U2f config in Global Config Issues under 4.3

Hi, I'm struggling with U2F config.

Under Global-Config → USB
when I add a qube to “Enable registering new keys”
and click “Apply Changes”

I see the newly added qube as one line added to /etc/policy.d/50-config-u2f.policy

but it is not shown in the list in Global-Config,
only when I click the button “Apply Changes and close”
and reopen is the missing qube listed.
When only clicking “Apply Changes” and switching to Global-Config->Updates, a popup occurs, to save the changes.
Clicking “Save” removes the line from the policy file; it then writes the current status of the GUI (without the added qube).

Is this a well-known GUI issue of Global Config?

Second:
the written U2F policy file is missing rules:
after configuring the qube to allow registering new keys, I got deny messages
while trying to register a new WebAuthn device

related error messages:

qrexec: ctap.GetInfo: websrv-work -> sys-usb: denied: no matching rule found
ctap.ClientPin: websrv-work -> sys-usb: denied: no matching rule found

after adding these rules manually to 30-user.policy, I was able to register

Then I tried to log in with the U2F device (Nitrokey)

the next deny message:

u2f.Authenticate+974bb5b523cad301bc54cb5cec9aa228: websrv-work -> sys-usb: denied: no matching rule found

the previously registered token is not allowed to be read.

BUT

50-config-u2f.policy contains rule:

policy.RegisterArgument	+u2f.Authenticate	sys-usb	@anyvm	allow target=dom0
u2f.Authenticate	*	vault	sys-usb	allow

So what is wrong with this ruleset?
I can manually add a u2f.Authenticate rule for the specific qubes,
but I expect that the rule

policy.RegisterArgument	+u2f.Authenticate	sys-usb	@anyvm	allow target=dom0

would do this automatically

my understanding is…
when a qube is able to register, it should be able to read its own registered keys.

Am I missing something?

btw. the documentation regarding U2F/CTAP relates to 4.0 or 4.1

Also it describes parts of the diagram which don't exist (the vault dashed line)

Also it is unclear which Qubes version the installation part relates to.
It describes tasks in /etc/qubes-rpc… which is (if I understand this documentation right) obsolete

I found this in /var/log/qubes/qrexec.sys-usb.log:

process_io.c:250:qrexec_process_io: vchan connection closed early (fds: -1 6 -1, status: -1 -1)
Traceback (most recent call last):
  File "/etc/qubes-rpc/policy.RegisterArgument", line 151, in <module>
    main()
    ~~~~^^
  File "/etc/qubes-rpc/policy.RegisterArgument", line 132, in main
    policy = FilePolicy()
TypeError: AbstractFileSystemLoader.__init__() missing 1 required keyword-only argument: 'policy_path'
2026-02-11 11:34:45.806 qrexec-daemon[19781]: process_io.c:250:qrexec_process_io: vchan connection closed early (fds: -1 6 -1, status: -1 -1)
Traceback (most recent call last):
  File "/etc/qubes-rpc/policy.RegisterArgument", line 151, in <module>
    main()
    ~~~~^^
  File "/etc/qubes-rpc/policy.RegisterArgument", line 132, in main
    policy = FilePolicy()
TypeError: AbstractFileSystemLoader.__init__() missing 1 required keyword-only argument: 'policy_path'

Is this related to the issue that the newly registered WebAuthn device can't be read?

OK, it seems to be related to 4.3

The issue is on a new installation (from scratch) of 4.3

On my 4.2 machine, where registering a new Nitrokey works as expected,
I have this file with the registered rules.

On my 4.3 machine, this file is missing, i.e. it is not written.

Can someone check registering a new WebAuthn device on a website (YubiKey or Nitrokey is not relevant)
and confirm that on 4.3 the file 60-registered-arguments is not written?

I found this GitHub issue, which also mentions the GUI behavior

And I finally found the related GitHub issue :wink:

Hopefully there will be a fix soon.

Currently CTAP/U2F is not usable on Qubes 4.3

For me an absolute show breaker

Workaround: create the file 60-registered-arguments manually

and add the policy there
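To make the denials in the opening post and the workaround above concrete, here is an added example that is not part of the thread and not Qubes' own qrexec-policy code: a deliberately simplified simulator of qrexec policy matching (service, argument, source, target, action; files evaluated in name order, first match wins). It loads the two rules quoted from 50-config-u2f.policy verbatim and shows that `u2f.Authenticate+<keyhandle>` from websrv-work to sys-usb has no matching rule, because the only u2f.Authenticate rule there names vault as the source, while `policy.RegisterArgument+u2f.Authenticate` is allowed only for sys-usb as caller. It then adds a constructed 60-registered-arguments file with the per-key-handle rule that the registration step is supposed to write (the exact line is an assumption here) and shows the same call becoming allowed, but only for that key handle. The simulator does not model @adminvm, @dispvm, tags or `ask` prompts; the VM names and key handle are taken from the thread.

```python
"""Simplified simulation of Qubes qrexec policy matching (constructed example).

Rule format as seen in the thread:  service  argument  source  target  action [key=value ...]
Argument is "+something" for one specific argument or "*" for any argument.
Real qrexec also knows @adminvm, @dispvm, @tag:..., @default and "ask"; those are
deliberately not modelled here.
"""
from dataclasses import dataclass, field


@dataclass
class Rule:
    service: str
    argument: str
    source: str
    target: str
    action: str
    params: dict = field(default_factory=dict)


def parse_policy(text: str) -> list[Rule]:
    """Parse one policy file into rules, skipping comments and blank lines."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 5:
            raise ValueError(f"malformed policy line: {raw!r}")
        service, argument, source, target, action, *extra = fields
        params = dict(item.split("=", 1) for item in extra)
        rules.append(Rule(service, argument, source, target, action, params))
    return rules


def split_call(call: str) -> tuple[str, str]:
    """'u2f.Authenticate+abc' -> ('u2f.Authenticate', '+abc'); no '+' means empty argument '+'."""
    service, _, argument = call.partition("+")
    return service, "+" + argument


def vm_matches(pattern: str, vm: str) -> bool:
    # Simplification: @anyvm matches every name; anything else must match exactly.
    return pattern == "@anyvm" or pattern == vm


def evaluate(policy_files: dict[str, str], call: str, source: str, target: str):
    """Return (action, params, file) of the first matching rule, or None when no rule matches.

    None corresponds to the log message 'denied: no matching rule found'.
    Files are consulted in lexical name order, which is why 30-user.policy is
    consulted before 50-config-u2f.policy and 60-registered-arguments.
    """
    service, argument = split_call(call)
    for name in sorted(policy_files):
        for rule in parse_policy(policy_files[name]):
            if rule.service not in ("*", service):
                continue
            if rule.argument not in ("*", argument):
                continue
            if not (vm_matches(rule.source, source) and vm_matches(rule.target, target)):
                continue
            return rule.action, rule.params, name
    return None


# Rules exactly as quoted from 50-config-u2f.policy in the thread.
CONFIG_U2F = """\
policy.RegisterArgument\t+u2f.Authenticate\tsys-usb\t@anyvm\tallow target=dom0
u2f.Authenticate\t*\tvault\tsys-usb\tallow
"""

KEY_HANDLE = "974bb5b523cad301bc54cb5cec9aa228"  # from the denial message in the thread

# Constructed content for 60-registered-arguments: the per-key-handle rule the
# registration step is expected to produce (assumed format, not copied from Qubes).
REGISTERED = f"u2f.Authenticate\t+{KEY_HANDLE}\twebsrv-work\tsys-usb\tallow\n"

BEFORE = {"50-config-u2f.policy": CONFIG_U2F}
AFTER = {"50-config-u2f.policy": CONFIG_U2F, "60-registered-arguments": REGISTERED}


def authenticate(policy_files, source, key_handle=KEY_HANDLE):
    return evaluate(policy_files, f"u2f.Authenticate+{key_handle}", source, "sys-usb")


if __name__ == "__main__":
    print("websrv-work before registration:", authenticate(BEFORE, "websrv-work"))
    print("vault before registration:      ", authenticate(BEFORE, "vault"))
    print("websrv-work after registration: ", authenticate(AFTER, "websrv-work"))
    print("other key handle after:         ", authenticate(AFTER, "websrv-work", "0000"))
    print("ctap.GetInfo websrv-work:       ", evaluate(BEFORE, "ctap.GetInfo", "websrv-work", "sys-usb"))
```

The point the simulation makes is that the RegisterArgument rule does not grant anything to websrv-work by itself: it only permits sys-usb to ask dom0 to append a rule, and if that dom0 handler crashes (the traceback quoted from qrexec.sys-usb.log), nothing is ever appended, so every Authenticate call from a frontend qube falls through to "no matching rule found". Writing the per-handle rule by hand, as in the workaround, restores exactly the least-privilege grant the mechanism intended: one source qube, one key handle.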
