linux-credentials · iinuwa · Jan 23, 2026 · Jan 23, 2026 · Jan 23, 2026 · Jan 23, 2026
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
@@ -28,7 +28,6 @@ jobs:
           workspaces: ". -> build/target"
           cache-workspace-crates: true
 
-
       - name: Update apt cache
         run: sudo apt update
       - name: Install system dependencies
@@ -45,7 +44,7 @@ jobs:
           # Newer version needed for --interactive flag needed below
           python3 -m pip install --user -v 'meson==1.5.0'
       - name: Setup meson project
-        run: meson setup -Dprofile=development build
+        run: meson setup -Dprofile=development -Dcargo_locked=true build
 
       - name: Build
         run: ninja -C build

diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -7,8 +7,6 @@ lto = true
 
 [workspace.dependencies]
 futures-lite = "2.6.0"
-# libwebauthn = "0.2"
-libwebauthn = { git = "https://github.com/linux-credentials/libwebauthn.git", rev="9e4e5d7", features = ["libnfc","pcsc"] }
 serde = { version = "1.0.219", features = ["derive"] }
 tracing = "0.1.41"
 tracing-subscriber = "0.3.19"

diff --git a/credentialsd-common/Cargo.toml b/credentialsd-common/Cargo.toml
@@ -7,6 +7,5 @@ license = "LGPL-3.0-only"
 
 [dependencies]
 futures-lite.workspace = true
-libwebauthn.workspace = true
 serde = { workspace = true, features = ["derive"] }
 zvariant.workspace = true
diff --git a/credentialsd-common/meson.build b/credentialsd-common/meson.build
@@ -8,7 +8,9 @@ cargo_options = [
   '--manifest-path', meson.project_source_root() / meson.current_source_dir() / 'Cargo.toml',
 ]
 cargo_options += ['--target-dir', cargo_target_dir]
-cargo_options += '--locked'
+if get_option('cargo_locked') == true
+  cargo_options += '--locked'
+endif
 if get_option('cargo_offline') == true
   cargo_options += ['--offline']
 endif

diff --git a/credentialsd-common/src/model.rs b/credentialsd-common/src/model.rs
@@ -3,87 +3,13 @@ use std::{fmt::Display, path::PathBuf};
 use serde::{Deserialize, Serialize};
 use zvariant::{SerializeDict, Type};
 
-pub use libwebauthn::ops::webauthn::{
-    Assertion, GetAssertionRequest, MakeCredentialRequest, MakeCredentialResponse,
-};
-
 #[derive(Clone, Debug, Default, Serialize, Deserialize)]
 pub struct Credential {
     pub id: String,
     pub name: String,
     pub username: Option<String>,
 }
 
-#[derive(Clone, Debug)]
-pub enum CredentialRequest {
-    CreatePublicKeyCredentialRequest(MakeCredentialRequest),
-    GetPublicKeyCredentialRequest(GetAssertionRequest),
-}
-
-#[derive(Clone, Debug)]
-pub enum CredentialResponse {
-    CreatePublicKeyCredentialResponse(Box<MakeCredentialResponseInternal>),
-    GetPublicKeyCredentialResponse(Box<GetAssertionResponseInternal>),
-}
-
-impl CredentialResponse {
-    pub fn from_make_credential(
-        response: &MakeCredentialResponse,
-        transports: &[&str],
-        modality: &str,
-    ) -> CredentialResponse {
-        CredentialResponse::CreatePublicKeyCredentialResponse(Box::new(
-            MakeCredentialResponseInternal::new(
-                response.clone(),
-                transports.iter().map(|s| s.to_string()).collect(),
-                modality.to_string(),
-            ),
-        ))
-    }
-
-    pub fn from_get_assertion(assertion: &Assertion, modality: &str) -> CredentialResponse {
-        CredentialResponse::GetPublicKeyCredentialResponse(Box::new(
-            GetAssertionResponseInternal::new(assertion.clone(), modality.to_string()),
-        ))
-    }
-}
-
-#[derive(Clone, Debug)]
-pub struct MakeCredentialResponseInternal {
-    pub ctap: MakeCredentialResponse,
-    pub transport: Vec<String>,
-    pub attachment_modality: String,
-}
-
-impl MakeCredentialResponseInternal {
-    pub fn new(
-        response: MakeCredentialResponse,
-        transport: Vec<String>,
-        attachment_modality: String,
-    ) -> Self {
-        Self {
-            ctap: response,
-            transport,
-            attachment_modality,
-        }
-    }
-}
-
-#[derive(Clone, Debug)]
-pub struct GetAssertionResponseInternal {
-    pub ctap: Assertion,
-    pub attachment_modality: String,
-}
-
-impl GetAssertionResponseInternal {
-    pub fn new(ctap: Assertion, attachment_modality: String) -> Self {
-        Self {
-            ctap,
-            attachment_modality,
-        }
-    }
-}
-
 #[derive(SerializeDict, Type)]
 #[zvariant(signature = "dict", rename_all = "camelCase")]
 pub struct GetClientCapabilitiesResponse {

diff --git a/credentialsd-ui/meson.build b/credentialsd-ui/meson.build
@@ -65,7 +65,9 @@ cargo_options = [
   '--manifest-path', meson.project_source_root() / gui_source_dir / 'Cargo.toml',
 ]
 cargo_options += ['--target-dir', cargo_target_dir]
-cargo_options += '--locked'
+if get_option('cargo_locked') == true
+  cargo_options += '--locked'
+endif
 if get_option('cargo_offline') == true
   cargo_options += ['--offline']
 endif

