Update translations

Attack - KeeShare attachments can be inferred because of attachment de-duplication.

Solution - Prevent de-duplication of normal database entry attachments with those entry attachments synchronized/associated with a KeeShare database. This is done using the KeeShare database UUID injected into the hash calculation of the attachment prior to de-dupe. The attachments themselves are not modified in any way.

--------

Attack - Side channel byte-by-byte inference due to compression de-duplication of data between a KeeShare database and it's parent.

Solution - Generate a random array between 64 and 512 bytes, convert to hex, and store in the database custom data.

--------

Attack vector assumptions:
1. Compression is enabled
2. The attacker has access to a KeeShare database actively syncing with the victim's database
3. The victim's database is unlocked and syncing
4. The attacker can see the exact size of the victim's database after saving, and syncing, the KeeShare database

Thank you to Andrés Fábrega from Cornell University for theorizing and informing us of this attack vector.

.gitignore

@@ -25,4 +25,8 @@ desktop.ini
 CMakeSettings.json
 CMakePresets.json
 .vs/
-out/
+out/
+
+# vcpkg
+vcpkg_installed*/
+

CHANGELOG.md

@@ -1,5 +1,55 @@
 # Changelog
 
+## 2.7.7 (2024-03-09)
+
+### Changes
+- Support USB Hotplug for Hardware Key interface [#10092]
+- Support 1PUX and Bitwarden import [#9815]
+- Browser: Add support for PassKeys [#8825, #9987, #10318]
+- Build System: Move to vcpkg manifest mode [#10088]
+
+### Fixes
+- Fix multiple TOTP issues [#9874]
+- Fix focus loss on save when the editor is not visible anymore [#10075]
+- Fix visual when removing entry from history [#9947]
+- Fix first entry is not selected when a search is performed [#9868]
+- Prevent scrollbars on entry drag/drop [#9747]
+- Prevent duplicate characters in "Also choose from" field of password generator  [#9803]
+- Security: Prevent byte-by-byte and attachment inference side channel attacks [#10266]
+- Browser: Fix raising Update Entry messagebox [#9853]
+- Browser: Fix bugs when returning credentials [#9136]
+- Browser: Fix crash on database open from browser [#9939]
+- Browser: Fix support for referenced URL fields [#8788]
+- MacOS: Fix crash when changing highlight/accent color [#10348]
+- MacOS: Fix TouchID appearing even though lid is closed [#10092]
+- Windows: Fix terminating KeePassXC processes with MSI installer [#9822]
+- FdoSecrets: Fix database merge crash when enabled [#10136]
+
+## 2.7.6 (2023-08-15)
+
+### Changes
+- Significant improvement to visual when drag/drop entries [#9698]
+- Automatically prompt for Quick Unlock when showing unlock dialog [#9697]
+- Improve colorful lock icon and fix file MIME icon on KDE [#9632]
+- Ability to search by entry UUID [#9571]
+- Add challenge-response support for NitroKey 3 [#9631]
+- Auto-Type: Disable entry level Auto-Type when disabled at group/entry [#9672]
+- Browser: Show warning when adding duplicate URL's to entry [#9588][#9635]
+- Browser: Improve error message when proxy cannot be found [#9385]
+
+### Fixes
+- Fix crash on exit on macOS [#9620]
+- Fix crash on search if entry doesn't have a group [#9633]
+- Fix several issues with Quick Unlock [#9697]
+- Enable save button when not auto-saving non-data changes [#9634]
+- Several UI/UX fixes [#9647]
+- Move toolbar back to top of window when disabling movement [#9699]
+- Browser: Fix closing password generator dialog with X button [#9636]
+- Browser: Fix handling of expired credentials [#9595]
+- Windows: Prevent white flicker when launching application [#9637]
+- Linux: Fix warning message about allow screencapture [#9638]
+- FdoSecrets: Fix access confirmation dialog showing even when disabled [#9690]
+
 ## 2.7.5 (2023-05-14)
 
