Update translations

Attack - KeeShare attachments can be inferred because of attachment de-duplication.

Solution - Prevent de-duplication of normal database entry attachments with those entry attachments synchronized/associated with a KeeShare database. This is done using the KeeShare database UUID injected into the hash calculation of the attachment prior to de-dupe. The attachments themselves are not modified in any way.

--------

Attack - Side channel byte-by-byte inference due to compression de-duplication of data between a KeeShare database and it's parent.

Solution - Generate a random array between 64 and 512 bytes, convert to hex, and store in the database custom data.

--------

Attack vector assumptions:
1. Compression is enabled
2. The attacker has access to a KeeShare database actively syncing with the victim's database
3. The victim's database is unlocked and syncing
4. The attacker can see the exact size of the victim's database after saving, and syncing, the KeeShare database

Thank you to Andrés Fábrega from Cornell University for theorizing and informing us of this attack vector.

.github/CONTRIBUTING.md

@@ -85,6 +85,12 @@ All pull requests must comply with the above requirements and with the [stylegui
 Translations are managed on [Transifex](https://www.transifex.com/keepassxc/keepassxc/) which offers a web interface.
 Please join an existing language team or request a new one if there is none.
 
+If you open a Pull Request with new strings that require translations, you will need to run the following:
+```
+./release-tool i18n lupdate
+```
+This will make the new strings available for translation in Transifex.
+
 ## Styleguides
 
 ### Git branch strategy

.gitignore

@@ -26,3 +26,7 @@ CMakeSettings.json
 CMakePresets.json
 .vs/
 out/
+
+# vcpkg
+vcpkg_installed*/
+

.tx/config

@@ -1,14 +1,17 @@
 [main]
-host = https://www.transifex.com
+host = https://app.transifex.com
 
-[keepassxc.share-translations-keepassxc-en-ts--develop]
+[o:keepassxc:p:keepassxc:r:share-translations-keepassxc-en-ts--develop]
-source_file = share/translations/keepassxc_en.ts
+file_filter   = share/translations/keepassxc_<lang>.ts
-file_filter = share/translations/keepassxc_<lang>.ts
+source_file   = share/translations/keepassxc_en.ts
-source_lang = en
+type          = QT
-type = QT
+minimum_perc  = 0
+resource_name = keepassxc_en.ts (develop)
+
+[o:keepassxc:p:keepassxc:r:share-translations-keepassxc-en-ts--master]
+file_filter   = share/translations/keepassxc_<lang>.ts
+source_file   = share/translations/keepassxc_en.ts
+type          = QT
+minimum_perc  = 0
+resource_name = keepassxc_en.ts (2.7.x stable)
 
-[keepassxc.share-translations-keepassxc-en-ts--master]
-source_file = share/translations/keepassxc_en.ts
-file_filter = share/translations/keepassxc_<lang>.ts
-source_lang = en
-type = QT

CHANGELOG.md

@@ -1,5 +1,164 @@
 # Changelog
 
+## 2.7.7 (2024-03-09)
+
+### Changes
+- Support USB Hotplug for Hardware Key interface [#10092]
+- Support 1PUX and Bitwarden import [#9815]
+- Browser: Add support for PassKeys [#8825, #9987, #10318]
+- Build System: Move to vcpkg manifest mode [#10088]
+
+### Fixes
+- Fix multiple TOTP issues [#9874]
+- Fix focus loss on save when the editor is not visible anymore [#10075]
+- Fix visual when removing entry from history [#9947]
+- Fix first entry is not selected when a search is performed [#9868]
+- Prevent scrollbars on entry drag/drop [#9747]
+- Prevent duplicate characters in "Also choose from" field of password generator  [#9803]
+- Security: Prevent byte-by-byte and attachment inference side channel attacks [#10266]
+- Browser: Fix raising Update Entry messagebox [#9853]
+- Browser: Fix bugs when returning credentials [#9136]
+- Browser: Fix crash on database open from browser [#9939]
+- Browser: Fix support for referenced URL fields [#8788]
+- MacOS: Fix crash when changing highlight/accent color [#10348]
+- MacOS: Fix TouchID appearing even though lid is closed [#10092]
+- Windows: Fix terminating KeePassXC processes with MSI installer [#9822]
+- FdoSecrets: Fix database merge crash when enabled [#10136]
+
+## 2.7.6 (2023-08-15)
+
+### Changes
+- Significant improvement to visual when drag/drop entries [#9698]
+- Automatically prompt for Quick Unlock when showing unlock dialog [#9697]
+- Improve colorful lock icon and fix file MIME icon on KDE [#9632]
+- Ability to search by entry UUID [#9571]
+- Add challenge-response support for NitroKey 3 [#9631]
+- Auto-Type: Disable entry level Auto-Type when disabled at group/entry [#9672]
+- Browser: Show warning when adding duplicate URL's to entry [#9588][#9635]
+- Browser: Improve error message when proxy cannot be found [#9385]
+
+### Fixes
+- Fix crash on exit on macOS [#9620]
+- Fix crash on search if entry doesn't have a group [#9633]
+- Fix several issues with Quick Unlock [#9697]
+- Enable save button when not auto-saving non-data changes [#9634]
+- Several UI/UX fixes [#9647]
+- Move toolbar back to top of window when disabling movement [#9699]
+- Browser: Fix closing password generator dialog with X button [#9636]
+- Browser: Fix handling of expired credentials [#9595]
+- Windows: Prevent white flicker when launching application [#9637]
+- Linux: Fix warning message about allow screencapture [#9638]
+- FdoSecrets: Fix access confirmation dialog showing even when disabled [#9690]
+
+## 2.7.5 (2023-05-14)
+
+### Changes
+- Add menu option to allow screenshots [#8841]
+- Add support for Botan 3 [#9388]
+- Increase max TOTP step to 24 hours [#9149]
+- Improve HTML export layout [#8987]
+- Turn search reset off by default [#9153]
+- Use QClipboard::clear() instead of setting blank text [#9148]
+- Hide group column header choice when not in search [#9171]
+- Improve look of KeePassXC logo and icons [#9355]
+- Add keyboard shortcuts for app and database settings [#9007]
+- Hide rename button from attachments preview panel [#8842]
+- Linux: Set SingleMainWindow in .desktop file [#7430]
+
+### Fixes
+- Fix crash when search clears while creating new entry [#9230]
+- Fix crash when using Windows Hello in a Remote Desktop session [#9006]
+- Fix crash in Group Edit after enabling Browser Integration [#8778]
+- Fix canceling quick unlock when it is unavailable [#9034]
+- Set password input field font correctly [#8732]
+- Greatly improve performance when rendering entry view [#9398]
+- Fix various accessibility issues [#9138]
+- Fix arrows size when expand/collapse a group [#9096]
+- Select the clone instead of the original after cloning an entry [#9070]
+- Fix bugs with preview widget [#9170]
+- Fix status bar update when switching to other DB [#9073]
+- Fix database settings spin box bug [#9101]
+- Fix Ctrl+Tab shortcut to cycle databases in unlock dialog [#8839]
+- Fix TOTP QR code maintaining square ratio [#9027]
+- Fix Auto-Type configuration page on custom sequence selection [#8752]
+- Fix unexpected behavior of `--lock` when KeePassXC is not running [#8889]
+- Make open folder icon exempt from "Apply group icon to entry" [#9205]
+- Allow setting default file open directory with env var [#9192]
+- SSH Agent: Fix support for AES-256/GCM openssh keys [#8968]
+- Browser: Fix Native Messaging script path with BSD OS's [#8835]
+- MacOS: Fix text selection for Auto-Type clear field [#9066]
+- MacOS: Don't rely on AppleInterfaceStyle for theme switching [#8615]
+- Windows: Remove registry detection of desktop shortcut [#9380]
+
+## 2.7.4 (2022-10-29)
+
+### Changes
+- Add 2 months expiration preset [#8687]
+- CLI: Add Unicode support on Windows [#8618]
+
+### Fixes
+- Fix crash on macOS when unlocking database [#8676]
+- Fix display of passwords in preview panel [#8633]
+- Fix clicking links in entry preview panel [#8644]
+- Prevent expired entries search if no results returned [#8643]
+- Browser: Revert code causing connection problems [#8665]
+- Browser: Fix socket file symbolic link on Linux [#8656]
+- Flatpak: Fix launching browser proxy service [#8680]
+- SSH Agent: Fix paegent support on Windows [#8619]
+
+## 2.7.3 (2022-10-23)
+
+### Changes
+- Enhance Tags Support and Add Saved Searches [#8435, #8607]
+- Significant improvements to entry preview panel [#7993]
+- Add password strength indicator to all password fields [#7885]
+- Limit zxcvbn entropy estimation length to 128 characters [#7748]
+- Try full URL path when fetching favicon [#8565]
+- Hide usernames in preview panel when hidden in entry view [#8608]
+- Enable dark title bar on windows when accent color is not used [#8498]
+- Add option to display passwords in color in preview panel [#7097]
+- Add XML Export option to GUI [#8524]
+- Increase entropy required for a "good" password rating to 75 [#8523]
+- Add shortcut to copy password with TOTP appended [#8443]
+- Show entry count in status bar [#8435]
+- Allow KeePassXC to be built without X11 [#8147]
+- Enable use of VivoKey Apex and Dangerous Things FlexSecure tokens [#8332]
+- Add setting for number of recent files [#8239]
+- Add Ctrl+Tab shortcut to cycle databases in unlock dialog [#8168]
+- Replace offensive words in eff_large.wordlist [#7968]
+- Auto-Type: PICKCHARS can specify attribute and ignore BEEP [#8118]
+- Linux: Add isHardwareKeySupported and refreshHardwareKeys to DBus methods [#8055]
+- Add config variable to specify default database file name [#8042]
+- Support numeric aware sorting on Windows and macOS [#8363]
+- CLI: Add `db-edit` command [#8400]
+- CLI: Add option to display all attributes with `show` command [#8256]
+- CLI: Show UUID and tags with `show` and `clip` commands [#8241]
+- Browser: Move socket into separate directory on Linux [#8030]
+- Browser: Add group setting to omit WWW subdomain when matching URLs [#7988]
+- FdoSecrets: Ask to unlock the database when creating items [#8022, #8028]
+- FdoSecrets: Skip entries in recycle bin when searching [#8021]
+
+### Fixes
+- Fix potential deadlock in UI when saving [#8606]
+- Fix newlines when copying notes from preview panel [#8542]
+- Fix dark mode detection on Linux [#8477]
+- Fix crash when deleting items in recycle bin while searching [#8117]
+- Fix crash when trying to close database during unlock [#8144]
+- Fix tabbing around the interface [#8435, #8520]
+- Fix OPVault import when there are multiple OTP fields [#8436]
+- Fix various Windows Hello bugs [#8354]
+- Fix use of Apple Watch for Quick Unlock [#8311]
+- Better handling of "Lock on Minimize" setting [#8202]
+- Check for write permission before entering portable mode [#8447]
+- Correct regex escape logic to prevent parse errors [#7778]
+- Normalize slashes and file case for last used databases [#7864, #7214]
+- Link ykcore against pthread [#7807]
+- Auto-Type: Fix menu entries in selection dialog on Windows [#7987]
+- Auto-Type: Fix use of modifiers under macOS [#8111]
+- CLI: Fix output when using clip with the -t flag [#8271]
+- Browser: Use asynchronous access confirm dialog [#8273]
+- Browser: Always send database locked/unlocked status [#8114]
+
 ## 2.7.1 (2022-04-05)
 
