Skip to content
@tillitis

Tillitis AB

README.md

Tillitis

Hello! This is Tillitis AB's Github presence. Tillitis is the maker of the TKey, a new kind of USB security device.

Current Work in Progress

We currently work on FIDO2.

As soon as we have setup a milestone for the FIDO2 release we will publish it so progress can be followed. Meanwhile, check out the fido2-demo repository which contains the demo we showed at SecurityFest 2025.

NB: It's only a demo. Try it for fun, do not use in production.

NB2: FIDO2 runs only on Castor platform, currently in alpha release.

About repositories, branches and releases

Main branches in all repositories are in development. We aim to keep main branches buildable and workning at all times, but it's not guaranteed and there are some things to keep in mind:

  • Main branches can be incompatible between repositories.
  • To ensure compatibility between repositories use tagged releases, where compatibility is noted.
  • Main branch can be used for e.g. early testing of new features.

Team & keys

The core team is made up of:

From 2025-09-17 we sign our Git tags with our SSH keys, which of course is on our TKeys. We no longer sign individual commits. To verify the tag signatures you need our allowed_signers file. Use like this:

git -c gpg.ssh.allowedSignersFile=/path/to/allowed_signers verify-tag v0.0.1

Or copy the file to the repo you are working in.

Transition from PGP

On 2025-09-17 we stopped using PGP for Git. To ensure trust in the new SSH keys in allowed_signers one of us will sign this file with PGP every time it changes during a transition time, until we start signing it with a Tillitis vendor key.

You can verify that one of us has signed it by downloading:

and then run:

$ gpg --verify allowed_signers.sig

You are already assumed to have all our PGP keys (linked above).

To help trust the transition here are our SSH keys signed by our former PGP keys (first part of e-mail address in allowed_signers in parenthesis):

You can verify a PGP signature of one of our SSH key by running a command like this:

$ gpg --verify mc-ssh.asc
gpg: Signature made Wed 17 Sep 2025 01:42:30 PM CEST
gpg:                using RSA key 52C45DA02B1AC8AC9565FB73D3DB3DDF57E704E5
gpg: Good signature from "Michael Cardell Widerkrantz <mc@tillitis.se>" [ultimate]
gpg:                 aka "Michael Cardell Widerkrantz (code signing) <mc@mullvad.net>" [ultimate]
Primary key fingerprint: 52C4 5DA0 2B1A C8AC 9565  FB73 D3DB 3DDF 57E7 04E5

Again, you are assumed to already have our PGP keys (linked to above).

Former members

Pinned Loading

  1. tillitis-key1 tillitis-key1 Public

    FPGA verilog and firmware for TKey, the flexible and open USB security key 🔑

    C 426 29

  2. tkey-ssh-agent tkey-ssh-agent Public

    SSH Agent for TKey, the flexible open hardware/software USB security key 🔑

    Go 139 16

  3. tkey-libs tkey-libs Public

    TKey device libs

    C 7 4

  4. tkey-devtools tkey-devtools Public

    Development tools for Tillitis TKey

    Go 3 1

  5. tkeyclient tkeyclient Public

    Go package for a TKey client

    Go 2 2

  6. tkey-device-signer tkey-device-signer Public

    Ed25519 signer for the Tillitis TKey

    C 1 2

Repositories

Showing 10 of 37 repositories
View all repositories

Most used topics

Loading…