Simon Gardling
26401f5316
BIOS 2423→4101 update on yarn required an fTPM reset, which broke the sealed age identity at /var/lib/agenix/tpm-identity. Bootstrapped a new identity against the new SRK and rotated yarn's recipient. age-plugin-tpm 1.0+ emits age1tag1… (p256tag) recipients by default and refuses to encrypt to legacy age1tpm1… ones, so rotated mreow's recipient to the same encoding (same key, new bech32 HRP) and added an age-plugin-tag→age-plugin-tpm symlink in the rage wrapper so rage's plugin dispatch finds the binary under the new prefix. Stripped the trailing host labels from the tpm recipient strings — rage's stricter bech32 parser now rejects the trailing whitespace; labels live in adjacent Nix comments instead.
2.8 KiB
2.8 KiB