 ### Changes

CMakeLists.txt

@@ -14,7 +14,7 @@
 #  You should have received a copy of the GNU General Public License
 #  along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
-cmake_minimum_required(VERSION 3.3.0)
+cmake_minimum_required(VERSION 3.10.0)
 
 project(KeePassXC)
 set(APP_ID "org.keepassxc.${PROJECT_NAME}")
@@ -53,6 +53,7 @@ set(WITH_XC_ALL OFF CACHE BOOL "Build in all available plugins")
 option(WITH_XC_AUTOTYPE "Include Auto-Type." ON)
 option(WITH_XC_NETWORKING "Include networking code (e.g. for downloading website icons)." OFF)
 option(WITH_XC_BROWSER "Include browser integration with keepassxc-browser." OFF)
+option(WITH_XC_BROWSER_PASSKEYS "Passkeys support for browser integration." OFF)
 option(WITH_XC_YUBIKEY "Include YubiKey support." OFF)
 option(WITH_XC_SSHAGENT "Include SSH agent support." OFF)
 option(WITH_XC_KEESHARE "Sharing integration with KeeShare" OFF)
@@ -62,6 +63,27 @@ if(UNIX AND NOT APPLE)
 endif()
 option(WITH_XC_DOCS "Enable building of documentation" ON)
 
+set(WITH_XC_X11 ON CACHE BOOL "Enable building with X11 deps")
+
+if(APPLE)
+    # Perform the platform checks before applying the stricter compiler flags.
+    # Otherwise the kSecAccessControlTouchIDCurrentSet deprecation warning will result in an error.
+    try_compile(XC_APPLE_COMPILER_SUPPORT_BIOMETRY
+       ${CMAKE_CURRENT_BINARY_DIR}/tiometry_test/
+       ${CMAKE_CURRENT_SOURCE_DIR}/cmake/compiler-checks/macos/control_biometry_support.mm)
+    message(STATUS "Biometry compiler support: ${XC_APPLE_COMPILER_SUPPORT_BIOMETRY}")
+
+    try_compile(XC_APPLE_COMPILER_SUPPORT_TOUCH_ID
+       ${CMAKE_CURRENT_BINARY_DIR}/touch_id_test/
+       ${CMAKE_CURRENT_SOURCE_DIR}/cmake/compiler-checks/macos/control_touch_id_support.mm)
+    message(STATUS "Touch ID compiler support: ${XC_APPLE_COMPILER_SUPPORT_TOUCH_ID}")
+
+    try_compile(XC_APPLE_COMPILER_SUPPORT_WATCH
+       ${CMAKE_CURRENT_BINARY_DIR}/tiometry_test/
+       ${CMAKE_CURRENT_SOURCE_DIR}/cmake/compiler-checks/macos/control_watch_support.mm)
+    message(STATUS "Apple watch compiler support: ${XC_APPLE_COMPILER_SUPPORT_WATCH}")
+endif()
+
 if(WITH_CCACHE)
     # Use the Compiler Cache (ccache) program
     # (install with: sudo apt get ccache)
@@ -77,6 +99,7 @@ if(WITH_XC_ALL)
     set(WITH_XC_AUTOTYPE ON)
     set(WITH_XC_NETWORKING ON)
     set(WITH_XC_BROWSER ON)
+    set(WITH_XC_BROWSER_PASSKEYS ON)
     set(WITH_XC_YUBIKEY ON)
     set(WITH_XC_SSHAGENT ON)
     set(WITH_XC_KEESHARE ON)
@@ -91,9 +114,14 @@ if(NOT WITH_XC_NETWORKING AND WITH_XC_UPDATECHECK)
     set(WITH_XC_UPDATECHECK OFF)
 endif()
 
+if(UNIX AND NOT APPLE AND NOT WITH_XC_X11)
+    message(STATUS "Disabling WITH_XC_AUTOTYPE because WITH_XC_X11 is disabled")
+    set(WITH_XC_AUTOTYPE OFF)
+endif()
+
 set(KEEPASSXC_VERSION_MAJOR "2")
 set(KEEPASSXC_VERSION_MINOR "7")
-set(KEEPASSXC_VERSION_PATCH "1")
+set(KEEPASSXC_VERSION_PATCH "7")
 set(KEEPASSXC_VERSION "${KEEPASSXC_VERSION_MAJOR}.${KEEPASSXC_VERSION_MINOR}.${KEEPASSXC_VERSION_PATCH}")
 set(OVERRIDE_VERSION "" CACHE STRING "Override the KeePassXC Version for Snapshot builds")
 
@@ -177,6 +205,16 @@ if(${CMAKE_VERSION} VERSION_GREATER_EQUAL "3.14.0")
     check_pie_supported()
 endif()
 
+# Find Botan early since the version affects subsequent compiler options
+find_package(Botan REQUIRED)
+if(BOTAN_VERSION VERSION_GREATER_EQUAL "3.0.0")
+    set(WITH_XC_BOTAN3 TRUE)
+elseif(BOTAN_VERSION VERSION_LESS "2.11.0")
+    # Check for minimum Botan version
+    message(FATAL_ERROR "Botan 2.11.0 or higher is required")   
+endif()
+include_directories(SYSTEM ${BOTAN_INCLUDE_DIR})
+
 # Create position independent code for shared libraries and executables
 set(CMAKE_POSITION_INDEPENDENT_CODE ON)
 
@@ -272,6 +310,10 @@ if(CMAKE_BUILD_TYPE_LOWER STREQUAL "debug")
     check_add_gcc_compiler_flag("-Wshadow-compatible-local")
     check_add_gcc_compiler_flag("-Wshadow-local")
     add_gcc_compiler_flags("-Werror")
+    # This is needed since compiling aginst Botan3 requires compiling against C++20
+    if(WITH_XC_BOTAN3)
+        add_gcc_compiler_cxxflags("-Wno-error=deprecated-enum-enum-conversion -Wno-error=deprecated")
+    endif()
 endif()
 
 if (NOT HAIKU)
@@ -310,14 +352,18 @@ check_add_gcc_compiler_flag("-Wcast-align")
 
 if(UNIX AND NOT APPLE)
     check_add_gcc_compiler_flag("-Qunused-arguments")
-    set(CMAKE_EXE_LINKER_FLAGS "${CMAKE_EXE_LINKER_FLAGS} -Wl,--no-add-needed -Wl,--as-needed -Wl,--no-undefined")
+    set(CMAKE_EXE_LINKER_FLAGS "${CMAKE_EXE_LINKER_FLAGS} -Wl,--as-needed -Wl,--no-undefined")
     set(CMAKE_EXE_LINKER_FLAGS "${CMAKE_EXE_LINKER_FLAGS} -Wl,-z,relro,-z,now -pie")
-    set(CMAKE_MODULE_LINKER_FLAGS "${CMAKE_MODULE_LINKER_FLAGS} -Wl,--no-add-needed -Wl,--as-needed")
+    set(CMAKE_MODULE_LINKER_FLAGS "${CMAKE_MODULE_LINKER_FLAGS} -Wl,--as-needed")
     set(CMAKE_MODULE_LINKER_FLAGS "${CMAKE_MODULE_LINKER_FLAGS} -Wl,-z,relro,-z,now")
 endif()
 