 ### Changes

CMakeLists.txt

@@ -14,7 +14,7 @@
 #  You should have received a copy of the GNU General Public License
 #  along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
-cmake_minimum_required(VERSION 3.3.0)
+cmake_minimum_required(VERSION 3.10.0)
 
 project(KeePassXC)
 set(APP_ID "org.keepassxc.${PROJECT_NAME}")
@@ -53,6 +53,7 @@ set(WITH_XC_ALL OFF CACHE BOOL "Build in all available plugins")
 option(WITH_XC_AUTOTYPE "Include Auto-Type." ON)
 option(WITH_XC_NETWORKING "Include networking code (e.g. for downloading website icons)." OFF)
 option(WITH_XC_BROWSER "Include browser integration with keepassxc-browser." OFF)
+option(WITH_XC_BROWSER_PASSKEYS "Passkeys support for browser integration." OFF)
 option(WITH_XC_YUBIKEY "Include YubiKey support." OFF)
 option(WITH_XC_SSHAGENT "Include SSH agent support." OFF)
 option(WITH_XC_KEESHARE "Sharing integration with KeeShare" OFF)
@@ -98,6 +99,7 @@ if(WITH_XC_ALL)
     set(WITH_XC_AUTOTYPE ON)
     set(WITH_XC_NETWORKING ON)
     set(WITH_XC_BROWSER ON)
+    set(WITH_XC_BROWSER_PASSKEYS ON)
     set(WITH_XC_YUBIKEY ON)
     set(WITH_XC_SSHAGENT ON)
     set(WITH_XC_KEESHARE ON)
@@ -119,7 +121,7 @@ endif()
 
 set(KEEPASSXC_VERSION_MAJOR "2")
 set(KEEPASSXC_VERSION_MINOR "7")
-set(KEEPASSXC_VERSION_PATCH "5")
+set(KEEPASSXC_VERSION_PATCH "7")
 set(KEEPASSXC_VERSION "${KEEPASSXC_VERSION_MAJOR}.${KEEPASSXC_VERSION_MINOR}.${KEEPASSXC_VERSION_PATCH}")
 set(OVERRIDE_VERSION "" CACHE STRING "Override the KeePassXC Version for Snapshot builds")
 
@@ -514,6 +516,12 @@ if(Qt5Core_VERSION VERSION_LESS "5.2.0")
     message(FATAL_ERROR "Qt version 5.2.0 or higher is required")
 endif()
 
+# CBOR for Passkeys requires Qt 5.12
+if(Qt5Core_VERSION VERSION_LESS "5.12.0")
+    message(STATUS "Qt version 5.12.0 or higher is required for Passkeys support")
+    set(WITH_XC_BROWSER_PASSKEYS OFF)
+endif()
+
 get_filename_component(Qt5_PREFIX ${Qt5_DIR}/../../.. REALPATH)
 if(APPLE)
     # Add includes under Qt5 Prefix in case Qt6 is also installed
@@ -559,9 +567,18 @@ if(ZLIB_VERSION_STRING VERSION_LESS "1.2.0")
 endif()
 include_directories(SYSTEM ${ZLIB_INCLUDE_DIR})
 
+# Find Minizip
+find_package(Minizip REQUIRED)
+
 if(WITH_XC_YUBIKEY)
     find_package(PCSC REQUIRED)
     include_directories(SYSTEM ${PCSC_INCLUDE_DIRS})
+
+    if(UNIX AND NOT APPLE)
+        find_library(LIBUSB_LIBRARIES NAMES usb-1.0 REQUIRED)
+        find_path(LIBUSB_INCLUDE_DIR NAMES libusb.h PATH_SUFFIXES "libusb-1.0" "libusb" REQUIRED)
+        include_directories(SYSTEM ${LIBUSB_INCLUDE_DIR})
+    endif()
 endif()
 
 if(UNIX)

COPYING

@@ -1,5 +1,5 @@
 KeePassXC - http://www.keepassxc.org/
-Copyright (C) 2016-2020 KeePassXC Team <team@keepassxc.org>
+Copyright (C) 2016-2023 KeePassXC Team <team@keepassxc.org>
 
 This program is free software: you can redistribute it and/or modify
 it under the terms of the GNU General Public License as published by
@@ -143,11 +143,13 @@ License: MIT
 Files: share/icons/application/scalable/actions/application-exit.svg
        share/icons/application/scalable/actions/attributes-copy.svg
        share/icons/application/scalable/actions/auto-type.svg
+       share/icons/application/scalable/actions/bitwarden.svg
        share/icons/application/scalable/actions/bugreport.svg
        share/icons/application/scalable/actions/chevron-double-down.svg
        share/icons/application/scalable/actions/chevron-double-right.svg
        share/icons/application/scalable/actions/clipboard-text.svg
        share/icons/application/scalable/actions/configure.svg
+       share/icons/application/scalable/actions/csv.svg
        share/icons/application/scalable/actions/database-change-key.svg
        share/icons/application/scalable/actions/database-lock.svg
        share/icons/application/scalable/actions/database-lock-all.svg
@@ -192,8 +194,10 @@ Files: share/icons/application/scalable/actions/application-exit.svg
        share/icons/application/scalable/actions/move-up.svg
        share/icons/application/scalable/actions/object-locked.svg
        share/icons/application/scalable/actions/object-unlocked.svg
+       share/icons/application/scalable/actions/onepassword.svg
        share/icons/application/scalable/actions/paperclip.svg
        share/icons/application/scalable/actions/password-copy.svg
+       share/icons/application/scalable/actions/passkey.svg
        share/icons/application/scalable/actions/password-generator.svg
        share/icons/application/scalable/actions/password-show-off.svg
        share/icons/application/scalable/actions/password-show-on.svg
@@ -220,6 +224,7 @@ Files: share/icons/application/scalable/actions/application-exit.svg
        share/icons/application/scalable/actions/username-copy.svg
        share/icons/application/scalable/actions/view-history.svg
        share/icons/application/scalable/actions/web.svg
+       share/icons/application/scalable/actions/yubikey-refresh.svg
        share/icons/application/scalable/apps/internet-web-browser.svg
        share/icons/application/scalable/apps/keepassxc.svg
        share/icons/application/scalable/apps/keepassxc-dark.svg

INSTALL.md

@@ -6,34 +6,21 @@ For more information, see also the [_Building KeePassXC_](https://github.com/kee
 
 The [QuickStart Guide](https://keepassxc.org/docs/KeePassXC_GettingStarted.html) gets you started using KeePassXC on your Windows, macOS, or Linux computer using pre-compiled binaries from the [downloads page](https://keepassxc.org/download).
 
-Build Dependencies
-==================
-
-The following tools must exist within your PATH:
-
-* make
-* cmake (>= 3.3.0)
-* g++ (>= 4.7) or clang++ (>= 6.0)
-* asciidoctor (>= 2.0)
-
-The following libraries are required:
-
-* Qt 5 (>= 5.9.5): qtbase5, qtbase5-private, libqt5svg5, qttools5, qt5-image-formats-plugins
-* botan (>= 2.12)
-* libargon2
-* zlib
-* minizip
-* readline (for completion in cli)
-* qtx11extras, libxi, and libxtst (for auto-type on X11)
-* qrencode
-* libusb-1.0, pcsc-lite (for Yubikey support on Linux)
-
-Prepare the Building Environment
+Toolchain and Build Dependencies
 ================================
 
-* [Building Environment on Linux](https://github.com/keepassxreboot/keepassxc/wiki/Set-up-Build-Environment-on-Linux)
-* [Building Environment on Windows](https://github.com/keepassxreboot/keepassxc/wiki/Set-up-Build-Environment-on-Windows)
-* [Building Environment on MacOS](https://github.com/keepassxreboot/keepassxc/wiki/Set-up-Build-Environment-on-macOS)
+The following build tools must exist within your PATH:
+
+* cmake (>= 3.10.0)
+* make (>= 4.2) or ninja (>= 1.10)
+* g++ (>= 4.9) or clang++ (>= 6.0)
+* asciidoctor (>= 2.0)
+
+* Besides a working C++ toolchain, KeePassXC also has a number of direct build and runtime dependencies. For detailed information about how to install them, please refer to the GitHub wiki:
+
+* [Set up Build Environment on Linux](https://github.com/keepassxreboot/keepassxc/wiki/Set-up-Build-Environment-on-Linux)
+* [Set up Build Environment on Windows](https://github.com/keepassxreboot/keepassxc/wiki/Set-up-Build-Environment-on-Windows)
+* [Set up Build Environment on macOS](https://github.com/keepassxreboot/keepassxc/wiki/Set-up-Build-Environment-on-macOS)
 
