • OATH: Touch prompt now written to stderr instead of stdout

      • OATH: -a|--algorithm option to list command removed

      • OATH: Columns in code command are now dynamically spaced depending on contents

      • OATH: delete command now requires confirmation or -f|--force argument

      • OATH: IDs printed by list command now include TOTP period if not 30

      • Changed outputs:

        • INFO: "Device name" output changed to "Device type"

        • PIV: "Management key is stored on device" output changed to "Management key is stored on the YubiKey"

        • PIV: "All PIV data have been cleared from the device" output changed to "All PIV data have been cleared from your YubiKey"

        • PIV: "The current management key is stored on the device" prompt changed to "The current management key is stored on the YubiKey"

        • SLOT: "blank to use device serial" prompt changed to "blank to use YubiKey serial number"

        • SLOT: "Using device serial" output changed to "Using YubiKey device serial"

        • Lots of failure case outputs changed

    • New features:

      • Support for multiple devices via new top-level option -d|--device

      • New top-level option -l|--log-level to enable logging

      • OATH: Support for remembering passwords locally.

      • OATH: New option -s|--single for code command

      • PIV: set-pin-retries command now warns that PIN and PUK will be reset to factory defaults, and prints those defaults after resetting

    • API bug fixes:

      • OATH: valid_from and valid_to for Code are now absolute instead of relative to the credential period

      • OATH: period for non-TOTP Code is now None

  • Version 0.4.6 (released 2017-10-17)

    • Will now attempt to open device 3 times before failing

    • OpenPGP: Don’t say data is removed when not

    • OpenPGP: Don’t swallow APDU errors

    • PIV: Block on-chip RSA key generation for firmware versions 4.2.0 to 4.3.4 (inclusive) since these chips are vulnerable to CVE-2017-15631.

  • Version 0.4.5 (released 2017-09-14)

    • OATH: Don’t print issuer if there is no issuer.

  • Version 0.4.4 (released 2017-09-06)

    • OATH: Fix yet another issue with backwards compatibility, for adding new credentials.

  • Version 0.4.3 (released 2017-09-06)

    • OATH: Fix issue with backwards compatibility, when used as a library.

  • Version 0.4.2 (released 2017-09-05)

    • OATH: Support 7 digit credentials.

    • OATH: Support credentials with a period other than 30 seconds.

    • OATH: The remove command is now called delete.

  • Version 0.4.1 (released 2017-08-10)

    • PIV: Dropped support for deriving a management key from PIN.

    • PIV: Added support for generating a random management key and storing it on the device protected by the PIN.

    • OpenPGP: The reset command now handles a device in terminated state.

    • OATH: Credential filtering is now working properly on Python 2.

  • Version 0.4.0 (released 2017-06-19)

    • Added PIV support. The tool and library now supports most of the PIV functionality found on the YubiKey 4 and NEO. To list the available commands, run ykman piv -h.

    • Mode command now supports adding and removing modes incrementally.

  • Version 0.3.3 (released 2017-05-08)

    • Bugfix: Fix issue with OATH credentials from Steam on YubiKey 4.

  • Version 0.3.2 (released 2017-04-24)

    • Allow access code input through an interactive prompt.

    • Bugfix: Some versions of YubiKey NEO occasionally failed calculating challenge-response credentials with touch.

  • Version 0.3.1 (released 2017-03-13)

    • Allow programming of TOTP credentials in YubiKey Slots using the chalresp command.

    • Add a calculate command (and library support) to perform a challenge-response operation. Can also be used to generate TOTP codes for credentials stored in a slot.

    • OATH: Remove whitespace in secret keys provided by the user.

    • OATH: Prompt the user to touch the YubiKey for HOTP touch credentials.

    • Bugfix: The flag for showing hidden credentials was not working correctly for the oath code command.

  • Version 0.3.0 (released 2017-01-23)

    • OATH functionality added. The tool now exposes the OATH functionality found on the YubiKey 4 and NEO. To list the available commands, run ykman oath -h.

    • Added support for randomly generated static passwords.

  • Version 0.2.0 (released 2016-11-23)

    • Removed all GUI code. This project is now only for the python library and CLI tool. The GUI will be re-released separately in a different project.

    • Added command to update settings for YubiKey Slots.

  • Version 0.1.0 (released 2016-07-07)

    • Initial release for beta testing.