 set(CMAKE_C_STANDARD 99)
-set(CMAKE_CXX_STANDARD 17)
+if(WITH_XC_BOTAN3)
+    set(CMAKE_CXX_STANDARD 20)
+else()
+    set(CMAKE_CXX_STANDARD 17)
+endif()
 set(CMAKE_CXX_STANDARD_REQUIRED ON)
 
 check_cxx_compiler_flag("-fsized-deallocation" CXX_HAS_fsized_deallocation)
@@ -447,17 +493,20 @@ include(CLangFormat)
 
 set(QT_COMPONENTS Core Network Concurrent Gui Svg Widgets Test LinguistTools)
 if(UNIX AND NOT APPLE)
-    find_package(Qt5 COMPONENTS ${QT_COMPONENTS} DBus X11Extras REQUIRED)
+    if(WITH_XC_X11)
+        list(APPEND QT_COMPONENTS X11Extras)
+    endif()
+    find_package(Qt5 COMPONENTS ${QT_COMPONENTS} DBus REQUIRED)
 elseif(APPLE)
     find_package(Qt5 COMPONENTS ${QT_COMPONENTS} REQUIRED HINTS
-            /usr/local/opt/qt/lib/cmake
+            /usr/local/opt/qt@5/lib/cmake
-            /usr/local/Cellar/qt/*/lib/cmake
+            /usr/local/Cellar/qt@5/*/lib/cmake
-            /opt/homebrew/opt/qt/lib/cmake
+            /opt/homebrew/opt/qt@5/lib/cmake
             ENV PATH)
     find_package(Qt5 COMPONENTS MacExtras HINTS
-            /usr/local/opt/qt/lib/cmake
+            /usr/local/opt/qt@5/lib/cmake
-            /usr/local/Cellar/qt/*/lib/cmake
+            /usr/local/Cellar/qt@5/*/lib/cmake
-            /opt/homebrew/opt/qt/lib/cmake
+            /opt/homebrew/opt/qt@5/lib/cmake
             ENV PATH)
 else()
     find_package(Qt5 COMPONENTS ${QT_COMPONENTS} REQUIRED)
@@ -467,7 +516,17 @@ if(Qt5Core_VERSION VERSION_LESS "5.2.0")
     message(FATAL_ERROR "Qt version 5.2.0 or higher is required")
 endif()
 
+# CBOR for Passkeys requires Qt 5.12
+if(Qt5Core_VERSION VERSION_LESS "5.12.0")
+    message(STATUS "Qt version 5.12.0 or higher is required for Passkeys support")
+    set(WITH_XC_BROWSER_PASSKEYS OFF)
+endif()
+
 get_filename_component(Qt5_PREFIX ${Qt5_DIR}/../../.. REALPATH)
+if(APPLE)
+    # Add includes under Qt5 Prefix in case Qt6 is also installed
+    include_directories(SYSTEM ${Qt5_PREFIX}/include)
+endif()
 
 # Process moc automatically
 set(CMAKE_AUTOMOC ON)
@@ -496,12 +555,6 @@ endif()
 # Make sure we don't enable asserts there.
 set_property(DIRECTORY APPEND PROPERTY COMPILE_DEFINITIONS_NONE QT_NO_DEBUG)
 
-# Find Botan2
-find_package(Botan2 REQUIRED)
-if(BOTAN2_VERSION VERSION_LESS "2.11.0")
-    message(FATAL_ERROR "Botan2 2.11.0 or higher is required")
-endif()
-include_directories(SYSTEM ${BOTAN2_INCLUDE_DIR})
 # Find Argon2 -- Botan 2.18 and below does not support threaded Argon2
 find_library(ARGON2_LIBRARIES NAMES argon2)
 find_path(ARGON2_INCLUDE_DIR NAMES argon2.h PATH_SUFFIXES local/include)
@@ -514,9 +567,18 @@ if(ZLIB_VERSION_STRING VERSION_LESS "1.2.0")
 endif()
 include_directories(SYSTEM ${ZLIB_INCLUDE_DIR})
 
+# Find Minizip
+find_package(Minizip REQUIRED)
+
 if(WITH_XC_YUBIKEY)
     find_package(PCSC REQUIRED)
     include_directories(SYSTEM ${PCSC_INCLUDE_DIRS})
+
+    if(UNIX AND NOT APPLE)
+        find_library(LIBUSB_LIBRARIES NAMES usb-1.0 REQUIRED)
+        find_path(LIBUSB_INCLUDE_DIR NAMES libusb.h PATH_SUFFIXES "libusb-1.0" "libusb" REQUIRED)
+        include_directories(SYSTEM ${LIBUSB_INCLUDE_DIR})
+    endif()
 endif()
 
 if(UNIX)

COPYING

@@ -1,5 +1,5 @@
 KeePassXC - http://www.keepassxc.org/
-Copyright (C) 2016-2020 KeePassXC Team <team@keepassxc.org>
+Copyright (C) 2016-2023 KeePassXC Team <team@keepassxc.org>
 
 This program is free software: you can redistribute it and/or modify
 it under the terms of the GNU General Public License as published by
@@ -27,28 +27,24 @@ Copyright: 2010-2012, Felix Geyer <debfx@fobos.de>
            2000-2008, Tom Sato <VEF00200@nifty.ne.jp>
            2013, Laszlo Papp <lpapp@kde.org>
            2013, David Faure <faure@kde.org>
-           2016-2020, KeePassXC Team <team@keepassxc.org>
+           2016-2023, KeePassXC Team <team@keepassxc.org>
 License: GPL-2 or GPL-3
 
