* Fix#7892 - Pressing escape when the quick unlock prompt is shown will now go back to the main unlock dialog view.
* Fix#9030 - Quick unlock will be automatically invoked in the unlock dialog upon being shown.
* Fix#9554 - Quick unlock application setting will be updated every time the settings widget is shown instead of just on first launch.
* Show warning that quick unlock is not enabled if user cancels Windows Hello prompt. This should limit people thinking there is a security issue. Also improve documentation describing this behavior.
* Disable quick unlock in gui tests
Fixes#6190
Remove the advanced settings checkbox and replace with a dedicated tab widget interface to toggle between basic and advanced encryption settings.
Add a new propery autosaveDelay in Metadata of the db.
The property is saved in customData to not affect database structure as this setting is unique to keepasxc.
The propery sets delay to wait since last modification before saving.
Co-authored-by: jNullj <jNullj@users.noreply.github.com>
Enable buddy fields in group and entry edit pages
* Fixes#9060, you can now press Alt + [letter] to skip between fields on the group and entry edit pages.
* Move the expire checkbox to the right hand column and use the standard eye icon button for notes reveal. Only show notes reveal button if the hide notes setting is enabled.
Fix overflow of text in default auto-type sequence preview
* Fixes#9083
Add copy title shortcut (Ctrl + I)
* Closes#9109
Fix issues with menu actions being enabled incorrectly
Add accessibility description to password widget to explain how to hide/show passwords and open the generator
* Closes#9059
Add F6 shortcut to focus search
* Closes#9163
* Add configuration to hide TOTP in preview widget (shown by default).
* Retain the visibility of TOTP and other fields when the same entry remains selected in the preview panel.
* Fix disconnecting signals when switch entries / groups. This likely is going to fix crashes because we were compounding signals when focusing in on the main window.
* Fix#8952 - move translations for Cipher and KDF strings into evaluated code instead of globally defined code. The strings were being baked prior to the language being set resulting in only english being displayed.
The KeyCredentialManager::RequestCreateAsync call can fail because we can end up in a situation where Windows Hello is initially available but then becomes unavailable, such as during a remote desktop session. This commit prevents a crash by moving the call into the try-catch.
Fixes#7890
Also resets quick unlock if there is an unrecoverable error. This will not occur if the user merely canceled the Windows Hello dialog.
Supported key types are RSA, ECDSA and Ed25519.
Includes tests to compare writing out keys produce the exact same private key if read from OpenSSH format and tests against ssh-agent to ensure all no generated key is rejected.
* Fix detecting AES-256/GCM cipher, fixes#8964
When you generate a ssh key using the aes-256/gcm cipher, the cipher name in the keyfile includes an @openssh.com at the end.
* Use separate iv length for getting iv data, the assumption that the block size and iv size are equal does not hold for every cipher mode (e.g., GCM)
* Disable AES-256/GCM for now in ssh keys
Currently, the granularity for the botan gcm implementation is too large. To fix a problem with another algorithm in the library, they are multiplying
the blocksize, so by default the granularity is 64. This causes issues since the encrypted data in the key is only guaranteed to have a length that is a multiple of the block size (16).
currently, when keepassxc is not running, the command `keepassxc --lock` opens a new keepass window and blocks until the window is closed.
Especially in locking scripts this is rather unexpected and Ican't think of a case where someone explicitly starts keepass with --lock and wants this behaviour.
Rather --lock should always ensure, that there are no unlocked instances and exiting afterwards
* Rename "Database Tags" to "Searches and Tags"
* Separate searching for all entries and resetting the search
* Support selecting multiple tags to search against
* Fix using escaped quotes in search terms
* Make tag searching more precise
* Support `is:expired-#` to search for entries expiring within # days. Exclude recycled entries from expired search.
* Don't list tags from entries that are recycled
* Force hide tag auto-completion menu when tag editing widget is hidden. On rare occasions the focus out signal is not called when the tag view is hidden (entry edit is closed), this resolves that problem.
* Remove spaces from before and after tags to prevent seemingly duplicate tags from being created.
* Also fix some awkward signal/slot dances that were setup over time with the entry view and preview widget.
Allow changing tags for multiple entries through context menu
* Closes#8277 - show context menu with currently available tags in database and checks those that are set on one or more selected entries. When a tag is selected it is either set or unset on all entries depending on its checked state.
* Add ability to save searches and recall them from the "Searches and Tags" view
* Add ability to remove a tag from all entries from the "Searches and Tags" view
* Cleanup tag handling and widgets
* Fix#1090 - delay locking databases after minimize to allow for clipboard use, Auto-Type use, and browser integration use.
* Fix#6757 - prevent setting both minimize on unlock and lock on minimize settings at the same time.
* Fix#7726 - Ignore BEEP Auto-Type token when it includes spaces and numbers as well
* Close#8103 - Allow specifying specific attribute to use with PICKCHARS. If none specified, it defaults to Password.
