Revert Auto-Type change that caused race condition

* Fixes #12723

.clang-format

@@ -54,6 +54,7 @@ IncludeCategories:
 IndentCaseLabels: false
 IndentWidth:     4
 IndentWrappedFunctionNames: false
+InsertNewlineAtEOF: true
 KeepEmptyLinesAtTheStartOfBlocks: true
 MacroBlockBegin: ''
 MacroBlockEnd:   ''
@@ -81,7 +82,7 @@ SpacesInContainerLiterals: true
 SpacesInCStyleCastParentheses: false
 SpacesInParentheses: false
 SpacesInSquareBrackets: false
-Standard:        Cpp11
+Standard:        c++17
 TabWidth:        4
 UseTab:          Never
 ...

.gitattributes

@@ -1,3 +1,14 @@
+# Github-linguist language hints
+*.h linguist-language=C++
+*.cpp linguist-language=C++
+
+# Line endings harmony
+* text=auto eol=lf
+
+# binary files
+*.ai binary
+
+# Export
 src/version.h.cmake export-subst
 .gitattributes export-ignore
 .gitignore export-ignore
@@ -7,13 +18,3 @@ src/version.h.cmake export-subst
 snapcraft.yaml export-ignore
 make_release.sh export-ignore
 AppImage-Recipe.sh export-ignore
-
-# github-linguist language hints
-*.h linguist-language=C++
-*.cpp linguist-language=C++
-
-# binary files
-*.ai binary
-
-# Line endings harmony
-* text=auto

.github/CONTRIBUTING.md

@@ -15,6 +15,7 @@ These are just guidelines, not rules. Use your best judgment, and feel free to p
   * [Bug reports](#bug-reports)
   * [Discuss with the team](#discuss-with-the-team)
   * [Your first code contribution](#your-first-code-contribution)
+  * [Using AI](#using-ai)
   * [Pull requests](#pull-requests)
   * [Translations](#translations)
 
@@ -38,7 +39,7 @@ We will accept contributions of good code that we can use from anyone.
  - “contributions”: This means just about anything you wish to contribute to the project, as long as it is good code we can use. The easier you make it for us to accept your contribution, the happier we are, but if it’s good enough, we will do a reasonable amount of work to use it.
  - “of good code”: This means that we will accept contributions that work well and efficiently, that fit in with the goals of the project, that match the project’s coding style, and that do not impose an undue maintenance workload on us going forward. This does not mean just program code, either, but documentation and artistic works as appropriate to the project.
  - “that we can use”: This means that your contribution must be given freely and irrevocably, that you must have the right to contribute it for our unrestricted use, and that your contribution is made under a license that is compatible with the license the project has chosen and that permits us to include, distribute, and modify your work without restriction.
- - “from anyone”: This means exactly that. We don’t care about anything but your code. We don’t care about your race, religion, national origin, biological gender, perceived gender, sexual orientation, lifestyle, political viewpoint, or anything extraneous like that. We will neither reject your contribution nor grant it preferential treatment on any basis except the code itself. We do, however, reserve the right to tell you to go away if you behave too obnoxiously toward us.
+ - “from anyone”: This means exactly that. We don’t care about anything but your code. We don’t care about your race, religion, national origin, biological gender, perceived gender, sexual orientation, lifestyle, political viewpoint, or anything extraneous like that. We will neither reject your contribution nor grant it preferential treatment on any basis except the code itself. We do, however, reserve the right to limit your access to our community if you violate our [Code of Conduct](../CODE-OF-CONDUCT.md).
 
 #### If Your Contribution Is Rejected
 
@@ -74,6 +75,10 @@ Unsure where to begin contributing to KeePassXC? You can start by looking throug
 
 Both issue lists are sorted by total number of comments. While not perfect, looking at the number of comments on an issue can give a general idea of how much an impact a given change will have.
 
+### Using AI
+
+Generative AI is fast becoming a first-party feature in most development environments, including GitHub itself. If you use Generative AI to write the vast majority of your submission (e.g., agent-based or vibe coding) then you **must document your use of AI** in your pull request. Please include the service you used and/or model that generated the code. All code submissions go through a rigorous review process regardless of the development workflow used.
+
 ### Pull requests
 
 Along with our desire to hear your feedback and suggestions, we're also interested in accepting direct assistance in the form of code.
@@ -82,7 +87,7 @@ All pull requests must comply with the above requirements and with the [stylegui
 
 ### Translations
 
-Translations are managed on [Transifex](https://www.transifex.com/keepassxc/keepassxc/) which offers a web interface.
+Translations are managed on [Transifex](https://explore.transifex.com/keepassxc/keepassxc/) which offers a web interface.
 Please join an existing language team or request a new one if there is none.
 
 If you open a Pull Request with new strings that require translations, you will need to run the following:

.github/ISSUE_TEMPLATE/bug-report.md

@@ -1,39 +0,0 @@
----
-name: Bug Report
-about: provide information about a problem
-title: 
-labels: bug
-assignees: ''
-
----
-## Overview
-[TIP]:  # ( DO NOT include screenshots of your actual database! )
-[NOTE]: # ( Give a BRIEF summary about your problem )
-
-
-## Steps to Reproduce
-[NOTE]: # ( Provide a simple set of steps to reproduce this bug. )
-1. 
-2. 
-3. 
-
-## Expected Behavior
-[NOTE]: # ( Tell us what you expected to happen )
-
-
-## Actual Behavior
-[NOTE]: # ( Tell us what actually happens )
-
-
-## Context
-[NOTE]: # ( Give us any additional information you may have. )
-
-
-[NOTE]: # ( Paste debug info from Help → About here )
-KeePassXC - VERSION
-Revision: REVISION
-
-[NOTE]: # ( Pick choices based on your environment )
-Operating System: Windows/Linux/macOS
-Desktop Env: Gnome/KDE/XFCE/Mate/Cinnamon
-Windowing System: X11/Wayland

.github/ISSUE_TEMPLATE/bug_report.yml

@@ -0,0 +1,83 @@
+name: Bug Report
+description: Provide information about a problem you are experiencing.
+type: Bug
+
+body:
+  - type: checkboxes
+    attributes:
+      label: Have you searched for an existing issue?
+      description: |
+        Use the issue search box to see if one already exists for the bug you encountered.
+        Also take a moment to review our pinned issues.
+      options:
+      - label: Yes, I tried searching and reviewed the pinned issues
+        required: true
+
+  - type: textarea
+    id: summary
+    attributes:
+      label: Brief Summary
+      description: |
+        Provide an overview of the problem, include any information that may help us triage this issue.
+        Provide screenshots if possible, but do NOT show sensitive data (use View -> Allow Screen Capture).
+    validations:
+      required: true
+
+  - type: textarea
+    id: steps
+    attributes:
+      label: Steps to Reproduce
+      description: Provide a simple set of steps to reproduce this bug.
+      placeholder: |
+        1. 
+        2. 
+        3. 
+    validations:
+      required: true
+
+  - type: textarea
+    id: expected_vs_actual
+    attributes:
+      label: Expected Versus Actual Behavior
+      description: Tell us what you expected to happen and what actually happened.
+
+  - type: textarea
+    id: debug_info
+    attributes:
+      label: KeePassXC Debug Information
+      placeholder: "Paste the output of: Help -> About -> Debug Info"
+      render: Text
+
+  - type: dropdown
+    id: os
+    attributes:
+      label: Operating System
+      description: Select your operating system.
+      options:
+        - Windows
+        - Linux
+        - macOS
+        - Other (BSD, Haiku, etc)
+
+  - type: dropdown
+    id: desktop_env
+    attributes:
+      label: Linux Desktop Environment
+      description: If on Linux, please select your desktop environment.
+      options:
+        - Gnome
+        - KDE
+        - XFCE
+        - Mate / Cinnamon
+        - Sway
+        - i3
+        - Other
+
+  - type: dropdown
+    id: window_system
+    attributes:
+      label: Linux Windowing System
+      description: If on Linux, please select your windowing system.
+      options:
+        - X11
+        - Wayland

.github/ISSUE_TEMPLATE/feature-request.md

@@ -1,19 +0,0 @@
----
-name: Feature Request
-about: tell us about a new feature you want
-title: 
-labels: new feature
-assignees: ''
-
----
-## Summary
-[TIP]:  # ( DO NOT include screenshots of your actual database! )
-[NOTE]: # ( Provide a brief overview of what the new feature is all about )
-
-
-## Examples
-[NOTE]: # ( Show us a picture or mock-up of your proposal )
-
-
-## Context
-[NOTE]: # ( Why does this feature matter to you? What unique circumstances do you have? )

.github/ISSUE_TEMPLATE/feature_request.yml

@@ -0,0 +1,34 @@
+name: Feature Request
+description: Tell us about a new feature you want.
+type: Feature
+
+body:
+  - type: checkboxes
+    attributes:
+      label: Have you searched for an existing feature request?
+      description: Use the issue search box to see if one already exists for the feature you want.
+      options:
+      - label: Yes, I tried searching
+        required: true
+
+  - type: textarea
+    id: summary
+    attributes:
+      label: Brief Summary
+      description: |
+        Provide an overview of the feature you are interested in adding.
+        Provide screenshots if possible, but do NOT show sensitive data (use View -> Allow Screen Capture).
+    validations:
+      required: true
+
+  - type: textarea
+    id: example
+    attributes:
+      label: Example
+      description: Provide an example of how this feature would be used.
+
+  - type: textarea
+    id: context
+    attributes:
+      label: Context
+      description: Why does this feature matter to you? What unique circumstances do you have?

.github/ISSUE_TEMPLATE/prerelease_bug_report.yml

@@ -0,0 +1,85 @@
+name: Pre-Release Bug Report
+description: Report an issue with pre-release code (e.g. snapshot builds).
+type: Bug
+labels: PRE-RELEASE BUG
+assignees: droidmonkey
+
+body:
+  - type: checkboxes
+    attributes:
+      label: Have you searched for an existing issue?
+      description: |
+        Use the issue search box to see if one already exists for the bug you encountered.
+        Also take a moment to review our pinned issues.
+      options:
+      - label: Yes, I tried searching and reviewed the pinned issues
+        required: true
+
+  - type: textarea
+    id: summary
+    attributes:
+      label: Brief Summary
+      description: |
+        Provide an overview of the problem, include any information that may help us triage this issue.
+        Provide screenshots if possible, but do NOT show sensitive data (use View -> Allow Screen Capture).
+    validations:
+      required: true
+
+  - type: textarea
+    id: steps
+    attributes:
+      label: Steps to Reproduce
+      description: Provide a simple set of steps to reproduce this bug.
+      placeholder: |
+        1. 
+        2. 
+        3. 
+    validations:
+      required: true
+
+  - type: textarea
+    id: expected_vs_actual
+    attributes:
+      label: Expected Versus Actual Behavior
+      description: Tell us what you expected to happen and what actually happened.
+
+  - type: textarea
+    id: debug_info
+    attributes:
+      label: KeePassXC Debug Information
+      placeholder: "Paste the output of: Help -> About -> Debug Info"
+      render: Text
+
+  - type: dropdown
+    id: os
+    attributes:
+      label: Operating System
+      description: Select your operating system.
+      options:
+        - Windows
+        - Linux
+        - macOS
+        - Other (BSD, Haiku, etc)
+
+  - type: dropdown
+    id: desktop_env
+    attributes:
+      label: Linux Desktop Environment
+      description: If on Linux, please select your desktop environment.
+      options:
+        - Gnome
+        - KDE
+        - XFCE
+        - Mate / Cinnamon
+        - Sway
+        - i3
+        - Other
+
+  - type: dropdown
+    id: window_system
+    attributes:
+      label: Linux Windowing System
+      description: If on Linux, please select your windowing system.
+      options:
+        - X11
+        - Wayland

.github/ISSUE_TEMPLATE/release-preview-bug-report.md

@@ -1,39 +0,0 @@
----
-name: Release Preview Bug report
-about: report a bug with a release preview (e.g., 2.6.0-beta1)
-title: 
-labels: PRE-RELEASE BUG
-assignees: droidmonkey
-
----
-## Overview
-[TIP]:  # ( DO NOT include screenshots of your actual database! )
-[NOTE]: # ( Give a BRIEF summary about your problem )
-
-
-## Steps to Reproduce
-[NOTE]: # ( Provide a simple set of steps to reproduce this bug. )
-1. 
-2. 
-3. 
-
-## Expected Behavior
-[NOTE]: # ( Tell us what you expected to happen )
-
-
-## Actual Behavior
-[NOTE]: # ( Tell us what actually happens )
-
-
-## Context
-[NOTE]: # ( Give us any additional information you may have. )
-
-
-[NOTE]: # ( Paste debug info from Help → About here )
-KeePassXC - VERSION
-Revision: REVISION
-
-[NOTE]: # ( Pick choices based on your environment )
-Operating System: Windows/Linux/macOS
-Desktop Env: Gnome/KDE/XFCE/Mate/Cinnamon
-Windowing System: X11/Wayland

.github/PULL_REQUEST_TEMPLATE.md

@@ -1,15 +1,16 @@
-[NOTE]: # ( Describe your changes in detail, why is this change required? )
-[NOTE]: # ( Explain large or complex code modifications. )
-[NOTE]: # ( If it fixes an open issue, please add "Fixes #XXX" )
+[NOTE]: # ( Describe your changes in detail. Explain large or complex code modifications. )
+[NOTE]: # ( If it fixes an open issue, please add "Fixes #XXX". )
+[NOTE]: # ( If you used Generative AI to write the majority of your code, you must state this. )
 
 
 ## Screenshots
-[TIP]:  # ( Do not include screenshots of your actual database! )
+[NOTE]: # ( Do not include screenshots of your actual database! )
+[TIP]:  # ( Use View -> Allow Screen Capture )
 
 
 ## Testing strategy
 [NOTE]: # ( Please describe in detail how you tested your changes. )
-[TIP]:  # ( We expect new code to be covered by unit tests and documented with doc blocks! )
+[TIP]:  # ( We expect new code to be covered by unit tests and include helpful comments. )
 
 
 ## Type of change

.github/copilot-instructions.md

@@ -0,0 +1,44 @@
+This repository is a C++ (C++20) Qt-based password manager. The important domain concepts are
+Database, Group, and Entry (KDBX format). Key areas to know before making changes are below.
+
+Quick reference (common commands)
+- Configure + build (preferred: CMake presets)
+	- Windows (PowerShell): `cmake --preset x64-debug`
+	- Build: `cmake --build --preset x64-debug` or `cmake --build . -j <n>` from the build dir
+- Formatting (required before commits):
+	- `cmake --build . --target format` (runs clang-format)
+- Tests:
+	- Run all tests: `ctest -j <n>` from build dir
+	- Run single test (verbose): `ctest -R <Test Name> -V`
+- Translations & i18n (release tooling):
+	- Update translation sources: `python ./release-tool.py i18n lupdate`
+
+Big-picture architecture (where to look)
+- src/core: core data model (Database, Groups, Entries). Example: `src/core/Database.h`
+- src/format: KDBX readers/writers and import/export logic.  (sensitive - avoid casual edits)
+- src/crypto: cryptographic primitives and key derivation. (sensitive - avoid casual edits)
+- src/gui: Qt UI layers, widgets, main window and app lifecycle (entry: `src/main.cpp`, `src/gui/MainWindow.cpp`)
+- src/sshagent, src/browser, src/fdosecrets, src/quickunlock: integration adapters for external systems
+- tests/ and tests/gui/: QTest-based unit and GUI tests (follow existing test patterns)
+
+Project-specific conventions & patterns
+- Language/features: C++20, heavy use of Qt signal/slot idioms and QObject-derived classes.
+- Build: use provided CMake commands to configure and build the project successfully.
+- Formatting: a CMake target (`format`) runs clang-format — run it before committing.
+- Translations: translation files are generated/updated via the release tool — run it before committing.
+- UI files: .ui changes are non-trivial; prefer proposing .ui edits rather than committing wholesale .ui changes unless very simple.
+- Sensitive areas: `src/crypto` and `src/format` contain security-sensitive logic — avoid refactors that change algorithms without expert review.
+
+Concrete examples (where to copy patterns)
+- Signal connections: see `src/keeshare/ShareObserver.cpp` (connect to Database signals like `groupAdded` / `modified`).
+- Opening/locking DBs: `src/gui/DatabaseTabWidget.*` and `src/gui/DatabaseWidget.*` show typical lifecycle and `emitActiveDatabaseChanged()`.
+- Format/validation: use `src/format/KdbxReader.cpp` and `Kdbx4Reader.cpp` for error handling patterns when reading DBs.
+
+Rules for automated agents
+- Do not change cryptographic or serialization logic unless the change is narrowly scoped and you run tests.
+- When adding features, create relevant unit tests within existing files in `tests/`.
+- Always run code formatting, translation update, and tests before submitting commits.
+- All tests related to your change must pass before committing.
+- Reference real files in PR descriptions (e.g., "changed src/core/Database.h and tests/TestDatabase.cpp").
+
+If anything above is unclear or you want more detail about a specific area (build matrix, CI, or release-tool commands), tell me which part and I will expand.

