From my testing of several hardware U2F implementations, the test-of-user-presence (touching the button) unlocks the device for an amount of time. During this time, multiple authentications/registrations will succeed without further user interaction. Even without this behavior though, hardware tokens don't indicate which site you're authenticating with. Malware could just make an authentication request right as some user action triggers a legitimate authentication request.
I've only tested on Sierra, so I'm not terribly surprised that this doesn't work. Would you mind opening an issue so I can help debug? https://github.com/github/SoftU2F/issues/new
My understanding is that the FF softtoken was intended to be temporary while they worked on their HID support. That might not be the case any longer though.
Yeah, the software token was only intended for testing purposes.[1] HID support is supposedly a goal for later this year.[2] There is also a third-party(?) add-on for hardware token support[3], but apparently it will stop working with FF 57 as it was not written for WebExtensions.
(Disclaimer: not affiliated with Mozilla; I just check in on bug 1065729 every so often.)
I think the greatest practical threat to TOTP is phishing. U2F, regardless of where keys are stored, binds a keypair to an origin. Only authentication requests from `github.com` can use the `github.com` keys. For my money, any U2F implementation is a win over any TOTP.
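As an added illustration of the origin binding this comment describes (not code from the thread or from SoftU2F): a Go model of a U2F authenticator where each key pair is registered under an app ID and the signed authentication data covers SHA-256(appId), so a phishing origin can neither reuse the `github.com` key handle nor produce a signature `github.com` will accept. Key handles are simplified to slice indexes, and attestation and the relying party's clientData origin check are left out.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
)

type registration struct {
	priv  *ecdsa.PrivateKey
	appID string // origin the key pair was created under
}
// Token models an authenticator (constructed illustration, not SoftU2F's code).
type Token struct {
	keys    []registration // slice index doubles as the key handle
	counter uint32
}

// Register creates a P-256 key pair for the reported origin; the relying party stores the public key.
func (t *Token) Register(appID string) (handle int, pub *ecdsa.PublicKey) {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	t.keys = append(t.keys, registration{priv, appID})
	return len(t.keys) - 1, &priv.PublicKey
}

// signedData is the U2F payload: SHA-256(appId) || flags || counter || SHA-256(clientData).
func signedData(appID string, flags byte, counter uint32, clientData []byte) []byte {
	appParam, chal := sha256.Sum256([]byte(appID)), sha256.Sum256(clientData)
	buf := append(appParam[:], flags, 0, 0, 0, 0)
	binary.BigEndian.PutUint32(buf[33:], counter)
	return append(buf, chal[:]...)
}

// Authenticate signs for the origin the browser passes; a handle registered under another origin is refused.
func (t *Token) Authenticate(handle int, appID string, clientData []byte) (sig []byte, counter uint32, ok bool) {
	if handle < 0 || handle >= len(t.keys) || t.keys[handle].appID != appID {
		return nil, 0, false
	}
	t.counter++
	msg := sha256.Sum256(signedData(appID, 0x01, t.counter, clientData))
	sig, err := ecdsa.SignASN1(rand.Reader, t.keys[handle].priv, msg[:])
	return sig, t.counter, err == nil
}

// Verify is the relying party's check: the signature must cover its own app ID.
func Verify(pub *ecdsa.PublicKey, rpAppID string, counter uint32, clientData, sig []byte) bool {
	msg := sha256.Sum256(signedData(rpAppID, 0x01, counter, clientData))
	return ecdsa.VerifyASN1(pub, msg[:], sig)
}
```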
There is a known bug where leading whitespace can cause the key to not be parsed. Also, check that you're only trying to upload a single key, and not your entire keyring.
It shouldn't be necessary to push a new signed commit for old ones to start showing the "verified" badge. We do cache some of our templates though, so it may take a while for some pages to be updated.
For what it's worth, I had that same error message (OS X), and I managed to fix it. After using homebrew to make sure my git was up-to-date and gpg was also installed correctly, I told git where gpg is (for some reason, despite being in my PATH, it wasn't registering?):
git config --global gpg.program /usr/local/bin/gpg
After that, I had to make a tweak to gpg so I didn't get another annoying error. In ~/.gnupg/gpg.conf, adding 'no-tty' got everything working smoothly.
I agree that that was way too tedious, but it did work out. :)
> There is no UI that allows you to specify that you want the merge commit to be signed.
Ah ok, I see what you mean. I don't think there's a way to have rebase re-sign things inside SourceTree either; I run into that one constantly and have to open a terminal.