diff --git a/credentialsd/Cargo.toml b/credentialsd/Cargo.toml
@@ -10,14 +10,13 @@ async-stream = "0.3.6"
 base64 = "0.22.1"
 credentialsd-common = { path = "../credentialsd-common" }
 futures-lite.workspace = true
-libwebauthn.workspace = true
+libwebauthn = { git = "https://github.com/linux-credentials/libwebauthn.git", rev="80545bff16c4e89a930221e90d3141a76303b84b", features = ["libnfc","pcsc"] }
 # TODO: split nfc and pcsc into separate features
 # Also, 0.6.1 fails to build with non-vendored library.
 # https://github.com/alexrsagen/rs-nfc1/issues/15
 nfc1 = { version = "=0.6.0", default-features = false }
 rand = "0.9.2"
 ring = "0.17.14"
-rustls = { version = "0.23.27", default-features = false, features = ["std", "tls12", "ring", "log", "logging", "prefer-post-quantum"] }
 serde.workspace = true
 serde_json = "1.0.140"
 tokio = { version = "1.45.0", features = ["rt-multi-thread"] }

diff --git a/credentialsd/meson.build b/credentialsd/meson.build
@@ -48,7 +48,9 @@ cargo_options = [
 cargo_options += [
   '--target-dir', cargo_target_dir,
 ]
-cargo_options += '--locked'
+if get_option('cargo_locked') == true
+  cargo_options += '--locked'
+endif
 if get_option('cargo_offline') == true
   cargo_options += ['--offline']
 endif

diff --git a/credentialsd/src/credential_service/hybrid.rs b/credentialsd/src/credential_service/hybrid.rs
@@ -12,7 +12,9 @@ use libwebauthn::transport::cable::qr_code_device::{CableQrCodeDevice, QrCodeOpe
 use libwebauthn::transport::{Channel, Device};
 use libwebauthn::webauthn::{Error as WebAuthnError, WebAuthn};
 
-use credentialsd_common::model::{CredentialRequest, Error};
+use credentialsd_common::model::Error;
+
+use crate::model::CredentialRequest;
 
 use super::AuthenticatorResponse;
 
@@ -262,7 +264,7 @@ pub(super) mod test {
         proto::ctap2::{Ctap2PublicKeyCredentialDescriptor, Ctap2Transport},
     };
 
-    use credentialsd_common::model::CredentialRequest;
+    use crate::model::CredentialRequest;
 
     use super::{HybridEvent, HybridHandler, HybridStateInternal};
     #[derive(Debug)]

diff --git a/credentialsd/src/credential_service/mod.rs b/credentialsd/src/credential_service/mod.rs
@@ -20,14 +20,14 @@ use nfc::{NfcEvent, NfcHandler, NfcState, NfcStateInternal};
 use tokio::sync::oneshot::Sender;
 
 use credentialsd_common::{
-    model::{
-        CredentialRequest, CredentialResponse, Device, Error as CredentialServiceError, Operation,
-        RequestingApplication, Transport,
-    },
+    model::{Device, Error as CredentialServiceError, Operation, RequestingApplication, Transport},
     server::{RequestId, ViewRequest, WindowHandle},
 };
 
-use crate::credential_service::{hybrid::HybridEvent, usb::UsbEvent};
+use crate::{
+    credential_service::{hybrid::HybridEvent, usb::UsbEvent},
+    model::{CredentialRequest, CredentialResponse},
+};
 
 use self::{
     hybrid::{HybridHandler, HybridState, HybridStateInternal},
@@ -378,7 +378,9 @@ mod test {
     use std::{sync::Arc, time::Duration};
 
     use libwebauthn::{
-        ops::webauthn::{ResidentKeyRequirement, UserVerificationRequirement},
+        ops::webauthn::{
+            MakeCredentialRequest, ResidentKeyRequirement, UserVerificationRequirement,
+        },
         proto::ctap2::{
             Ctap2COSEAlgorithmIdentifier, Ctap2CredentialType, Ctap2PublicKeyCredentialRpEntity,
             Ctap2PublicKeyCredentialType, Ctap2PublicKeyCredentialUserEntity,
@@ -389,9 +391,10 @@ mod test {
     use crate::{
         credential_service::usb::InProcessUsbHandler,
         dbus::test::{DummyFlowServer, DummyUiServer},
+        model::CredentialRequest,
         webauthn,
     };
-    use credentialsd_common::model::{CredentialRequest, MakeCredentialRequest, Operation};
+    use credentialsd_common::model::Operation;
 
     use super::{
         hybrid::{test::DummyHybridHandler, HybridStateInternal},

diff --git a/credentialsd/src/credential_service/nfc.rs b/credentialsd/src/credential_service/nfc.rs
@@ -14,9 +14,9 @@ use tokio::sync::broadcast;
 use tokio::sync::mpsc::{self, Receiver, Sender, WeakSender};
 use tracing::{debug, warn};
 
-use credentialsd_common::model::{
-    Credential, CredentialRequest, Error, GetAssertionResponseInternal,
-};
+use credentialsd_common::model::{Credential, Error};
+
+use crate::model::{CredentialRequest, GetAssertionResponseInternal};
 
 use super::{AuthenticatorResponse, CredentialResponse};
 

diff --git a/credentialsd/src/credential_service/usb.rs b/credentialsd/src/credential_service/usb.rs
@@ -17,9 +17,9 @@ use tokio::sync::broadcast;
 use tokio::sync::mpsc::{self, Receiver, Sender, WeakSender};
 use tracing::{debug, warn};
 
-use credentialsd_common::model::{
-    Credential, CredentialRequest, Error, GetAssertionResponseInternal,
-};
+use credentialsd_common::model::{Credential, Error};
+
+use crate::model::{CredentialRequest, GetAssertionResponseInternal};
 
 use super::{AuthenticatorResponse, CredentialResponse};