.github/workflows/codeql.yml

@@ -0,0 +1,70 @@
+name: "CodeQL"
+
+on:
+  push:
+    branches:
+      - 'develop'
+      - 'release/**'
+  pull_request:
+  schedule:
+    - cron: '5 16 * * 3'
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }}
+    timeout-minutes: ${{ (matrix.language == 'swift' && 120) || 360 }}
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: [ 'cpp' ]
+        # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby' ]
+        # Use only 'java' to analyze code written in Java, Kotlin or both
+        # Use only 'javascript' to analyze code written in JavaScript, TypeScript or both
+        # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support
+
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v4
+
+    - if: matrix.language == 'cpp'
+      name: Install dependencies
+      run: |
+        sudo apt update
+        sudo apt install build-essential cmake g++
+        sudo apt install qtbase5-dev qtbase5-private-dev qttools5-dev qttools5-dev-tools libqt5svg5-dev libargon2-dev libkeyutils-dev libminizip-dev libbotan-2-dev libqrencode-dev zlib1g-dev asciidoctor libreadline-dev libpcsclite-dev libusb-1.0-0-dev libxi-dev libxtst-dev  libqt5x11extras5-dev
+
+    # Initializes the CodeQL tools for scanning.
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@v3
+      with:
+        languages: ${{ matrix.language }}
+        # If you wish to specify custom queries, you can do so here or in a config file.
+        # By default, queries listed here will override any specified in a config file.
+        # Prefix the list here with "+" to use these queries and those in the config file.
+
+        # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
+        queries: security-and-quality
+
+    - if: matrix.language == 'cpp'
+      name: Build C++
+      run: |
+        mkdir build && cd build
+        cmake -DWITH_XC_ALL=ON -DWITH_TESTS=OFF ..
+        make -j $(nproc)
+
+    # Autobuild attempts to build any compiled languages (C/C++, C#, Go, Java, or Swift).
+    # If this step fails, then you should remove it and run the build manually (see below)
+    - if: matrix.language != 'cpp'
+      name: Autobuild
+      uses: github/codeql-action/autobuild@v3
+
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@v3
+      with:
+        category: "/language:${{matrix.language}}"

.github/workflows/copilot-setup-steps.yml

@@ -0,0 +1,29 @@
+name: "Copilot Setup Steps"
+
+# Setup the environment for Copilot agents to run in
+on:
+  workflow_dispatch:
+  push:
+    paths:
+      - .github/workflows/copilot-setup-steps.yml
+  pull_request:
+    paths:
+      - .github/workflows/copilot-setup-steps.yml
+
+jobs:
+  copilot-setup-steps:
+    runs-on: ubuntu-latest
+
+    # Needed to clone the repository
+    permissions:
+      contents: read
+
+    # Install dependencies
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Install dependencies
+        run: |
+          sudo apt update
+          sudo apt install --no-install-recommends build-essential cmake g++ ninja-build qtbase5-dev qtbase5-private-dev qttools5-dev qttools5-dev-tools libqt5svg5-dev libargon2-dev libkeyutils-dev libminizip-dev libbotan-2-dev libqrencode-dev zlib1g-dev asciidoctor libreadline-dev libpcsclite-dev libusb-1.0-0-dev libxi-dev libxtst-dev libqt5x11extras5-dev

.gitignore

@@ -24,8 +24,10 @@ desktop.ini
 # MSVC Files
 CMakeSettings.json
 CMakePresets.json
+CMakeUserPresets.json
 .vs/
 out/
+\.clangd
 
 # vcpkg
 vcpkg_installed*/

.tx/config

@@ -2,16 +2,20 @@
 host = https://app.transifex.com
 
 [o:keepassxc:p:keepassxc:r:share-translations-keepassxc-en-ts--develop]
-file_filter   = share/translations/keepassxc_<lang>.ts
-source_file   = share/translations/keepassxc_en.ts
-type          = QT
-minimum_perc  = 0
-resource_name = keepassxc_en.ts (develop)
+file_filter            = share/translations/keepassxc_<lang>.ts
+source_file            = share/translations/keepassxc_en.ts
+type                   = QT
+minimum_perc           = 60
+resource_name          = keepassxc_en.ts (develop)
+replace_edited_strings = false
+keep_translations      = false
 
 [o:keepassxc:p:keepassxc:r:share-translations-keepassxc-en-ts--master]
-file_filter   = share/translations/keepassxc_<lang>.ts
-source_file   = share/translations/keepassxc_en.ts
-type          = QT
-minimum_perc  = 0
-resource_name = keepassxc_en.ts (2.7.x stable)
+file_filter            = share/translations/keepassxc_<lang>.ts
+source_file            = share/translations/keepassxc_en.ts
+type                   = QT
+minimum_perc           = 60
+resource_name          = keepassxc_en.ts (2.7.x stable)
+replace_edited_strings = false
+keep_translations      = false
 

