1
0
Fork
You've already forked linux-ctap
0
Linux implementation of CTAP (aka FIDO2 aka u2f aka webauthn aka passkeys) as a virtual device.
  • Go 94.8%
  • Shell 5.2%
Matej Smycka 0eb01f0ee9
chore: go mod tidy
Two checksum lines for github.com/google/go-tpm-tools were missing
from go.sum (indirect dep pulled in by github.com/google/go-tpm).
Re-run go mod tidy to add them so goreleaser's pre-build hook
doesn't dirty the working tree at release time.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026年04月10日 20:11:30 +02:00
.github Add Dependabot configuration file 2025年10月15日 12:28:24 +02:00
attestation ini 2024年05月24日 12:59:49 +02:00
ctap2 feat: correctly handle invalid fingerprint 2026年04月10日 19:59:11 +02:00
fidoauth docs: Update README with CTAP2, fprintd, passkeys, and known issues 2026年03月20日 18:16:56 +01:00
fidohid docs: Update README with CTAP2, fprintd, passkeys, and known issues 2026年03月20日 18:16:56 +01:00
fprintd feat(fprintd): retry up to 3 times on no-match with phantom-signal drain 2026年04月10日 20:00:00 +02:00
internal/lencode ini 2024年05月24日 12:59:49 +02:00
memory fix(memory): derive ECDSA pubkey X/Y from D for Go ≥1.20 SignASN1 2026年04月10日 19:58:48 +02:00
pinentry feat: Add CTAP2, fprintd auth, and migrate to go-tpm non-legacy API 2026年03月20日 17:32:02 +01:00
sitesignatures Feat:Enhance logging 2025年06月11日 17:24:43 +02:00
statuscode docs: Update README with CTAP2, fprintd, passkeys, and known issues 2026年03月20日 18:16:56 +01:00
tpm feat: Add CTAP2, fprintd auth, and migrate to go-tpm non-legacy API 2026年03月20日 17:32:02 +01:00
.gitignore gorelease 2024年05月24日 14:33:12 +02:00
.goreleaser.yaml goreleaser update 2024年12月10日 18:06:53 +01:00
go.mod chore: Upgrade dependencies and add cbor, dbus, go-tpm non-legacy 2026年03月20日 17:32:05 +01:00
go.sum chore: go mod tidy 2026年04月10日 20:11:30 +02:00
install.sh build(install.sh): align with AUR layout (systemd user unit + uaccess) 2026年04月10日 20:02:49 +02:00
LICENSE Update project name and fix key generation 2024年05月24日 13:15:33 +02:00
main.go feat(verifier): cache successful UV for 5s in a wrapper around any backend 2026年04月10日 20:01:41 +02:00
main_test.go feat(verifier): cache successful UV for 5s in a wrapper around any backend 2026年04月10日 20:01:41 +02:00
README.md docs(README): document install workflow + --auth fprintd flag 2026年04月10日 20:03:05 +02:00

Linux-id

Linux-id is FIDO token implementation for Linux that protects the token keys by using your system's TPM. linux-id uses Linux's uhid facility to emulate a USB HID device so that it is properly detected by browsers.

Setup

curl -O https://raw.githubusercontent.com/matejsmycka/linux-id/refs/heads/main/install.sh
chmod +x install.sh
# Read what the script does before running it
./install.sh

To use fingerprint authentication, install with --auth fprintd.

./install.sh --auth fprintd

Non-official

AUR

If you're using an Arch-based system, you can install linux-id from the AUR.

yay -Syy linux-id

https://aur.archlinux.org/packages/linux-id

Test

You can test the installation by visiting https://demo.yubico.com/webauthn-technical/registration and follow fido token enroll and authentication steps.

TPM-FIDO

This project is a fork of Psanford's tpm-fido project. However, after a discussion with the author, I have decided to create a new repository to better reflect the changes I have made.

Differences

  • This project aims to be more accessible to average users.
  • I have updated old methods according to the latest Go standards.
  • Old dependencies (e.g. pinetry) were replaced with updated ones.
  • UX improvements.
  • CTAP2 (biometric) support.

CTAP2 / Passkeys

linux-id supports CTAP2 in addition to CTAP1/U2F, enabling passkey registration and authentication.

Use --auth fprintd for fingerprint authentication (sets UV flag, required by some sites); the default pinentry mode shows a click dialog but does not set UV.

To use fingerprint authentication, run:

./linux-id --auth fprintd

fprintd must be installed and your fingerprint enrolled via fprintd-enroll.

Resident credentials

When a site requests rk=true (resident key), linux-id stores the credential locally at ~/.config/linux-id/creds.json.

Future work

  • Add to linux distro package managers

Implementation details

linux-id uses the TPM 2.0 API. The overall design is as follows:

On registration linux-id generates a new P256 primary key under the Owner hierarchy on the TPM. To ensure that the key is unique per site and registration, linux-id generates a random 20 byte seed for each registration. The primary key template is populated with unique values from a sha256 hkdf of the 20 byte random seed and the application parameter provided by the browser.

A signing child key is then generated from that primary key. The key handle returned to the caller is a concatenation of the child key's public and private key handles and the 20 byte seed.

On an authentication request, linux-id will attempt to load the primary key by initializing the hkdf in the same manner as above. It will then attempt to load the child key from the provided key handle. Any incorrect values or values created by a different TPM will fail to load.

Dependencies

linux-id requires pinentry to be available on the system. If you have gpg installed you most likely already have pinentry.

For fingerprint authentication (--auth fprintd), fprintd must be installed and running.

Pinentry configuration

By default, linux-id tries to find an appropriate pinentry GUI client by checking for various common pinentry implementations. If you encounter issues with pinentry dialogs not appearing or the automatically selected pinentry doesn't work well in your environment, you can specify a specific pinentry binary using the PINENTRY_PATH environment variable:

# Set a specific pinentry program
PINENTRY_PATH=/usr/bin/pinentry-qt5 ./linux-id

You can typically find installed pinentry programs by running ls /usr/bin/pinentry*.

Contributing

Please feel free to open an issue or PR if you have any suggestions or improvements.