Add a USB security key to u2f-devices, but don't have an ID

Hey Snapcrafters!

I have a security key using WearAuthn, an app that lets you use a WearOS watch as a security key over Bluetooth. The key appears as an hidraw device.

I’d like to get these keys added to the u2f-devices allow list, found at the snapd GitHub.

Problem is, I can’t find the vendor/ID for these devices, and even if I did, there’s a good chance it’ll be different for every model of watch.

dmesg has the following line for connection:

hid-generic 0005:00E0:1200.001C: hidraw5: BLUETOOTH HID v14.36 Device [OPPO Watch 812C] on d4:25:8b:ef:5b:fe

But nothing new shows up in lsusb:

Bus 002 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 001 Device 005: ID 138a:0097 Validity Sensors, Inc. 
Bus 001 Device 004: ID 13d3:5682 IMC Networks SunplusIT Integrated Camera
Bus 001 Device 003: ID 8087:0a2b Intel Corp. Bluetooth wireless interface
Bus 001 Device 012: ID 046d:c52f Logitech, Inc. Unifying Receiver
Bus 001 Device 006: ID 056a:50b6 Wacom Co., Ltd Pen and multitouch sensor
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub

I suspect that it may show up under the Bluetooth adapter (8087:0a2b), but that means that there’s a potentially huge list of IDs to add.

So here’s my question: How can I find out the ID of my key? (I’ll probably try and get it added to the list anyway.)

If it turns out to be the Bluetooth adapter’s ID, what should I do to get it added to the list/how can I find out a common criterion to add it to the list?

That list contains USB devices for which snapd generates udev rules to match and tag them for relevant snaps. The list contains vendor/product IDs which are a standard property of each USB device.

I’m afraid the hidraw devices will be more opaque. At least looking at the udev dump of things that are in my system, there’s very little to tell one device from another except for the device path and its major and minor numbers.

Can you attach the output of:

udevadm info /dev/hidraw5

(or the appropriate hidraw device once it connects)? The output will be very terse, can you then grab the output of:

udevadm info /sys/<device-path>

where you append the content of the P: /devices/... (starting from /devices) line from the previous dump?

Interesting you should mention “udev rules”: the WearAuthn GitHub has a section in their README about setting up udev rules for your system.

Note that I’ve followed the steps in the README already, so that might influence the output of the commands. I don’t understand it much myself, but it might make more sense to you.

Here’s the output you asked for:

$ udevadm info /dev/hidraw5
P: /devices/pci0000:00/0000:00:14.0/usb1/1-7/1-7:1.0/bluetooth/hci0/hci0:512/0005:00E0:1200.0035/hidraw/hidraw5
N: hidraw5
L: 0
E: DEVPATH=/devices/pci0000:00/0000:00:14.0/usb1/1-7/1-7:1.0/bluetooth/hci0/hci0:512/0005:00E0:1200.0035/hidraw/hidraw5
E: DEVNAME=/dev/hidraw5
E: MAJOR=240
E: MINOR=5
E: SUBSYSTEM=hidraw
E: USEC_INITIALIZED=22884602135
E: ID_FIDO_TOKEN=1
E: ID_SECURITY_TOKEN=1
E: ID_U2F_TOKEN=1
E: ID_PATH=pci-0000:00:14.0-usb-0:7:1.0
E: ID_PATH_TAG=pci-0000_00_14_0-usb-0_7_1_0
E: ID_FOR_SEAT=hidraw-pci-0000_00_14_0-usb-0_7_1_0
E: TAGS=:seat:uaccess:security-device:
E: CURRENT_TAGS=:seat:uaccess:security-device:

The second command has the same output.

Hope that helps somewhat.

Thanks. Looks like:

E: ID_SECURITY_TOKEN=1
E: ID_U2F_TOKEN=1

are set by https://github.com/amluto/u2f-hidraw-policy or a fido_id from systemd, for which there’s a udev rule to import whatever properties it sets.
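
An added example (not from any post in this thread, and not snapd, systemd or WearAuthn code): the kernel's HID core names each device BUS:VENDOR:PRODUCT.INSTANCE, so the hidraw path in the dump above carries HID-level identifiers even though lsusb shows nothing, with bus 0005 meaning Bluetooth. This Python sketch parses a `udevadm info` dump into those fields plus the token properties; the function names are hypothetical and the sample is a subset of the output posted above.

```python
import re

# Bus-type constants from the kernel's include/uapi/linux/input.h
HID_BUS = {0x03: "USB", 0x05: "Bluetooth", 0x18: "I2C"}

# HID core device name: BUS:VENDOR:PRODUCT.INSTANCE, each field in hex
HID_ID = re.compile(
    r"/([0-9A-Fa-f]{4,}):([0-9A-Fa-f]{4,}):([0-9A-Fa-f]{4,})\.[0-9A-Fa-f]{4,}/hidraw/")

# Constructed sample: a subset of the `udevadm info /dev/hidraw5` lines posted above
SAMPLE = """\
P: /devices/pci0000:00/0000:00:14.0/usb1/1-7/1-7:1.0/bluetooth/hci0/hci0:512/0005:00E0:1200.0035/hidraw/hidraw5
N: hidraw5
E: SUBSYSTEM=hidraw
E: ID_FIDO_TOKEN=1
E: ID_SECURITY_TOKEN=1
E: ID_U2F_TOKEN=1
E: TAGS=:seat:uaccess:security-device:
"""

def parse_udevadm(dump):
    """Split a udevadm info dump into the device path and its E: properties."""
    devpath, props = None, {}
    for line in dump.splitlines():
        kind, _, value = line.partition(": ")
        if kind == "P":
            devpath = value.strip()
        elif kind == "E" and "=" in value:
            key, _, val = value.partition("=")
            props[key] = val.strip()
    return devpath, props

def describe_hidraw(dump):
    """Return bus, vendor, product and token flags for a hidraw node, or None."""
    devpath, props = parse_udevadm(dump)
    match = HID_ID.search(devpath or "")
    if match is None:
        return None  # not a hidraw node, or the path has an unexpected layout
    bus, vendor, product = (int(field, 16) for field in match.groups())
    return {
        "bus": HID_BUS.get(bus, f"unknown (0x{bus:04x})"),
        "vendor": f"{vendor:04x}",
        "product": f"{product:04x}",
        "fido_token": props.get("ID_FIDO_TOKEN") == "1",
        "uaccess": "uaccess" in props.get("TAGS", "").split(":"),
    }

if __name__ == "__main__":
    print(describe_hidraw(SAMPLE))
```
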

OK… so you think the udev rule that I need to submit to u2f-devices would be there? Looking through the files, I don’t see anything that looks like a vendor/ID.

I honestly have no idea how udev rules work, so I’m at a loss for what anything in that repo means.

Bumping (sorry) because I’ve figured out the udev rule that gets added. This rule successfully allows the watch to talk to the system - this was already being handled when u2f-hidraw-policy (see above) was installed. Now, it’s just Firefox in the way! Here’s the entire file:

# do not edit this file, it will be overwritten on update

ACTION=="remove", GOTO="u2f_hidraw_end"

SUBSYSTEM=="hidraw", IMPORT{program}="u2f_hidraw_id --udev"

LABEL="u2f_hidraw_end"

Ignoring trying to get WearAuthn added to the list of allowed devices, how can I modify my own installation of Firefox (preferably permanently) to allow WearAuthn to be read? I’m assuming that snaps have their own internal udev ruleset somewhere (seems to be the case from the u2f-devices list). If so, where & how can I access/change it, and does that do what I need?

Thanks in advance. (I’ll post this on Ask Ubuntu too.)