CHANGELOG.md

@@ -1,5 +1,168 @@
 # Changelog
 
+## 2.8.0 (Pending)
+* Placeholder for future release notes
+
+## 2.7.11 (2025-11-23)
+
+### Changes
+- Add image, HTML, Markdown preview, and text editing support to inline attachment viewer [#12085, #12244, #12654]
+- Add database merge confirmation dialog [#10173]
+- Add option to auto-generate a password for new entries [#12593]
+- Add support for group sync in KeeShare [#11593]
+- Add {UUID} placeholder for use in references [#12511]
+- Add “Wait for Enter” search option [#12263]
+- Add keyboard shortcut to “Jump to Group” from search results [#12225]
+- Add predefined search for TOTP entries [#12199]
+- Add confirmation when closing database via ESC key [#11963]
+- Add support for escaping placeholder expressions [#11904]
+- Reduce tab indentation width in notes fields [#11919]
+- Cap default Argon2 parallelism when creating a new database [#11853]
+- Database lock after inactivity now enabled by default and set to 900 seconds [#12689, #12609]
+- Copying TOTP now opens setup dialog if none is configured for entry [#12584]
+- Make double click action configurable [#12322]
+- Remove unused “Last Accessed” from GUI [#12602]
+- Auto-Type: Add more granular confirmation settings [#12370]
+- Auto-Type: Add URL typing preset and add copy options to menu [#12341]
+- Browser: Do not allow sites automatically if entry added from browser extension [#12413]
+- Browser: Add options to restrict exposed groups [#9852, #12119]
+- Bitwarden Import: Add support for timestamps and password history [#12588]
+- macOS: Add Liquid Glass icon [#12642]
+- macOS: Remove theme-based menubar icon toggle [#12685]
+- macOS: Add Window and Help menus [#12357]
+- Windows: Add option to add KeePassXC to PATH during installation [#12171]
+
+### Fixes
+- Fix window geometry not being restored properly when KeePassXC starts in tray [#12683]
+- Fix potential database truncation when using direct write save method with YubiKeys [#11841]
+- Fix issue with database backup saving [#11874]
+- Fix UI lockups during startup with multiple tabs [#12053]
+- Fix keyboard shortcuts when menubar is hidden [#12431]
+- Fix clipboard being cleared on exit even if no password was copied [#12603]
+- Fix single-instance detection when username contains invalid filename characters [#12559]
+- Fix “Search Wait for Enter” setting not being save [#12614]
+- Fix hotkey accelerators not being escaped properly on database tabs [#12630]
+- Fix confusing error if user cancels out of key file edit dialog [#12639]
+- Fix issues with saved searches and “Press Enter to Search” option [#12314]
+- Fix URL wildcard matching [#12257]
+- Fix TOTP visibility on unlock and settings change [#12220]
+- Fix KeeShare entries with reference attributes not updating [#11809]
+- Fix sort order not being maintained when toggling filters in database reports [#11849]
+- Fix several UI font and layout issues [#11967,  #12102]
+- Prevent mouse wheel scroll on edit username field [#12398]
+- Improve base translation consistency [#12432]
+- Improve inactivity timer [#12246]
+- Documentation improvements [#12373, #12506]
+- Browser: Fix ordering of clientDataJSON in Passkey response object [#12120]
+- Browser: Fix URL matching for additional URLs [#12196]
+- Browser: Fix group settings inheritance [#12368]
+- Browser: Allow read-only native messaging config files [#12236]
+- Browser: Optimise entry iteration in browser access control dialog [#11817]
+- Browser: Fix “Do not ask permission for HTTP Basic Auth” option [#11871]
+- Browser: Fix native messaging path for Tor Browser launcher on Linux [#12005]
+- Auto-Type: Fix empty window behaviour [#12622]
+- Auto-Type: Take delays into account when typing TOTP [#12691]
+- SSH Agent: Fix out-of-memory crash with malformed SSH keys [#12606]
+- CSV Import: Fix modified and creation time import [#12379]
+- CSV Import: Fix duplication of root groups on import [#12240]
+- Proton Pass Import: Fix email addresses not being imported when no username set [#11888]
+- macOS: Fix secure input getting stuck [#11928]
+- Windows: Prevent launch as SYSTEM user from MSI installer [#12705]
+- Windows: Remove broken check for MSVC Redistributable from MSI installer [#11950]
+- Linux: Fix startup delay due to StartupNotify setting in desktop file [#12306]
+- Linux: Fix memory initialisation when --pw-stdin is used with a pipe [#12050]
+
+## 2.7.10 (2025-03-02)
+
+### Changes
+* Allow adjusting application font size [#11567]
+* Add Proton Pass importer [#11197]
+* Support KeePass2 TOTP settings [#11229]
+* Add New/Preview Entry Attachments dialog and functionality [#11637, #11699, #11650]