* Fix#7811 - Notes height no longer truncated
* Fix#7949 - Improve copying attribute value to clipboard in entry preview
* Fix#7898 - Prevent copying url when copy password selected after clicking url in preview pane
* Fix#7982 - Double clicking hidden attributes in preview pane copies the value instead of ●●●●●●
* Split calls to finding hardware keys into sync and async methods. This has the side effect of simplifying the code.
* Check for keys before performing challenge/response if no keys have been found previously.
* Correct timeout of user interaction message to interact with the hardware key.
* Correct error in TestCli::testYubiKeyOption
Also added a reset decision button in session management tab
Fixes#7464
* Fix distorted button in settings page: the default margin in QToolBar is too large for our use case in a table row.
* On Windows, offer explicit methods to use the virtual keyboard style of typing. This partially reverts 1150b69836 by going back to the standard unicode method by default. However, uses can either add {MODE=VIRTUAL} to their sequence or choose "Use Virtual Keyboard" / CTRL+4 from the selection dialog.
* Took this opportunity to clean up the signature of AutoType::performAutoType and AutoType::performAutoTypeWithSequence by removing the "hideWindow" attribute.
* Show keyboard shortcuts on the selection dialog context menu
* Fix selection dialog help icon color when in dark theme
* Special thanks to @HexF and @smlu for their contributions towards this feature.
* Add MVP support for Windows Hello as a Quick Unlock solution using the WinRT API. This works by signing a random challenge vector with the Windows Hello protected key store (typically from TPM). The signed challenge is hashed using SHA-256 and then used as the encryption key to encrypt the database credentials. Credentials are encrypted using AES-256/GCM. This ensures the database password can only be decrypted following a successful authentication with Windows Hello in the future.
* Unify Touch ID and Windows Hello behavior under the Quick Unlock branding. Remove all timeout features of Touch ID as they are unnecessary and complicate the feature for no security gain.
* Quick Unlock is automatically reset only when the database key is changed vice whenever database settings are modified.
* Don't set database unlock dialog as always on top. This allows Touch ID and Windows Hello prompts to appear above the dialog properly.
* Prevent quick unlock when using AutoOpen or opening from the command line.
If relock after performing Auto-Type is enabled it will wait until
specified timeout before doing so.
Retype time is now configurable and is decreased from the old
hardcoded 30 seconds down to 15 seconds to keep the default a bit
more secure while still allowing the user to set it higher for
their liking.
To restore old behavior the user can set retype time to 0 which
will make the database relock instantly.
Auto-Type relock setting relocated to Auto-Type tab to group it
better with the other Auto-Type settings.
Previously empty associations matched any window but since you can
use a wildcard (*) if you specifically want that this change makes
it possible to define multiple sequences for the global search
if you need to.
Additionally show empty associations in the list as "(empty)" to
better differentiate between rows if no title is set.
review completed for the source file '/share/translations/keepassxc_en.ts'
on the 'tr' language.
Co-authored-by: transifex-integration[bot] <43880903+transifex-integration[bot]@users.noreply.github.com>
* Show banner message about expired entries
* Add config option and expiration offset
* Only show expiry warning on first DB unlock
* Default to on with 3-day offset from expiration
* Apply translations in tr
review completed for the source file '/share/translations/keepassxc_en.ts'
on the 'tr' language.
* Apply translations in tr
review completed for the source file '/share/translations/keepassxc_en.ts'
on the 'tr' language.
Co-authored-by: transifex-integration[bot] <43880903+transifex-integration[bot]@users.noreply.github.com>
* show the tags in the entry preview
* allow searching by tag
* add a sidebar listing the tags in the database
* filter entries by tag on click
* Introduce a new TagsEdit widget that provides pill aesthetics, fast removal functionality and autocompletion
* add tests for the tags feature
* introduce the "is" tag for searching. Support for weak passwords and expired added.
* Remove QuaZip dependency in favor of minizip
* Remove signature checks, but maintain signatures for backwards compatibility
* Remove UI components related to certificates except for personal certificate for backwards compatibility
* Default to unsigned containers (*.kdbx)
Shows a warning when trying to open with a newer minor version than what is currently supported.
We always try to save with the lowest KDBX version possible for maximum compatibility.
- Default backupFilePath is '{DB_FILENAME}.old.kdbx' to conform to existing standards
- Implement backupPathPattern tests.
- Show tooltip on how to format database backup location text field.
* Add commands to manipulate entry attachments from the CLI
* Closes#4462
* Add the following commands:
attachment-export: Exports the content of an attachment to a specified file.
attachment-import: Imports the attachment into an entry. An existing attachment with the same name may be overwritten if the -f option is specified.
attachment-rm: Removes the named attachment from an entry.
* Add --show-attachments to the show command
This commit allows users to put alternative wordlists in a `wordlists` subdirectory below their KeePassXC directory (e.g., under Linux, `~/.config/keepassxc/wordlists`). These wordlists will then appear in the dropdown menu in the *Password Generator* widget.
In order to differentiate between lists shipped with KeePassXC and user-provided lists, the former appears with a (SYSTEM) prefix.
Fixes#6942 and fixes#4443
- Return number of deleted entries
- Fix minor memory leak
- FdoSecrets: make all prompt truly async per spec and update tests
* the waited signal may already be emitted before calling spy.wait(),
causing the test to fail. This commit checks the count before waiting.
