Adding this would be nice, sorry for being a pain:
diff --git i/tkey-ssh-agent.install w/tkey-ssh-agent.install
index e3744ce..1c581bf 100644
--- i/tkey-ssh-agent.install
+++ w/tkey-ssh-agent.install
@@ -4,6 +4,6 @@ post_install() {
}
post_upgrade() {
- echo -e "\033[1;33mThis release may change the TKey identity (CDI) compared to $2, i.e., you may not have the same Ed25519 keypair derived."
+ echo -e "\033[1;33mThis release may change the TKey identity (CDI) compared to $2, i.e., you may not have the same Ed25519 keypair derived. For more details see: https://github.com/tillitis/tkeyclient/security/advisories/GHSA-4w7r-3222-8h6v"
}
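Review bot: the message on the changed echo line opens with \033[1;33m and never emits a reset, so the bold-yellow attribute can carry over into whatever the terminal prints after post_upgrade returns; end the string with \033[0m. With the advisory URL appended, the single echo is also getting long, so consider printing the link with a second echo on its own line, which keeps the URL intact when the terminal wraps.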
@dr00tb in any case, what happened here is not an update of the signer.bin -- it is the tkeyclient Go code that has changed. Read the link I posted.
@quite I haven't figured out a way to only present the message when signer.bin is updated, so I thought it was better to present it every time than not at all. Perhaps I'll change the wording to include "might".
@dr00tb thank you for adding that upgrade notice message. Though it is not correct that the private keys will change for all users. It depends on whether the user's USS is "vulnerable", which statistically is 0.39% (1/256). Perhaps you could refer to https://www.tillitis.se/blog/2026/03/17/tkeyclient-advisory/ -- this quote is relevant: "NOTE: If you are affected by the vulnerability your keys will change once you upgrade the app. To get the same keys as before, for instance to register new keys, don’t enter any USS when prompted."
@quite For the first couple of months the tkey-ssh-agent version was not being incremented. I have updated the package, hope it is to your liking.
I find it slightly odd that you chose to use the version of tkey-device-signer as the version of this tkey-ssh-agent package. Hm.