Merge release branch 1.2.6

.github/workflows/windows-x64.yml

@@ -15,17 +15,16 @@ jobs:
       - uses: actions/checkout@v1
       - uses: actions/setup-python@v1
         with:
-          python-version: '3.11.1'
+          python-version: '3.11.8'
           architecture: 'x64'
 
       - name: Install Qt
-        uses: jurplel/install-qt-action@v2.10.0
+        uses: jurplel/install-qt-action@v3
         with:
           version: '5.14.1'
           host: 'windows'
           target: 'desktop'
           arch: 'win64_msvc2017_64'
-          aqtversion: '==0.9.7'
 
       - name: Download dependencies
         run: |

.github/workflows/windows-x86.yml

@@ -15,17 +15,16 @@ jobs:
       - uses: actions/checkout@v1
       - uses: actions/setup-python@v1
         with:
-          python-version: '3.11.1'
+          python-version: '3.11.8'
           architecture: 'x86'
 
       - name: Install Qt
-        uses: jurplel/install-qt-action@v2.10.0
+        uses: jurplel/install-qt-action@v3
         with:
           version: '5.14.1'
           host: 'windows'
           target: 'desktop'
           arch: 'win32_msvc2017'
-          aqtversion: '==0.9.7'
 
       - name: Download dependencies
         run: |

NEWS

@@ -1,3 +1,7 @@
+* Version 1.2.6 (released 2024-04-04)
+ ** Windows-only security fix, see advisory:
+    https://www.yubico.com/support/security-advisories/ysa-2024-01/
+
 * Version 1.2.5 (released 2023-02-02)
  ** Compatibility update for ykman 5.0.1.
  ** Update to Python 3.11.

requirements.txt

@@ -1 +1,2 @@
-yubikey-manager==5.0.1
+yubikey-manager==5.0.1
+cryptography==39.0.0

ykman-cli/ykman-cli.pro

@@ -24,6 +24,12 @@ mac|win32 {
     QMAKE_CLEAN += -r pymodules
 }
 
+win32 {
+    QMAKE_CFLAGS += /guard:cf
+    QMAKE_CXXFLAGS += /guard:cf
+    QMAKE_LFLAGS += /guard:cf
+}
+
 macx {
     pip.commands = python3 -m venv pymodules && source pymodules/bin/activate && pip3 install -r ../requirements.txt && deactivate
 }

ykman-gui/qml/ContentStack.qml

@@ -168,6 +168,14 @@ StackView {
                     callback)
     }
 
+    function otpUrl(url) {
+        copyableConfirmationPopup.show(
+                    qsTr("Upload"), qsTr(
+                        "Complete the upload of your credential by visiting the following URL: %1").arg(
+                        url),
+                    )
+    }
+
     function otpWriteError() {
         snackbarError.show(
                     qsTr("Failed to modify %1. Make sure the YubiKey does not have restricted access.").arg(
@@ -337,6 +345,10 @@ StackView {
         id: confirmationPopup
     }
 
+    CopyableConfirmationPopup {
+        id: copyableConfirmationPopup
+    }
+
     PivPinPopup {
         id: pivPinPopup
     }
@@ -360,4 +372,4 @@ StackView {
     SnackBarError {
         id: snackbarError
     }
-}
+}

ykman-gui/qml/CopyableConfirmationPopup.qml

@@ -0,0 +1,37 @@
+import QtQuick 2.9
+import QtQuick.Controls 2.2
+import QtQuick.Layouts 1.2
+
+InlinePopup {
+
+    property var acceptCallback
+    standardButtons: Dialog.Ok
+    focus: true
+
+    function show(heading, message) {
+        confirmationHeading.text = heading
+        confirmationLbl.text = message
+        open()
+    }
+
+    ColumnLayout {
+        width: parent.width
+        spacing: 20
+        Heading2 {
+            id: confirmationHeading
+            width: parent.width
+            Layout.maximumWidth: parent.width
+        }
+
+        TextInput {
+            id: confirmationLbl
+            wrapMode: Text.WordWrap
+            font.pixelSize: constants.h3
+            color: yubicoBlue
+            selectByMouse: true
+            readOnly: true
+            Layout.maximumWidth: parent.width
+            width: parent.width
+        }    
+    }
+}

ykman-gui/qml/Header.qml

@@ -5,6 +5,7 @@ import QtQuick.Dialogs 1.2
 import QtQuick.Controls.Material 2.2
 
 ColumnLayout {
+
     spacing: 0
     width: app.width
     function activeKeyLbl() {
@@ -19,6 +20,7 @@ ColumnLayout {
         }
     }
 
+
     RowLayout {
         Layout.fillWidth: true
         Layout.alignment: Qt.AlignRight
@@ -33,14 +35,17 @@ ColumnLayout {
                 Layout.alignment: Qt.AlignRight | Qt.AlignVCenter
                 color: yubicoBlue
                 font.pixelSize: constants.h4
-            }
+            }   
             CustomButton {
+
                 flat: true
                 text: qsTr("Help")
                 Layout.alignment: Qt.AlignRight | Qt.AlignVCenter
                 iconSource: "../images/help.svg"
                 toolTipText: qsTr("Visit Yubico Support in your web browser")
-                onClicked: Qt.openUrlExternally("https://www.yubico.com/kb")
+                onClicked: yubiKey.isWinAdmin ? helpPopup.show(
+                    qsTr("Help"), qsTr(
+                        "Visit the following URL for support with YubiKey Manager: https://www.yubico.com/kb")) : Qt.openUrlExternally("https://www.yubico.com/kb")
                 font.pixelSize: constants.h4
             }
             CustomButton {
@@ -52,6 +57,8 @@ ColumnLayout {
                 onClicked: aboutPage.open()
                 font.pixelSize: constants.h4
             }
+
+
         }
     }
 