* check unlock result after waiting for signal
- FdoSecrets: implement unlockBeforeSearch option
- FdoSecrets: make search always work regardless of entry group searching settings, fixes#6942
- FdoSecrets: cleanup gracefully even if some test failed
- FdoSecrets: make it safe to call prompts concurrently
- FdoSecrets: make sure in unit test we click on the correct dialog
Note on the unit tests: objects are not deleted (due to deleteLater event not handled).
So there may be multiple AccessControlDialog. But only one of
it is visible and is the correctly one to click on.
Before this change, a random one may be clicked on, causing the
completed signal never be sent.
* Closes#6335
* Modify application settings presentation to allow for alternative saving strategies
* Transition Database::save calls to using flags to control saving behavior. Reduces boolean flags on function call.
* Made direct write save option a local setting to prevent unintentional carry over between platforms.
* Fixes#6459
Improves the overall handling of FdoSecrets showing client executable paths to the user. It does the following:
* Check executable file existence as described in [RFC] fdosecrets: add optional confirmation to secret access (#4733)
* Show application PID and dbus address in the client list
* When the executable file is inaccessible, depending on where the client name is shown:
* when shown inline, e.g. in notification text, where space is limited, clearly say that the path is invalid
* when shown in auth dialog, show warning and print detailed info about the client
* when shown in the client list, draw a warning icon
Co-authored-by: Jonathan White <support@dmapps.us>
* Support NFC readers for hardware tokens using PC/SC
This requires a new library dependency: PCSC.
The PCSC library provides methods to access smartcards. On Linux, the third-party pcsc-lite package is used. On Windows, the native Windows API (Winscard.dll) is used. On Mac OSX, the native OSX API (framework-PCSC) is used.
* Split hardware key access into multiple classes to handle different methods of communicating with the keys.
* Since the Yubikey can now be a wireless token as well, the verb "plug in" was replaced with a more
generic "interface with". This shall indicate that the user has to present their token to the reader, or plug it in via USB.
* Add PC/SC interface for YubiKey challenge-response
This new interface uses the PC/SC protocol and API
instead of the USB protocol via ykpers. Many YubiKeys expose their functionality as a CCID device, which can be interfaced with using PC/SC. This is especially useful for NFC-only or NFC-capable Yubikeys, when they are used together with a PC/SC compliant NFC reader device.
Although many (not all) Yubikeys expose their CCID functionality over their own USB connection as well, the HMAC-SHA1 functionality is often locked in this mode, as it requires eg. a touch on the gold button. When accessing the CCID functionality wirelessly via NFC (like this code can do using a reader), then the user interaction is to present the key to the reader.
This implementation has been tested on Linux using pcsc-lite, Windows using the native Winscard.dll library, and Mac OSX using the native PCSC-framework library.
* Remove PC/SC ATR whitelist, instead scan for AIDs
Before, a whitelist of ATR codes (answer to reset, hardware-specific)
was used to scan for compatible (Yubi)Keys.
Now, every connected smartcard is scanned for AIDs (applet identifier),
which are known to implement the HMAC-SHA1 protocol.
This enables the support of currently unknown or unreleased hardware.
Co-authored-by: Jonathan White <support@dmapps.us>
at least 80% translated for the source file '/share/translations/keepassx_en.ts'
on the 'uk' language.
Manual sync of partially translated files: untranslated content is included with an empty translation or source language content depending on file format
Co-authored-by: transifex-integration[bot] <43880903+transifex-integration[bot]@users.noreply.github.com>
at least 80% translated for the source file '/share/translations/keepassx_en.ts'
on the 'tr' language.
Manual sync of partially translated files: untranslated content is included with an empty translation or source language content depending on file format
Co-authored-by: transifex-integration[bot] <43880903+transifex-integration[bot]@users.noreply.github.com>
at least 80% translated for the source file '/share/translations/keepassx_en.ts'
on the 'th' language.
Manual sync of partially translated files: untranslated content is included with an empty translation or source language content depending on file format
Co-authored-by: transifex-integration[bot] <43880903+transifex-integration[bot]@users.noreply.github.com>
at least 80% translated for the source file '/share/translations/keepassx_en.ts'
on the 'sv' language.
Manual sync of partially translated files: untranslated content is included with an empty translation or source language content depending on file format
Co-authored-by: transifex-integration[bot] <43880903+transifex-integration[bot]@users.noreply.github.com>
at least 80% translated for the source file '/share/translations/keepassx_en.ts'
on the 'es' language.
Manual sync of partially translated files: untranslated content is included with an empty translation or source language content depending on file format
Co-authored-by: transifex-integration[bot] <43880903+transifex-integration[bot]@users.noreply.github.com>
at least 80% translated for the source file '/share/translations/keepassx_en.ts'
on the 'sk' language.
Manual sync of partially translated files: untranslated content is included with an empty translation or source language content depending on file format
Co-authored-by: transifex-integration[bot] <43880903+transifex-integration[bot]@users.noreply.github.com>