+* Add database name, color, and icon options for unlock view [#10819, #11725]
+* Show entry background color as column [#6798]
+* Use icons for password strength [#9844]
+* Add "Group Full Path" column in entry view [#10278]
+* Passphrase "MIXED case" Type [#11255]
+* Allow deleting extension plugin data from Browser Statistics [#11218]
+* Add --minimized option to keepassxc [#11693]
+* Implement T-CONV and T-REPLACE-RX entry placeholders [#11453]
+* Option to disable opening browser when URL field double-clicked [#11332]
+* Overhaul action states and add icons to toolbar [#11047]
+* Show character count in password generator dialog [#10940]
+* Add ability to expire entries from context menu [#8731]
+* Add copy field shortcuts to Auto-Type select dialog [#11518]
+* Passkeys: Add support for selecting group on creation [#11260]
+* Browser: Refactor Access Control Dialog [#9607]
+* Browser: Add support for URL wildcards and exact URL [#9835, #11752]
+* Browser: Allow groups to restrict by browser integration key [#9852]
+* CLI: Add `-d` dry-run shortcut to merge command [#11192]
+* CLI: HTML export [#11590]
+* macOS: Add option to disable database lock when switching user [#9707]
+* SSH Agent: Implement feature to clear all identities [#10649]
+
+### Fixes
+* Major enhancements to documentation [#11745, #10875]
+* Various UI and style fixes [#11535, #11672, #11511, #11445, #11426, #11273, #11455, #11321, #11594, #11539, #11351, #11354, #10748, #11602, #11303, #11291, #10091, #9417]
+* Various improvements to tags [#11676, #11652, #11625]
+* Reset splitter sizes on database unlock [#11014]
+* Remember sort order in Auto-type popup dialog [#9508]
+* Fix database password clearing when modifying key file / hardware key [#11001]
+* Fix issues with reloading and handling of externally modified db file [#10612]
+* Support passkeys with Bitwarden import [#11401]
+* Fix various quirks with CSV import [#11787]
+* Show Auto-Type select dialog even if window title is empty [#11603]
+* Refactor hardware key code to avoid deadlock [#11703, #10872]
+* Show a clear error if hardware key is found slots are not configured [#11609]
+* Fix signal/slot disconnect when opening import wizard [#11039]
+* Fix setting window title as modified [#11542]
+* Fix assert hit when viewing entry history [#11413]
+* Fix multiple crashes on Linux [#11513]
+* Fix backup file path time substitution [#10834]
+* Prevent long-running threads from deadlocking the program with only 1 CPU [#11155]
+* Hide the menubar when menus lose focus (if toggled off) [#11355, #11605]
+* CLI: Restore the original codepage on windows [#11470]
+* Passkeys: Various fixes [#10934, #10951]
+* Browser: Fix cancel with database unlock dialog [#11435]
+* Browser: Resolve references in Access Confirm dialog [#11055]
+* SSH Agent: Add timeout to streams to prevent deadlock [#11290]
+* macOS: Replace legacy code for screen recording permissions [#11428]
+* macOS: Implement Secure Input Mode [#11623]
+* macOS: Fix showing ambigious name in settings [#11373]
+* macOS: Fix copy-to-clipboard shortcut in entry preview widget [#10966]
+* Linux: Prevent multiple lock requests [#11306]
+* Snap: Prevent need for snap helper script to configure browser extension [#10924]
+* Windows: Detect outdated VC Redist with MSI installer [#11469]
+* Windows: Additional exclusion fields for clipboard [#11521]
+
+## 2.7.9 (2024-06-19)
+
+### Changes
+* Passkeys: Ability to easily remove a passkey from an entry [#10777]
+* Snap: Use new desktop portal for native messaging integration [#10906]
+
+### Fixes
+* Improve entry placeholder/reference feature [#10846]
+* Improve CSV importing when title field isn't specified [#10843]
+* Improve encrypted Bitwarden importing [#10800]
+* Improve database settings UX [#10821]
+* Improve handling of clipboard actions from entry preview [#10810]
+* Improve group/entry view resize behavior and set sensible defaults [#10641]
+* Passkeys: Fix incorrect username fill [#10874]
+* Passkeys: Return additional data to the extension [#10857]
+* Fix password clear timer inconsistency on unlock view [#10708]
+* Fix portability check [#10760]
+* Fix page overflow on HTML exports [#10735]
+* Fix broken builds when using system provided zxcvbn [#10717]
+* Fix copy password button when text is selected [#10853]
+* Fix tab ordering on application settings pages [#10907]
+* SSH Agent: Fix broken decrypt button [#10638]
+* Windows: Fix ALT Auto-Type modifier [#10795]
+* Windows: Fix wrong DACL memory size allocation [#10712]
+* macOS: Fix monospace font sizing [#10739]
+* Flatpak: Fix configuration settings off-by-one error [#10688]
+* BSD: Fix compiling with libusb implementation [#10736]
+
 ## 2.7.8 (2024-05-05)
 