 Comment: The "KeePassXC Team" in every copyright notice is formed by the following people:
            - droidmonkey
            - phoerious
-           - TheZ3ro <io@thezero.org>
+           - varjolintu
+           - hifi
            - louib
-           - weslly
          Every other contributor is listed on https://github.com/keepassxreboot/keepassxc/graphs/contributors
 
 Files: cmake/CodeCoverage.cmake
 Copyright: 2012 - 2015, Lars Bilke
 License: BSD-3-clause
 
-Files: cmake/FindYubiKey.cmake
+Files: cmake/FindBotan.cmake
-Copyright: 2014 Kyle Manna <kyle@kylemanna.com>
+Copyright: none
-License: GPL-2 or GPL-3
+License: LGPL-2.1
-
-Files: cmake/FindBotan2.cmake
-Copyright: 2018 Ribose Inc.
-License: BSD-2-clause
 
 Files: cmake/GenerateProductVersion.cmake
 Copyright: 2015 halex2005 <akharlov@gmail.com>
@@ -144,10 +140,23 @@ Files: share/icons/badges/2_Expired.svg
 Copyright: 2022 KeePassXC Team <team@keepassxc.org>
 License: MIT
 
-Files: share/icons/application/scalable/actions/chevron-double-down.svg
+Files: share/icons/application/scalable/actions/application-exit.svg
+       share/icons/application/scalable/actions/attributes-copy.svg
+       share/icons/application/scalable/actions/auto-type.svg
+       share/icons/application/scalable/actions/bitwarden.svg
+       share/icons/application/scalable/actions/bugreport.svg
+       share/icons/application/scalable/actions/chevron-double-down.svg
        share/icons/application/scalable/actions/chevron-double-right.svg
+       share/icons/application/scalable/actions/clipboard-text.svg
+       share/icons/application/scalable/actions/configure.svg
+       share/icons/application/scalable/actions/csv.svg
+       share/icons/application/scalable/actions/database-change-key.svg
        share/icons/application/scalable/actions/database-lock.svg
        share/icons/application/scalable/actions/database-lock-all.svg
+       share/icons/application/scalable/actions/database-merge.svg
+       share/icons/application/scalable/actions/database-search.svg
+       share/icons/application/scalable/actions/dialog-close.svg
+       share/icons/application/scalable/actions/dialog-ok.svg
        share/icons/application/scalable/actions/document-close.svg
        share/icons/application/scalable/actions/document-edit.svg
        share/icons/application/scalable/actions/document-export.svg
@@ -159,43 +168,63 @@ Files: share/icons/application/scalable/actions/chevron-double-down.svg
        share/icons/application/scalable/actions/document-save.svg
        share/icons/application/scalable/actions/document-save-as.svg
        share/icons/application/scalable/actions/document-save-copy.svg
+       share/icons/application/scalable/actions/donate.svg
        share/icons/application/scalable/actions/edit-clear-locationbar-ltr.svg
        share/icons/application/scalable/actions/edit-clear-locationbar-rtl.svg
        share/icons/application/scalable/actions/entry-clone.svg
        share/icons/application/scalable/actions/entry-delete.svg
+       share/icons/application/scalable/actions/entry-restore.svg
        share/icons/application/scalable/actions/entry-edit.svg
        share/icons/application/scalable/actions/entry-new.svg
        share/icons/application/scalable/actions/favicon-download.svg
        share/icons/application/scalable/actions/fingerprint.svg
-       share/icons/application/scalable/actions/group-clone.svg
+       share/icons/application/scalable/actions/getting-started.svg
        share/icons/application/scalable/actions/group-delete.svg
        share/icons/application/scalable/actions/group-edit.svg
+       share/icons/application/scalable/actions/group-clone.svg
        share/icons/application/scalable/actions/group-empty-trash.svg
        share/icons/application/scalable/actions/group-new.svg
        share/icons/application/scalable/actions/hammer-wrench.svg
        share/icons/application/scalable/actions/health.svg
        share/icons/application/scalable/actions/help-about.svg
        share/icons/application/scalable/actions/lock-question.svg
+       share/icons/application/scalable/actions/keyboard-shortcuts.svg
        share/icons/application/scalable/actions/message-close.svg
        share/icons/application/scalable/actions/move-down.svg
        share/icons/application/scalable/actions/move-up.svg
+       share/icons/application/scalable/actions/object-locked.svg
+       share/icons/application/scalable/actions/object-unlocked.svg
+       share/icons/application/scalable/actions/onepassword.svg
        share/icons/application/scalable/actions/paperclip.svg
        share/icons/application/scalable/actions/password-copy.svg
+       share/icons/application/scalable/actions/passkey.svg
        share/icons/application/scalable/actions/password-generator.svg
        share/icons/application/scalable/actions/password-show-off.svg
        share/icons/application/scalable/actions/password-show-on.svg
+       share/icons/application/scalable/actions/qrcode.svg
        share/icons/application/scalable/actions/refresh.svg
        share/icons/application/scalable/actions/reports.svg
        share/icons/application/scalable/actions/reports-exclude.svg
+       share/icons/application/scalable/actions/sort-alphabetical-ascending.svg
+       share/icons/application/scalable/actions/sort-alphabetical-descending.svg
        share/icons/application/scalable/actions/statistics.svg
        share/icons/application/scalable/actions/system-help.svg
        share/icons/application/scalable/actions/system-search.svg
+       share/icons/application/scalable/actions/system-software-update.svg
        share/icons/application/scalable/actions/tag.svg
+       share/icons/application/scalable/actions/tag-multiple.svg
        share/icons/application/scalable/actions/tag-search.svg
+       share/icons/application/scalable/actions/totp.svg
+       share/icons/application/scalable/actions/totp-copy.svg
+       share/icons/application/scalable/actions/totp-copy-password.svg
+       share/icons/application/scalable/actions/totp-edit.svg
        share/icons/application/scalable/actions/trash.svg
        share/icons/application/scalable/actions/url-copy.svg
+       share/icons/application/scalable/actions/user-guide.svg
        share/icons/application/scalable/actions/username-copy.svg
        share/icons/application/scalable/actions/view-history.svg
+       share/icons/application/scalable/actions/web.svg
+       share/icons/application/scalable/actions/yubikey-refresh.svg
        share/icons/application/scalable/apps/internet-web-browser.svg
        share/icons/application/scalable/apps/keepassxc.svg
        share/icons/application/scalable/apps/keepassxc-dark.svg

INSTALL.md

@@ -6,34 +6,21 @@ For more information, see also the [_Building KeePassXC_](https://github.com/kee
 
 The [QuickStart Guide](https://keepassxc.org/docs/KeePassXC_GettingStarted.html) gets you started using KeePassXC on your Windows, macOS, or Linux computer using pre-compiled binaries from the [downloads page](https://keepassxc.org/download).
 
-Build Dependencies
+Toolchain and Build Dependencies
-==================
-
-The following tools must exist within your PATH:
-
-* make
-* cmake (>= 3.3.0)
-* g++ (>= 4.7) or clang++ (>= 6.0)
-* asciidoctor (>= 2.0)
-
-The following libraries are required:
-
-* Qt 5 (>= 5.9.5): qtbase5, qtbase5-private, libqt5svg5, qttools5, qt5-image-formats-plugins
-* botan (>= 2.12)
-* libargon2
-* zlib
-* minizip
-* readline (for completion in cli)
-* qtx11extras, libxi, and libxtst (for auto-type on X11)
-* qrencode
-* libusb-1.0, pcsc-lite (for Yubikey support on Linux)
-
-Prepare the Building Environment
 ================================
 
-* [Building Environment on Linux](https://github.com/keepassxreboot/keepassxc/wiki/Set-up-Build-Environment-on-Linux)
+The following build tools must exist within your PATH:
-* [Building Environment on Windows](https://github.com/keepassxreboot/keepassxc/wiki/Set-up-Build-Environment-on-Windows)
+
-* [Building Environment on MacOS](https://github.com/keepassxreboot/keepassxc/wiki/Set-up-Build-Environment-on-macOS)
+* cmake (>= 3.10.0)
+* make (>= 4.2) or ninja (>= 1.10)
+* g++ (>= 4.9) or clang++ (>= 6.0)
+* asciidoctor (>= 2.0)
+
+* Besides a working C++ toolchain, KeePassXC also has a number of direct build and runtime dependencies. For detailed information about how to install them, please refer to the GitHub wiki:
+
+* [Set up Build Environment on Linux](https://github.com/keepassxreboot/keepassxc/wiki/Set-up-Build-Environment-on-Linux)
+* [Set up Build Environment on Windows](https://github.com/keepassxreboot/keepassxc/wiki/Set-up-Build-Environment-on-Windows)
+* [Set up Build Environment on macOS](https://github.com/keepassxreboot/keepassxc/wiki/Set-up-Build-Environment-on-macOS)
 
 Build Steps
 ===========
@@ -57,13 +44,13 @@ To compile from source, open a **Terminal (Linux/MacOS)**, the **MSVC Tools Comm
    git pull
    ```
 
-   For a stable build, it is recommended to check out the master branch.
+   For a stable build, it is recommended to check out the `latest` tag.
 
    ```
-   git checkout master
+   git checkout latest
    ```
 
-2. Navigate to the directory where you have downloaded KeePassXC and type these commands:
+2. Navigate to the directory where you have downloaded KeePassXC and run:
 
    ```
    mkdir build
@@ -72,39 +59,36 @@ To compile from source, open a **Terminal (Linux/MacOS)**, the **MSVC Tools Comm
    make
    ```
       
-Note: These steps place the compiled KeePassXC binary inside the `./build/src/` directory.
+If you have `vcpkg` installed, add `-DCMAKE_TOOLCHAIN_FILE=${VCPKG_ROOT}/scripts/buildsystems/vcpkg.cmake` to the `cmake` command to automatically download and install all required build and runtime dependencies locally to your build directory before compiling KeePassXC. Using `vcpkg` is the preferred way to install dependencies on macOS and required on Windows if using the MSVC toolchain.
+
+For more detailed build instructions for each platform, please refer to the [GitHub wiki](https://github.com/keepassxreboot/keepassxc/wiki/Building-KeePassXC).
+
+Note: These steps place the compiled KeePassXC binary inside the `./build/src/` directory (`src/KeePassXC.app/Contents/MacOS` on macOS).
 
 ## MacOS Build Notes
 
-If you installed Qt5 via Homebrew, you should be able to compile KeePassXC without any changes. If CMake fails to find your Qt installation, you can specify it manually by adding the following parameter:
+If you installed Qt5 via Homebrew and CMake fails to find your Qt installation, you can specify it manually by adding the following parameter:
 
-`-DCMAKE_PREFIX_PATH=/usr/local/opt/qt/lib/cmake`
+`-DCMAKE_PREFIX_PATH=$(brew --prefix qt5)/lib/cmake`
-
-(or whatever your Qt installation path is)
 
 When building with ASAN support on macOS, you need to use `export ASAN_OPTIONS=detect_leaks=0` before running the tests (LSAN is no supported on macOS).
 
 ## Windows Build Notes
 
-For detailed build steps see the [Windows Build Instructions](https://github.com/keepassxreboot/keepassxc/wiki/Building-KeePassXC#windows).
-
-If you are using MSVC, you may have to specify your Vcpkg toolchain by adding the following CMake parameter: `-DCMAKE_TOOLCHAIN_FILE=C:\vcpkg\scripts\buildsystems\vcpkg.cmake`
-
 If you are using MSYS2, you have to add ```-G "MSYS Makefiles"``` at the beginning of the cmake command.
 
 CMake Configuration Options
 ==========================
 
-## Common Parameters
+## Recommended CMake Build Parameters
 
 ```
--DCMAKE_INSTALL_PREFIX=/usr/local
 -DCMAKE_VERBOSE_MAKEFILE=ON
 -DCMAKE_BUILD_TYPE=<RelWithDebInfo/Debug/Release>
 -DWITH_GUI_TESTS=ON
 ```
 
-## KeePassXC Parameters
+## Additional CMake Parameters
 
 KeePassXC comes with a variety of build options that can turn on/off features. Most notably, we allow you to build the application with all TCP/IP networking code disabled. Please note that we still require and link against Qt5's network library in order to use local named pipes on all operating systems. Each of these build options are supplied at the time of calling cmake:
 
@@ -112,6 +96,7 @@ KeePassXC comes with a variety of build options that can turn on/off features. M
 -DWITH_XC_AUTOTYPE=[ON|OFF] Enable/Disable Auto-Type (default: ON)
 -DWITH_XC_YUBIKEY=[ON|OFF] Enable/Disable YubiKey HMAC-SHA1 authentication support (default: OFF)
 -DWITH_XC_BROWSER=[ON|OFF] Enable/Disable KeePassXC-Browser extension support (default: OFF)
+-DWITH_XC_BROWSER_PASSKEYS=[ON|OFF] Enable/Disable Passkeys support for browser integration (default: OFF)
 -DWITH_XC_NETWORKING=[ON|OFF] Enable/Disable Networking support (e.g., favicon downloading) (default: OFF)
 -DWITH_XC_SSHAGENT=[ON|OFF] Enable/Disable SSHAgent support (default: OFF)
 -DWITH_XC_FDOSECRETS=[ON|OFF] (Linux Only) Enable/Disable Freedesktop.org Secrets Service support (default:OFF)

README.md

@@ -35,7 +35,7 @@ KeePassXC has numerous features for novice and power users alike. Our goal is to
 * Command line interface (keepassxc-cli)
 * Auto-Open databases
 * KeeShare shared databases (import, export, and synchronize)
-* SSH Agent
+* SSH Agent integration
 * FreeDesktop.org Secret Service (replace Gnome keyring, etc.)
 * Additional encryption choices: Twofish and ChaCha20
 

cmake/FindBotan.cmake

@@ -0,0 +1,65 @@
+# - Find botan
+# Find the botan cryptographic library
+#
+# This module defines the following variables:
+#   BOTAN_FOUND  -  True if library and include directory are found
+# If set to TRUE, the following are also defined:
+#   BOTAN_INCLUDE_DIRS  -  The directory where to find the header file
+#   BOTAN_LIBRARIES  -  Where to find the library files
+#
+# This file is in the public domain (https://github.com/vistle/vistle/blob/master/cmake/Modules/FindBOTAN.cmake)
+
+include(FindPackageHandleStandardArgs)
+
+set(BOTAN_VERSIONS botan-3 botan-2)
+set(BOTAN_NAMES botan-3 botan-2 botan)
+set(BOTAN_NAMES_DEBUG botand-3 botand-2 botand botan botan-3)
+
+find_path(
+    BOTAN_INCLUDE_DIR
+    NAMES botan/build.h
+    PATH_SUFFIXES ${BOTAN_VERSIONS}
+    DOC "The Botan include directory")
+if(BOTAN_INCLUDE_DIR)
+    file(READ "${BOTAN_INCLUDE_DIR}/botan/build.h" build)
+    string(REGEX MATCH "BOTAN_VERSION_MAJOR ([0-9]*)" _ ${build})
+    set(BOTAN_VERSION_MAJOR ${CMAKE_MATCH_1})
+    string(REGEX MATCH "BOTAN_VERSION_MINOR ([0-9]*)" _ ${build})
+    set(BOTAN_VERSION_MINOR ${CMAKE_MATCH_1})
+    string(REGEX MATCH "BOTAN_VERSION_PATCH ([0-9]*)" _ ${build})
+    set(BOTAN_VERSION_PATCH ${CMAKE_MATCH_1})
+    set(BOTAN_VERSION "${BOTAN_VERSION_MAJOR}.${BOTAN_VERSION_MINOR}.${BOTAN_VERSION_PATCH}")
+endif()
+
+find_library(
+    BOTAN_LIBRARY
+    NAMES ${BOTAN_NAMES}
+    PATH_SUFFIXES release/lib lib
+    DOC "The Botan (release) library")
+if(MSVC)
+    find_library(
+        BOTAN_LIBRARY_DEBUG
+        NAMES ${BOTAN_NAMES_DEBUG}
+        PATH_SUFFIXES debug/lib lib
+        DOC "The Botan debug library")
+    find_package_handle_standard_args(
+        Botan
+        REQUIRED_VARS BOTAN_LIBRARY BOTAN_LIBRARY_DEBUG BOTAN_INCLUDE_DIR
+        VERSION_VAR BOTAN_VERSION)
+else()
+    find_package_handle_standard_args(
+        Botan
+        REQUIRED_VARS BOTAN_LIBRARY BOTAN_INCLUDE_DIR
+        VERSION_VAR BOTAN_VERSION)
+endif()
+
+if(BOTAN_FOUND)
+    set(BOTAN_INCLUDE_DIRS ${BOTAN_INCLUDE_DIR})
+    if(MSVC)
+        set(BOTAN_LIBRARIES optimized ${BOTAN_LIBRARY} debug ${BOTAN_LIBRARY_DEBUG})
+    else()
+        set(BOTAN_LIBRARIES ${BOTAN_LIBRARY})
+    endif()
+endif()
+
+mark_as_advanced(BOTAN_INCLUDE_DIR BOTAN_LIBRARY BOTAN_LIBRARY_DEBUG)