 Build Steps
 ===========
@@ -63,7 +50,7 @@ To compile from source, open a **Terminal (Linux/MacOS)**, the **MSVC Tools Comm
    git checkout latest
    ```
 
-2. Navigate to the directory where you have downloaded KeePassXC and type these commands:
+2. Navigate to the directory where you have downloaded KeePassXC and run:
 
    ```
    mkdir build
@@ -71,40 +58,37 @@ To compile from source, open a **Terminal (Linux/MacOS)**, the **MSVC Tools Comm
    cmake -DWITH_XC_ALL=ON ..
    make
    ```
+      
+If you have `vcpkg` installed, add `-DCMAKE_TOOLCHAIN_FILE=${VCPKG_ROOT}/scripts/buildsystems/vcpkg.cmake` to the `cmake` command to automatically download and install all required build and runtime dependencies locally to your build directory before compiling KeePassXC. Using `vcpkg` is the preferred way to install dependencies on macOS and required on Windows if using the MSVC toolchain.
 
-Note: These steps place the compiled KeePassXC binary inside the `./build/src/` directory.
+For more detailed build instructions for each platform, please refer to the [GitHub wiki](https://github.com/keepassxreboot/keepassxc/wiki/Building-KeePassXC).
+
+Note: These steps place the compiled KeePassXC binary inside the `./build/src/` directory (`src/KeePassXC.app/Contents/MacOS` on macOS).
 
 ## MacOS Build Notes
 
-If you installed Qt5 via Homebrew, you should be able to compile KeePassXC without any changes. If CMake fails to find your Qt installation, you can specify it manually by adding the following parameter:
+If you installed Qt5 via Homebrew and CMake fails to find your Qt installation, you can specify it manually by adding the following parameter:
 
 `-DCMAKE_PREFIX_PATH=$(brew --prefix qt5)/lib/cmake`
 
-(or whatever your Qt installation path is)
-
 When building with ASAN support on macOS, you need to use `export ASAN_OPTIONS=detect_leaks=0` before running the tests (LSAN is no supported on macOS).
 
 ## Windows Build Notes
 
-For detailed build steps see the [Windows Build Instructions](https://github.com/keepassxreboot/keepassxc/wiki/Building-KeePassXC#windows).
-
-If you are using MSVC, you may have to specify your Vcpkg toolchain by adding the following CMake parameter: `-DCMAKE_TOOLCHAIN_FILE=C:\vcpkg\scripts\buildsystems\vcpkg.cmake`
-
 If you are using MSYS2, you have to add ```-G "MSYS Makefiles"``` at the beginning of the cmake command.
 
 CMake Configuration Options
 ==========================
 
-## Common Parameters
+## Recommended CMake Build Parameters
 
 ```
--DCMAKE_INSTALL_PREFIX=$(brew --prefix)
 -DCMAKE_VERBOSE_MAKEFILE=ON
 -DCMAKE_BUILD_TYPE=<RelWithDebInfo/Debug/Release>
 -DWITH_GUI_TESTS=ON
 ```
 
-## KeePassXC Parameters
+## Additional CMake Parameters
 
 KeePassXC comes with a variety of build options that can turn on/off features. Most notably, we allow you to build the application with all TCP/IP networking code disabled. Please note that we still require and link against Qt5's network library in order to use local named pipes on all operating systems. Each of these build options are supplied at the time of calling cmake:
 