 ### Changes
@@ -147,7 +310,7 @@
 - Browser: Revert code causing connection problems [#8665]
 - Browser: Fix socket file symbolic link on Linux [#8656]
 - Flatpak: Fix launching browser proxy service [#8680]
-- SSH Agent: Fix paegent support on Windows [#8619]
+- SSH Agent: Fix pageant support on Windows [#8619]
 
 ## 2.7.3 (2022-10-23)
 
@@ -1030,7 +1193,7 @@
 - Compare window title to entry URLs #556
 - Implemented inline error messages #162
 - Ignore group expansion and other minor changes when making database "dirty" #464
-- Updated license and copyright information on souce files #632
+- Updated license and copyright information on source files #632
 - Added contributors list to about dialog #629
 
 ## 2.1.4 (2017-04-09)

CMakeLists.txt

@@ -60,10 +60,17 @@ option(WITH_XC_KEESHARE "Sharing integration with KeeShare" OFF)
 option(WITH_XC_UPDATECHECK "Include automatic update checks; disable for controlled distributions" ON)
 if(UNIX AND NOT APPLE)
     option(WITH_XC_FDOSECRETS "Implement freedesktop.org Secret Storage Spec server side API." OFF)
+    set(WITH_XC_X11 ON CACHE BOOL "Enable building with X11 deps")
 endif()
 option(WITH_XC_DOCS "Enable building of documentation" ON)
-
-set(WITH_XC_X11 ON CACHE BOOL "Enable building with X11 deps")
+if(WIN32 OR APPLE)
+    set(WITH_XC_CODESIGN_IDENTITY "" CACHE STRING "Certificate to be used for signing binaries before packaging.")
+    if(WIN32)
+        set(WITH_XC_CODESIGN_TIMESTAMP_URL "http://timestamp.sectigo.com" CACHE STRING "Timestamp URL for Windows code signing.")
+    elseif(APPLE)
+        set(WITH_XC_NOTARY_KEYCHAIN_PROFILE "" CACHE STRING "Keychain profile name for stored Apple notarization credentials.")
+    endif()
+endif()
 
 if(APPLE)
     # Perform the platform checks before applying the stricter compiler flags.
@@ -120,8 +127,8 @@ if(UNIX AND NOT APPLE AND NOT WITH_XC_X11)
 endif()
 
 set(KEEPASSXC_VERSION_MAJOR "2")
-set(KEEPASSXC_VERSION_MINOR "7")
-set(KEEPASSXC_VERSION_PATCH "8")
+set(KEEPASSXC_VERSION_MINOR "8")
+set(KEEPASSXC_VERSION_PATCH "0")
 set(KEEPASSXC_VERSION "${KEEPASSXC_VERSION_MAJOR}.${KEEPASSXC_VERSION_MINOR}.${KEEPASSXC_VERSION_PATCH}")
 set(OVERRIDE_VERSION "" CACHE STRING "Override the KeePassXC Version for Snapshot builds")
 
@@ -222,17 +229,23 @@ if("${CMAKE_SIZEOF_VOID_P}" EQUAL "4")
     set(IS_32BIT TRUE)
 endif()
 
-set(CLANG_COMPILER_ID_REGEX "^(Apple)?[Cc]lang$")
-if("${CMAKE_C_COMPILER}" MATCHES "clang$"
-        OR "${CMAKE_EXTRA_GENERATOR_C_SYSTEM_DEFINED_MACROS}" MATCHES "__clang__"
-        OR "${CMAKE_C_COMPILER_ID}" MATCHES ${CLANG_COMPILER_ID_REGEX})
-    set(CMAKE_COMPILER_IS_CLANG 1)
-endif()
+if("${CMAKE_CXX_COMPILER}" MATCHES "clang-cl(.exe)?$")
+    # clang-cl uses MSVC compiler flags
+    set(MSVC 1)
+    set(CMAKE_COMPILER_IS_CLANG_MSVC 1)
+else()
+    set(CLANG_COMPILER_ID_REGEX "^(Apple)?[Cc]lang$")
+    if("${CMAKE_C_COMPILER}" MATCHES "clang$"
+            OR "${CMAKE_EXTRA_GENERATOR_C_SYSTEM_DEFINED_MACROS}" MATCHES "__clang__"
+            OR "${CMAKE_C_COMPILER_ID}" MATCHES ${CLANG_COMPILER_ID_REGEX})
+        set(CMAKE_COMPILER_IS_CLANG 1)
+    endif()
 
-if("${CMAKE_CXX_COMPILER}" MATCHES "clang(\\+\\+)?$"
-        OR "${CMAKE_EXTRA_GENERATOR_CXX_SYSTEM_DEFINED_MACROS}" MATCHES "__clang__"
-        OR "${CMAKE_CXX_COMPILER_ID}" MATCHES ${CLANG_COMPILER_ID_REGEX})
-    set(CMAKE_COMPILER_IS_CLANGXX 1)
+    if("${CMAKE_CXX_COMPILER}" MATCHES "clang(\\+\\+)?$"
+            OR "${CMAKE_EXTRA_GENERATOR_CXX_SYSTEM_DEFINED_MACROS}" MATCHES "__clang__"
+            OR "${CMAKE_CXX_COMPILER_ID}" MATCHES ${CLANG_COMPILER_ID_REGEX})
+        set(CMAKE_COMPILER_IS_CLANGXX 1)
+    endif()
 endif()
 