cmake/FindBotan2.cmake

@@ -1,106 +0,0 @@
-# Copyright (c) 2018 Ribose Inc.
-# All rights reserved.
-#
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions
-# are met:
-# 1. Redistributions of source code must retain the above copyright
-#    notice, this list of conditions and the following disclaimer.
-# 2. Redistributions in binary form must reproduce the above copyright
-#    notice, this list of conditions and the following disclaimer in the
-#    documentation and/or other materials provided with the distribution.
-#
-# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
-# ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
-# TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDERS OR CONTRIBUTORS
-# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
-# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
-# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
-# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
-# POSSIBILITY OF SUCH DAMAGE.
-
-#.rst:
-# FindBotan2
-# -----------
-#
-# Find the botan-2 library.
-#
-# IMPORTED Targets
-# ^^^^^^^^^^^^^^^^
-#
-# This module defines :prop_tgt:`IMPORTED` targets:
-#
-# ``Botan2::Botan2``
-#   The botan-2 library, if found.
-#
-# Result variables
-# ^^^^^^^^^^^^^^^^
-#
-# This module defines the following variables:
-#
-# ::
-#
-#   BOTAN2_FOUND          - true if the headers and library were found
-#   BOTAN2_INCLUDE_DIRS   - where to find headers
-#   BOTAN2_LIBRARIES      - list of libraries to link
-#   BOTAN2_VERSION        - library version that was found, if any
-
-# find the headers
-find_path(BOTAN2_INCLUDE_DIR
-  NAMES botan/version.h
-  PATH_SUFFIXES botan-2
-)
-
-# find the library
-find_library(BOTAN2_LIBRARY NAMES botan-2 libbotan-2 botan)
-
-# determine the version
-if(BOTAN2_INCLUDE_DIR AND EXISTS "${BOTAN2_INCLUDE_DIR}/botan/build.h")
-    file(STRINGS "${BOTAN2_INCLUDE_DIR}/botan/build.h" botan2_version_str
-      REGEX "^#define[\t ]+(BOTAN_VERSION_[A-Z]+)[\t ]+[0-9]+")
-
-    string(REGEX REPLACE ".*#define[\t ]+BOTAN_VERSION_MAJOR[\t ]+([0-9]+).*"
-           "\\1" _botan2_version_major "${botan2_version_str}")
-    string(REGEX REPLACE ".*#define[\t ]+BOTAN_VERSION_MINOR[\t ]+([0-9]+).*"
-           "\\1" _botan2_version_minor "${botan2_version_str}")
-    string(REGEX REPLACE ".*#define[\t ]+BOTAN_VERSION_PATCH[\t ]+([0-9]+).*"
-           "\\1" _botan2_version_patch "${botan2_version_str}")
-    set(BOTAN2_VERSION "${_botan2_version_major}.${_botan2_version_minor}.${_botan2_version_patch}"
-                       CACHE INTERNAL "The version of Botan which was detected")
-endif()
-
-include(FindPackageHandleStandardArgs)
-find_package_handle_standard_args(Botan2
-  REQUIRED_VARS BOTAN2_LIBRARY BOTAN2_INCLUDE_DIR
-  VERSION_VAR BOTAN2_VERSION
-)
-
-if(BOTAN2_FOUND)
-  set(BOTAN2_INCLUDE_DIRS ${BOTAN2_INCLUDE_DIR} ${PC_BOTAN2_INCLUDE_DIRS})
-  set(BOTAN2_LIBRARIES ${BOTAN2_LIBRARY})
-endif()
-
-if(BOTAN2_FOUND AND NOT TARGET Botan2::Botan2)
-  # create the new library target
-  add_library(Botan2::Botan2 UNKNOWN IMPORTED)
-  # set the required include dirs for the target
-  if(BOTAN2_INCLUDE_DIRS)
-    set_target_properties(Botan2::Botan2
-      PROPERTIES
-        INTERFACE_INCLUDE_DIRECTORIES "${BOTAN2_INCLUDE_DIRS}"
-    )
-  endif()
-  # set the required libraries for the target
-  if(EXISTS "${BOTAN2_LIBRARY}")
-    set_target_properties(Botan2::Botan2
-      PROPERTIES
-        IMPORTED_LINK_INTERFACE_LANGUAGES "C"
-        IMPORTED_LOCATION "${BOTAN2_LIBRARY}"
-    )
-  endif()
-endif()
-
-mark_as_advanced(BOTAN2_INCLUDE_DIR BOTAN2_LIBRARY)

cmake/FindQREncode.cmake

@@ -15,12 +15,12 @@
 
 find_path(QRENCODE_INCLUDE_DIR NAMES qrencode.h)
 
-if (VCPKG_INSTALLED_DIR)
+if(WIN32 AND MSVC)
-    find_library(QRENCODE_LIBRARY_RELEASE qrencode)
+	find_library(QRENCODE_LIBRARY_RELEASE qrencode)
-    find_library(QRENCODE_LIBRARY_DEBUG qrencoded)
+	find_library(QRENCODE_LIBRARY_DEBUG qrencoded)
-    set(QRENCODE_LIBRARY optimized ${QRENCODE_LIBRARY_RELEASE} debug ${QRENCODE_LIBRARY_DEBUG})
+	set(QRENCODE_LIBRARY optimized ${QRENCODE_LIBRARY_RELEASE} debug ${QRENCODE_LIBRARY_DEBUG})
 else()
-    find_library(QRENCODE_LIBRARY qrencode)
+	find_library(QRENCODE_LIBRARY qrencode)
 endif()
 
 mark_as_advanced(QRENCODE_LIBRARY QRENCODE_INCLUDE_DIR)

cmake/compiler-checks/macos/control_biometry_support.mm

@@ -0,0 +1,5 @@
+#include <Security/Security.h>
+
+int main() {
+   return static_cast<int>(kSecAccessControlBiometryCurrentSet);
+}

cmake/compiler-checks/macos/control_touch_id_support.mm

@@ -0,0 +1,5 @@
+#include <Security/Security.h>
+
+int main() {
+   return static_cast<int>(kSecAccessControlTouchIDCurrentSet);
+}

cmake/compiler-checks/macos/control_watch_support.mm

@@ -0,0 +1,5 @@
+#include <Security/Security.h>
+
+int main() {
+   return static_cast<int>(kSecAccessControlWatch);
+}

docs/FuzzTest.md

@@ -19,7 +19,7 @@ Optionally, build AFL from source:
 
 ## Building KeePassXC For Fuzzing
 
-A special "instrumented build" is used that allows the fuzzer to look into the program as it executes. We place it in its own build directory so it doesn't confused with the production build.
+A special "instrumented build" is used that allows the fuzzer to look into the program as it executes. We place it in its own build directory so it doesn't get confused with the production build.
 
     $ cd your_keepassxc_source_directory
     $ mkdir buildafl

docs/UserGuide.adoc

@@ -29,6 +29,8 @@ include::topics/PasswordGenerator.adoc[tags=*]
 
 include::topics/BrowserPlugin.adoc[tags=*]
 
+include::topics/Passkeys.adoc[tags=*]
+
 include::topics/AutoType.adoc[tags=*]
 
 include::topics/KeeShare.adoc[tags=*]