Hey, I have a Nitrokey Fido2, and a while back I tried to upgrade the firmware with pynitrokey on Linux; however, the upgrade failed despite me having the appropriate udev rules set on my machine. Here is the log output:
2823 DEBUG root print: After update version check...
72824 DEBUG fido2.hid.linux Skip device: [Errno 13] Permission denied: '/dev/hidraw1'
72824 DEBUG fido2.hid.linux Skip device: [Errno 13] Permission denied: '/dev/hidraw0'
73080 DEBUG fido2.hid.linux Found CTAP device: /dev/hidraw3
73080 DEBUG fido2.hid.linux Skip device: [Errno 13] Permission denied: '/dev/hidraw1'
73080 DEBUG fido2.hid.linux Skip device: [Errno 13] Permission denied: '/dev/hidraw0'
73137 DEBUG fido2.hid SEND: ffffffff86000815307c0609645017
Later I found out about https://update.nitrokey.com; however, that also fails to help me update, and thus unbrick, my Nitrokey Fido2. It stops at this screen:
What is the umask for user root on your system?
The default udev rules lack MODE="0664" so if the system umask is tightened (e.g. disallowing access by other users by default), it does not get set properly by udev and you might not have access to /dev/hidraw* as is also indicated by the error message. Without access, the update cannot continue.
My root user’s umask is 0022, at least that is what the output is when I type umask as root. Also, I am unfamiliar with udev in Linux to be honest, so I don’t know how to set that rule. I do not even understand what it does - much less what it is. I downloaded the udev rules from https://raw.githubusercontent.com/Nitrokey/libnitrokey/master/data/41-nitrokey.rules, and put them in my udev directory at
That is a rather default umask and should work. Also read the rules you mentioned and it uses uaccess which is another mechanism to provide access to hidraw devices besides user and group permissions.
Then I guess that pynitrokey does not properly resume update. Someone from Nitrokey might have some insights about the Nitrokey FIDO2 update whether it can be resumed like e.g. Nitrokey 3. You could write to firstname.lastname@example.org.
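The replies above name three ways a udev rule can open a hidraw node to a non-root user: MODE, GROUP and the uaccess tag. The following is an added example, not part of the thread and not Nitrokey's code, that audits a rules file for which of these each hidraw rule uses. The sample rules, the vendor/product IDs and the function name are constructed for illustration.

```python
import re

# One udev key/operator/value triple, e.g. KERNEL=="hidraw*" or TAG+="uaccess".
TOKEN = re.compile(r'([A-Z_]+(?:\{[^}]*\})?)\s*(==|!=|\+=|-=|:=|=)\s*"([^"]*)"')

# Constructed sample rules (NOT the contents of 41-nitrokey.rules); the
# vendor/product IDs are placeholders.
SAMPLE_RULES = '''\
# constructed example
KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="1234", ATTRS{idProduct}=="abcd", TAG+="uaccess"
KERNEL=="hidraw*", ATTRS{idVendor}=="1234", ATTRS{idProduct}=="abce", \\
    MODE="0660", GROUP="plugdev"
KERNEL=="hidraw*", ATTRS{idVendor}=="1234", ATTRS{idProduct}=="abcf", SYMLINK+="token"
SUBSYSTEM=="usb", ATTRS{idVendor}=="1234", MODE="0666"
'''

def audit_hidraw_rules(text, filename="41-example.rules"):
    """Report who gets read/write access from each rule that matches hidraw nodes."""
    findings = []
    for rule in text.replace("\\\n", " ").splitlines():  # join continued lines
        tokens = TOKEN.findall(rule) if not rule.lstrip().startswith("#") else []
        if not any(op == "==" and k in ("KERNEL", "SUBSYSTEM") and v.startswith("hidraw")
                   for k, op, v in tokens):
            continue
        assigned = {k: v for k, op, v in tokens if op in ("=", ":=")}
        tags = {v for k, op, v in tokens if k == "TAG" and op in ("=", "+=")}
        mode = int(assigned["MODE"], 8) if "MODE" in assigned else None
        who = []
        # uaccess is only honoured if the file sorts before 73-seat-late.rules.
        if "uaccess" in tags and filename < "73-seat-late.rules":
            who.append("active-session user (ACL)")
        # A FIDO token needs read AND write on the node, so test both bits.
        if mode is not None and mode & 0o060 == 0o060 and "GROUP" in assigned:
            who.append("group " + assigned["GROUP"])
        if mode is not None and mode & 0o006 == 0o006:
            who.append("everyone")
        # Assumption: with no grant, the node keeps the default root-only access.
        findings.append({"rule": rule.strip(), "read_write": who or ["root only"]})
    return findings

if __name__ == "__main__":
    for finding in audit_hidraw_rules(SAMPLE_RULES):
        print(finding["read_write"], "<-", finding["rule"])
```

To check an installed file, pass its text together with its file name, since the name decides whether the uaccess tag is processed in time.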
The Nitrokey Fido2 erases the firmware before installing the new firmware. Also it stays in bootloader mode until a valid firmware image gets flashed. This is per the Nitrokey Fido2 Documentation. Also, I did write to Nitrokey support before coming to the forum, but I have yet to receive a reply from them.
- I do not see any error messages - can you make a screenshot when it fails in the browser?
Ideal would be a log from the console
nitropy, the pasted messages are correct and expected - only one CTAP device is found and connectable. What about the other lines?
Please make sure your pynitrokey is up to date. What version do you use?
Here is a picture of the webupdate page. Additionally, I am using whatever version of PyNitrokey I had installed via pip on Arch Linux. I do not have access to that computer at the moment so I cannot check.
Below is a workaround for this problem: