The project which was about as fun as fucking a cactus
Do you ever get those ideas that you think would be easy, but then it becomes a massive pain to deal with due to outside factors?
Well, this is such a project.
As an aside, it's rather long and rambly for Tumblr standards, so it's under a read more.
Want to read more about it? Well, okay then.
You see, the Raspberry Pi Pico 2, alongside the various boards and clones based on the RP2350 series chips, has a level of security that makes it good for one project in particular: converting it into an authenticator tool for FIDO and FIDO2.
Now, to do this, firmware exists called PicoKeys, that, until recently, was pretty simple. Download, drag it onto the Pico, set it up through the configurator on the website, and off you go. Easy, right?
Well.. no FOSS project is immune from the flights of fancy of a core developer. This is no exception.
You see, the guy either lost the plot, or decided to refactor the entire project.. without warning, without doing it on a separate repo, and completely and utterly messed it up for everyone involved. Leaving everyone in the lurch without a way out!
Fortunately, I was able to rescue the last known good copy of the repo that he had, and copied it over to a Git forge run by a friend, alongside the libraries needed. So I could have both FIDO/2 and OpenPGP (which really shouldn't be used at this point, but people are resistant to change, even if it makes things easier), much like commercial offerings. So, I compiled it with Secure Boot, to protect the firmware from attack. This was confusing at first, but I got the hang of it in the end. Good.
Now, we run into a major problem. You see, the guy deleted the configurator off the site, and to make matters worse, had a Python configuration library, but deleted it when people started using it, which makes me wonder if he's trying to pull the plug on the project.
Someone had the foresight to mirror it, which I also promptly did, and downloaded and installed the library, alongside the configuration tool. It was at that point I ran into a roadblock.
With the default dummy VID and PID (USB descriptors), I wasn't able to configure it using the tool. If it did have a valid set, then it worked. Yet I was able to bypass it with Windows. I didn't want to rely on Windows though, so I tried to find another solution.
Thankfully, the Internet Archive had a copy of the tool on the Wayback Machine before the guy went rogue, so I was able to patch the PID and VID for it to work. This would go some way to explain why the politicos want to destroy it.
So I got it working in the end.
Fuck me.
