@@ -112,6 +96,7 @@ KeePassXC comes with a variety of build options that can turn on/off features. M
 -DWITH_XC_AUTOTYPE=[ON|OFF] Enable/Disable Auto-Type (default: ON)
 -DWITH_XC_YUBIKEY=[ON|OFF] Enable/Disable YubiKey HMAC-SHA1 authentication support (default: OFF)
 -DWITH_XC_BROWSER=[ON|OFF] Enable/Disable KeePassXC-Browser extension support (default: OFF)
+-DWITH_XC_BROWSER_PASSKEYS=[ON|OFF] Enable/Disable Passkeys support for browser integration (default: OFF)
 -DWITH_XC_NETWORKING=[ON|OFF] Enable/Disable Networking support (e.g., favicon downloading) (default: OFF)
 -DWITH_XC_SSHAGENT=[ON|OFF] Enable/Disable SSHAgent support (default: OFF)
 -DWITH_XC_FDOSECRETS=[ON|OFF] (Linux Only) Enable/Disable Freedesktop.org Secrets Service support (default:OFF)

cmake/FindBotan.cmake

@@ -13,7 +13,7 @@ include(FindPackageHandleStandardArgs)
 
 set(BOTAN_VERSIONS botan-3 botan-2)
 set(BOTAN_NAMES botan-3 botan-2 botan)
-set(BOTAN_NAMES_DEBUG botand-3 botand-2 botand botan)
+set(BOTAN_NAMES_DEBUG botand-3 botand-2 botand botan botan-3)
 
 find_path(
     BOTAN_INCLUDE_DIR

cmake/FindQREncode.cmake

@@ -15,12 +15,12 @@
 
 find_path(QRENCODE_INCLUDE_DIR NAMES qrencode.h)
 
-if (VCPKG_INSTALLED_DIR)
-    find_library(QRENCODE_LIBRARY_RELEASE qrencode)
-    find_library(QRENCODE_LIBRARY_DEBUG qrencoded)
-    set(QRENCODE_LIBRARY optimized ${QRENCODE_LIBRARY_RELEASE} debug ${QRENCODE_LIBRARY_DEBUG})
+if(WIN32 AND MSVC)
+	find_library(QRENCODE_LIBRARY_RELEASE qrencode)
+	find_library(QRENCODE_LIBRARY_DEBUG qrencoded)
+	set(QRENCODE_LIBRARY optimized ${QRENCODE_LIBRARY_RELEASE} debug ${QRENCODE_LIBRARY_DEBUG})
 else()
-    find_library(QRENCODE_LIBRARY qrencode)
+	find_library(QRENCODE_LIBRARY qrencode)
 endif()
 
 mark_as_advanced(QRENCODE_LIBRARY QRENCODE_INCLUDE_DIR)

docs/UserGuide.adoc

@@ -29,6 +29,8 @@ include::topics/PasswordGenerator.adoc[tags=*]
 
 include::topics/BrowserPlugin.adoc[tags=*]
 
+include::topics/Passkeys.adoc[tags=*]
+
 include::topics/AutoType.adoc[tags=*]
 
 include::topics/KeeShare.adoc[tags=*]

docs/topics/DatabaseOperations.adoc

@@ -61,7 +61,7 @@ image::database_view.png[]
 === Quick Unlock
 On Windows and macOS, subject to hardware availability, your credentials can be securely stored to enable subsequent unlocking of your database through biometric authentication. This is enabled by default on Windows using _Windows Hello_ and on macOS using _Touch ID or Apple Watch_ services. You can disable this feature in the Application Settings under the Security section.
 
-NOTE: On Windows you will be prompted to authenticate to Windows Hello on the initial database unlock. This is required to access the hardware certificate store that encrypts your credentials.
+NOTE: On Windows, you will be prompted to authenticate to Windows Hello after unlocking your database with full credentials. This is required to setup Quick Unlock. If you cancel this prompt then Quick Unlock will not be enabled and your database will continue to unlock.
 
 .Windows Hello example
 image::quick_unlock_windows_hello.png[]

docs/topics/Disclaimers.adoc

@@ -21,12 +21,3 @@ Special, incidental or consequential damages arising out of the use or inability
 Limited to loss of data or data being rendered inaccurate or losses sustained by you or third parties or a failure of
 The program to operate with any other programs), even if such holder or other party has been advised of the possibility
 Of such damages.
-
-== Contact Us
-
-We are committed to continually improve KeePassXC through customer experience and your feedback is important to us.
-Please send us your feedback or comments to team@keepassxc.org.
-To report issues, visit: https://github.com/keepassxreboot/keepassxc.
-
-Thank You, +
-Team KeePassXC

docs/topics/ImportExport.adoc

@@ -6,53 +6,66 @@ include::.sharedheader[]
 == Importing External Databases
 KeePassXC allows you to import external databases from the following options:
 
-* Comma-Separated Values (CSV) file
-* 1Password OPVault
-* KeePass 1 Database
+* Comma Separated Values (.csv)
+* 1Password Export (.1pux)
+* 1Password Vault (.opvault)
+* Bitwarden (.json)
+* KeePass 1 Database (.kdb)
+
+To import any of these files, start KeePassXC and either click the `Import File` button on the welcome screen or use the menu Database > Import... to launch the Import Wizard.
+
+.Import Wizard
+image::import_wizard.png[]
+
+For each of the import options, you will be prompted to select the file to import and then provide credentials to unlock the file, if necessary. You can then choose to import the file into a new database or into an existing database that is already unlocked in KeePassXC.
 
 === Importing CSV File
-If you have been saving your URLs, usernames, passwords, and so on in a CSV file, you can migrate all that information from the CSV file to KeePassXC and start using KeePassXC to maintain your data.
+WARNING: A CSV file is unencrypted and you should securely delete this file after successfully importing it into KeePassXC.
 
-To open the CSV file, perform the following steps:
+1. Follow the steps above and click `Continue`. The CSV import wizard will appear.
 
-1. Open KeePassXC.
-
-2. Click Import from CSV button on the welcome screen or use the menu Database > Import > CSV File.
-
-3. Navigate to the location of the your CSV file on your computer and open the file. The new database wizard will appear. Follow the steps of creating a new database in Chapter 1.
-
-4. After saving your new database file, the CSV import wizard will appear. On this dialog you can choose the various options for properly importing the data. You may need to select the _First line has field names_ checkbox before starting. Analyze the output in the preview at the bottom to determine the correct import settings.
+2. On this dialog you can choose the various options for properly importing the data. Analyze the output in the preview at the bottom to determine the correct import settings. You may need to re-map the column associations to match the data in your CSV file.
 +
 .CSV Import Wizard
 image::csv_import.png[]
 
-Your CSV file gets imported to KeePassXC and the data is converted to the KeePassXC format for further usage and maintenance. The new database file is saved on to your computer with the default `.kdbx` extension.
+3. Click `Done` to complete the import. If you chose to create a new database, the New Database dialog will appear. Otherwise your entries will be nested under the group you chose for the existing database.
+
+=== Importing 1Password Export
+WARNING: A 1Password Export file is unencrypted and you should securely delete this file after successfully importing it into KeePassXC.
+
+1. Open the Import Wizard as shown above. Select the 1Password Export option.
+
+2. Click `Continue` to unlock and preview the import. Click `Done` to complete the import.
 
 === Importing 1Password OPVault
+NOTE: You must have 1Password version 7 or 8 to export your data to an OPVault. If you are using a newer version of 1Password, you should use the 1Password Export (1PUX) format instead.
+
 Save your 1Password Vault locally to create an OPVault directory. Please see 1Password instructions on how to do this. Once an OPVault is created, perform the following steps:
 
-1. Open KeePassXC.
+1. Open the Import Wizard as shown above. Select the 1Password Vault option.
 
-2. Use the menu Database > Import > 1Password Vault. Select the OPVault to import.
+2. Enter the password for your vault and click `Continue` to unlock and preview the import. Click `Done` to complete the import.
 
-3. Enter the password for your OPVault to unlock and import.
+=== Importing Bitwarden
+WARNING: A Bitwarden Export file may be unencrypted and you should securely delete this file after successfully importing it into KeePassXC.
+
+1. Open the Import Wizard as shown above. Select the Bitwarden option.
+
+2. Optionally provide a password to decrypt the Bitwarden export file. You should only need to do this if you have chosen the encrypted json export option within Bitwarden.
+
+3. Click `Continue` to unlock and preview the import. Click `Done` to complete the import.
 
 === Importing KeePass 1 Database
-KeePass 1 database is an older format of the database created using legacy version of KeePass. KeePassXC lets your import this older format of the database and you can seamlessly start using this database in your new KeePassXC application.
+KeePass 1 database is an older format of the database created using a legacy version of KeePass. KeePassXC lets your import this older format of the database and you can seamlessly start using this database in your new KeePassXC application.
 
 To import a KeePass 1 database file in KeePassXC, perform the following steps:
 
-1. Open KeePassXC.
+1. Open the Import Wizard as shown above. Select the KeePass1 Database option.
 
-2. Click Import from KeePass 1 button on the welcome screen or use the menu Database > Import > KeePass 1 Database.
+2. Enter the password for your database and optionally provide a key file if it was configured for your KeePass1 database.
 
-3. Navigate to the location of the your legacy KeePass 1 database file (`.kdb`) on your computer and open the file. You are prompted for the password and the Key file for your `.kdb` file.
-
-4. Enter the password for your old `.kdb` file and click *OK*. You are prompted for provide a name for the new database format that KeePassXC recognizes.
-
-5. Provide a name for the new database format, select a folder on your computer to save the file, and click Save.
-
-6. The data from the `.kdb` file gets imported and converted to the new format, which is compatible with KeePassXC. You can now start using the new database file (`.kdbx`) in KeePassXC.
+3. Click `Continue` to unlock and preview the import. Click `Done` to complete the import.
 
 == Exporting Databases
 KeePassXC supports multiple ways to export your database for transfer to another program or to print out and archive.