@@ -134,4 +141,4 @@ ColumnLayout {
         Layout.fillHeight: true
         color: yubicoGreen
     }
-}
+}

ykman-gui/qml/OtpYubiOtpView.qml

@@ -5,6 +5,8 @@ import "slotutils.js" as SlotUtils
 import QtQuick.Controls.Material 2.2
 
 ColumnLayout {
+    property bool upload
+    property string url
 
     function useSerial() {
         if (useSerialCb.checked) {
@@ -40,12 +42,21 @@ ColumnLayout {
                            enableUpload.checked, function (resp) {
                                if (resp.success) {
                                    if (resp.upload_url) {
-                                       if (Qt.openUrlExternally(resp.upload_url)) {
-                                           snackbarSuccess.show(qsTr("Configured Yubico OTP credential. Preparing upload in web browser."))
-                                           views.otp()
-                                       } else {
-                                           snackbarError.show(qsTr("Configured Yubico OTP credential. Failed to open upload in web browser!"))
-                                       }
+                                        if (yubiKey.isWinAdmin) {
+                                            upload = true
+                                            url = resp.upload_url
+                                            otpUrl(url, views.otp())
+
+                                            views.otp()
+                                        } else {
+                                            if (Qt.openUrlExternally(resp.upload_url)) {
+                                               snackbarSuccess.show(qsTr("Configured Yubico OTP credential. Preparing upload in web browser."))
+                                               views.otp()
+                                           } else {
+                                               snackbarError.show(qsTr("Configured Yubico OTP credential. Failed to open upload in web browser!"))
+                                           }
+                                        }
+
                                    } else {
                                        snackbarSuccess.show(
                                                qsTr("Configured Yubico OTP credential"))
@@ -180,34 +191,33 @@ ColumnLayout {
                 flat: true
                 Layout.alignment: Qt.AlignLeft | Qt.AlignBottom
             }
-
             Row {
                 id: row
                 spacing: 5
                 Layout.alignment: Qt.AlignRight | Qt.AlignBottom
                 CheckBox {
                     id: enableUpload
-                text: qsTr("Upload")
-                Layout.alignment: Qt.AlignRight | Qt.AlignBottom
-                ToolTip.delay: 1000
-                font.pixelSize: constants.h3
-                ToolTip.visible: hovered
-                ToolTip.text: qsTr("Upload credential to YubiCloud (opens a web browser)")
-                Material.foreground: yubicoBlue
-            }
+                    text: qsTr("Upload")
+                    Layout.alignment: Qt.AlignRight | Qt.AlignBottom
+                    ToolTip.delay: 1000
+                    font.pixelSize: constants.h3
+                    ToolTip.visible: hovered
+                    ToolTip.text: qsTr("Upload credential to YubiCloud (opens a web browser)")
+                    Material.foreground: yubicoBlue
+                }
 
-            FinishButton {
+                FinishButton {
 
-                onClicked:  finish()
-                enabled: publicIdInput.acceptableInput
-                           && privateIdInput.acceptableInput
-                           && secretKeyInput.acceptableInput
-                toolTipText: qsTr("Finish and write the configuration to the YubiKey")
-                Layout.alignment: Qt.AlignRight | Qt.AlignBottom
-            }
+                    onClicked:  finish()
+                    enabled: publicIdInput.acceptableInput
+                               && privateIdInput.acceptableInput
+                               && secretKeyInput.acceptableInput
+                    toolTipText: qsTr("Finish and write the configuration to the YubiKey")
+                    Layout.alignment: Qt.AlignRight | Qt.AlignBottom
+                }
 
             }
 
         }
     }
-}
+}

ykman-gui/qml/YubiKey.qml

@@ -13,6 +13,7 @@ Python {
     property string serial
     property bool canWriteConfig
     property bool configurationLocked
+    property bool isWinAdmin: true
 
     property var applicationsEnabledOverUsb: []
     property var applicationsEnabledOverNfc: []
@@ -77,6 +78,16 @@ Python {
             path = path + '/pymodules'
         }
 
+        if (Qt.platform.os === "windows") {
+            importModule('ctypes', function () {
+                call('ctypes.windll.shell32.IsUserAnAdmin', [], function (res) {
+                    isWinAdmin = (res === 1)
+                })
+            })
+        } else {
+            isWinAdmin = false
+        }
+
         importModule('site', function () {
             call('site.addsitedir', [path], function () {
                 addImportPath(urlPrefix + '/py')

ykman-gui/qml/main.qml

@@ -143,4 +143,8 @@ ApplicationWindow {
     AboutPagePopup {
         id: aboutPage
     }
+
+    CopyableConfirmationPopup {
+        id: helpPopup
+    }
 }

ykman-gui/ykman-gui.pro

@@ -5,12 +5,12 @@ SOURCES += main.cpp
 
 # This is the internal verson number, Windows requires 4 digits.
 win32|win64 {
-    VERSION = 1.2.5.0
+    VERSION = 1.2.6.0
 } else {
-    VERSION = 1.2.5
+    VERSION = 1.2.6
 }
 # This is the version shown on the About page
-DEFINES += APP_VERSION=\\\"1.2.5\\\"
+DEFINES += APP_VERSION=\\\"1.2.6\\\"
 
 message(Version of this build: $$VERSION)
 
@@ -42,6 +42,12 @@ macx {
     pip.commands = pip3 install -r ../requirements.txt --target pymodules
 }
 
+win32 {
+    QMAKE_CFLAGS += /guard:cf
+    QMAKE_CXXFLAGS += /guard:cf
+    QMAKE_LFLAGS += /guard:cf
+}
+
 # Default rules for deployment.
 include(deployment.pri)