docs/topics/Passkeys.adoc

@@ -0,0 +1,104 @@
+= KeePassXC – Passkeys
+include::.sharedheader[]
+:imagesdir: ../images
+
+// tag::content[]
+== Passkeys
+
+Passkeys are a secure way for replacing passwords that is supported by all major browser vendors and an increasing number of websites. For more information on what Passkeys are and how they work, please go to the FIDO Alliance's documentation: https://fidoalliance.org/passkeys/
+
+=== Enabling Passkey Support
+
+KeePassXC supports Passkeys directly through the Browser Integration service. Passkeys are only supported with the use of the KeePassXC Browser Extension and a properly connected database. To enable Passkey support on the extension, you must check the _Enable Passkeys_ option in the extension settings page.
+
+.Enable Passkey Support in the KeePassXC Browser Extension
+image::passkeys_enable_from_extension.png[,75%]
+
+Optionally, you can disable falling back to the built-in Passkey support from your browser and operating system. If left enabled, the extension will show the default Passkey dialogs if KeePassXC cannot handle the request or the request is canceled.
+
+=== Create a New Passkey
+
+Creating a new Passkey and authenticating with it is a simple process. This workflow will be demonstrated using GitHub as an example site. Please note that GitHub allows two use cases for Passkeys, one for 2FA only and the other for replacement of username and password entirely. We will be configuring the latter use case in this example.
+
+After navigating to GitHub's _Settings_ -> _Password and authentication_, there is a separate section shown for Passkeys.
+
+.GitHub's Passkey Registration
+image::passkeys_github_1.png[]
+
+After clicking the _Add a Passkey_ button, the user is redirected to another page showing the actual configuration option.
+
+.Configure Passwordless Authentication
+image::passkeys_github_2.png[,50%]
+
+Clicking the _Add Passkey_ button now shows the following popup dialog for the user, asking confirmation for creating a new Passkey.
+
+.Passkey Registration Confirmation Dialog
+image::passkeys_register_dialog.png[,30%]
+
+After the Passkey has been registered, a new entry is created to the database under _KeePassXC-Browser Passwords_ with _(Passkey)_  added to the entry title. The entry holds additional attributes that are used for authenticating the Passkey.
+
+After registration, GitHub will ask a name for the Passkey. This is only relevant for the server.
+
+.GitHub's Passkey Nickname
+image::passkeys_github_3.png[,50%]
+
+Now the Passkey should be shown on the GitHub's Passkey section.
+
+.Registered Passkeys on GitHub
+image::passkeys_github_4.png[]
+
+=== Login With a Passkey
+
+The Passkey created in the previous section can now be used to login to GitHub. Instead of logging in with normal credentials, choose _Sign in with a passkey_ at the bottom of GitHub's login page.
+
+.GitHub's login page with a Passkey option
+image::passkeys_github_5.png[,50%]
+
+After clicking the button, KeePassXC-Browser detects the Passkeys authentication and KeePassXC shows the following dialog for confirmation.
+
+.Passkey authentication confirmation dialog
+image::passkeys_authentication_dialog.png[,50%]
+
+After confirmation user is now authenticated and logged into GitHub.
+
+// tag::advanced[]
+=== Advanced Usage
+
+==== Multiple Passkeys for a Site
+
+Multiple Passkeys can be created for a single site. When registering a new Passkey with a different username, KeePassXC shows an option to register a new Passkey or update the previous one. Updating a Passkey will override the existing entry, so this option should be only used when actually needed.
+
+.Passkey authentication confirmation dialog
+image::passkeys_update_dialog.png[,50%]
+
+==== Exporting Passkeys
+
+All Passkeys in a database can be viewed and accessed from the _Database_ -> _Passkeys..._ menu item. The page shows both _Import_ and _Export_ buttons for Passkeys.
+
+.Passkeys Overview
+image::passkeys_all_passkeys.png[]
+
+After selecting one or more entries, the following dialog is shown. One or multiple Passkeys can be selected for export from the previously selected list of entries.
+
+.Passkeys Export Dialog
+image::passkeys_export_dialog.png[,65%]
+
+Exported Passkeys are stored in JSON format using the `.passkey` file extension. The file includes all relevant information for importing a Passkey to another database or saving a backup. 
+
+WARNING: The exported Passkey file is unencrypted and should be securely stored.
+
+==== Importing Passkeys
+
+An exported Passkey can be imported directly to a database or to an entry. To import directly, use the _Database_ -> _Import Passkey_ menu item.
+When right-clicking an entry, a separate menu item for _Import Passkey_ is shown. This is useful if user wants to import a previously created Passkey to an existing entry.
+
+.Import Passkey to an Entry
+image::passkeys_import_passkey_to_entry.png[,50%]
+
+After selecting a Passkey file to import, a separate dialog is shown where you can select which database, group, and entry to target. By default, the group is set to _Imported Passkeys_. The default action is to create a new entry that contains the imported Passkey.
+
+.Passkey import dialog
+image::passkeys_import_dialog.png[,65%]
+
+// end::advanced[]
+// end::content[]

docs/topics/UserInterface.adoc

@@ -86,7 +86,7 @@ Additionally, the following environment variables may be useful when running the
 |KPXC_CONFIG                    | Override default path to roaming configuration file
 |KPXC_CONFIG_LOCAL              | Override default path to local configuration file
 |KPXC_INITIAL_DIR               | Override initial location picking for databases
-|SSH_AUTH_SOCKET                | Path of the unix file socket that the agent uses for communication with other processes (SSH Agent)
+|SSH_AUTH_SOCK                  | Path of the unix file socket that the agent uses for communication with other processes (SSH Agent)
 |QT_SCALE_FACTOR [numeric]      | Defines a global scale factor for the whole application, including point-sized fonts.
 |QT_SCREEN_SCALE_FACTORS [list] | Specifies scale factors for each screen. See https://doc.qt.io/qt-5/highdpi.html#high-dpi-support-in-qt
 |QT_SCALE_FACTOR_ROUNDING_POLICY | Control device pixel ratio rounding to the nearest integer. See https://doc.qt.io/qt-5/highdpi.html#high-dpi-support-in-qt