 macro(add_gcc_compiler_cxxflags FLAGS)
@@ -310,7 +323,7 @@ if(CMAKE_BUILD_TYPE_LOWER STREQUAL "debug")
     check_add_gcc_compiler_flag("-Wshadow-compatible-local")
     check_add_gcc_compiler_flag("-Wshadow-local")
     add_gcc_compiler_flags("-Werror")
-    # This is needed since compiling aginst Botan3 requires compiling against C++20
+    # This is needed since compiling against Botan3 requires compiling against C++20
     if(WITH_XC_BOTAN3)
         add_gcc_compiler_cxxflags("-Wno-error=deprecated-enum-enum-conversion -Wno-error=deprecated")
     endif()
@@ -396,10 +409,14 @@ if (MSVC)
         message(FATAL_ERROR "Only Microsoft Visual Studio 17 and newer are supported!")
     endif()
     add_compile_options(/permissive- /utf-8)
-    if(IS_DEBUG_BUILD)
-        add_compile_options(/Zf)
-        if(MSVC_TOOLSET_VERSION GREATER 141)
-            add_compile_definitions(/fsanitize=address)
+    # Clang-cl does not support /MP, /Zf, or /fsanitize=address
+    if (NOT CMAKE_COMPILER_IS_CLANG_MSVC)
+        add_compile_options(/MP)
+        if(IS_DEBUG_BUILD)
+            add_compile_options(/Zf)
+            if(MSVC_TOOLSET_VERSION GREATER 141)
+                add_compile_definitions(/fsanitize=address)
+            endif()
         endif()
     endif()
 endif()
@@ -415,7 +432,7 @@ if(WIN32)
             # By default MSVC enables NXCOMPAT
             add_compile_options(/guard:cf)
             add_link_options(/DYNAMICBASE /HIGHENTROPYVA /GUARD:CF)
-        else(MINGW)
+        else()
             set(CMAKE_EXE_LINKER_FLAGS "${CMAKE_EXE_LINKER_FLAGS} -Wl,--nxcompat -Wl,--dynamicbase")
             set(CMAKE_MODULE_LINKER_FLAGS "${CMAKE_MODULE_LINKER_FLAGS} -Wl,--nxcompat -Wl,--dynamicbase")
             # Enable high entropy ASLR for 64-bit builds
@@ -425,6 +442,8 @@ if(WIN32)
             endif()
         endif()
     endif()
+    # Determine if we can link against the Windows SDK, used for Windows Hello support
+    find_library(WINSDK WindowsApp.lib)
 endif()
 
 if(APPLE AND WITH_APP_BUNDLE OR WIN32)
@@ -467,7 +486,7 @@ if(WITH_COVERAGE)
     append_coverage_compiler_flags()
 
     set(COVERAGE_EXCLUDES
-            "'^(.+/)?(thirdparty|zxcvbn)/.*'"
+            "'^(.+/)?thirdparty/.*'"
             "'^(.+/)?main\\.cpp$$'"
             "'^(.+/)?cli/keepassxc-cli\\.cpp$$'"
             "'^(.+/)?proxy/keepassxc-proxy\\.cpp$$'")
@@ -512,14 +531,8 @@ else()
     find_package(Qt5 COMPONENTS ${QT_COMPONENTS} REQUIRED)
 endif()
 
-if(Qt5Core_VERSION VERSION_LESS "5.2.0")
-    message(FATAL_ERROR "Qt version 5.2.0 or higher is required")
-endif()
-
-# CBOR for Passkeys requires Qt 5.12
 if(Qt5Core_VERSION VERSION_LESS "5.12.0")
-    message(STATUS "Qt version 5.12.0 or higher is required for Passkeys support")
-    set(WITH_XC_BROWSER_PASSKEYS OFF)
+    message(FATAL_ERROR "Qt version 5.12.0 or higher is required")
 endif()
 
 get_filename_component(Qt5_PREFIX ${Qt5_DIR}/../../.. REALPATH)
@@ -613,6 +626,12 @@ endif()
 
 include_directories(SYSTEM ${ZLIB_INCLUDE_DIR})
 
+find_library(ZXCVBN_LIBRARIES zxcvbn)
+if(NOT ZXCVBN_LIBRARIES)
+    add_subdirectory(src/thirdparty/zxcvbn)
+    set(ZXCVBN_LIBRARIES zxcvbn)
+endif(NOT ZXCVBN_LIBRARIES)
+
 add_subdirectory(src)
 add_subdirectory(share)
 if(WITH_TESTS)

COPYING

@@ -137,10 +137,12 @@ Files: share/icons/badges/2_Expired.svg
        share/icons/database/C46_Help.svg
        share/icons/database/C53_Apply.svg
        share/icons/database/C61_Services.svg
+       share/icons/application/scalable/actions/proton.svg
 Copyright: 2022 KeePassXC Team <team@keepassxc.org>
 License: MIT
 
 Files: share/icons/application/scalable/actions/application-exit.svg
+       share/icons/application/scalable/actions/arrow-collapse-down.svg
        share/icons/application/scalable/actions/attributes-copy.svg
        share/icons/application/scalable/actions/auto-type.svg
        share/icons/application/scalable/actions/bitwarden.svg
@@ -155,6 +157,7 @@ Files: share/icons/application/scalable/actions/application-exit.svg
        share/icons/application/scalable/actions/database-lock-all.svg
        share/icons/application/scalable/actions/database-merge.svg
        share/icons/application/scalable/actions/database-search.svg
+       share/icons/application/scalable/actions/database-settings.svg
        share/icons/application/scalable/actions/dialog-close.svg
        share/icons/application/scalable/actions/dialog-ok.svg
        share/icons/application/scalable/actions/document-close.svg
@@ -175,6 +178,7 @@ Files: share/icons/application/scalable/actions/application-exit.svg
        share/icons/application/scalable/actions/entry-delete.svg
        share/icons/application/scalable/actions/entry-restore.svg
        share/icons/application/scalable/actions/entry-edit.svg
+       share/icons/application/scalable/actions/entry-expire.svg
        share/icons/application/scalable/actions/entry-new.svg
        share/icons/application/scalable/actions/favicon-download.svg
        share/icons/application/scalable/actions/fingerprint.svg
@@ -203,6 +207,7 @@ Files: share/icons/application/scalable/actions/application-exit.svg
        share/icons/application/scalable/actions/password-show-on.svg
        share/icons/application/scalable/actions/qrcode.svg
        share/icons/application/scalable/actions/refresh.svg
+       share/icons/application/scalable/actions/remote-sync.svg
        share/icons/application/scalable/actions/reports.svg
        share/icons/application/scalable/actions/reports-exclude.svg
        share/icons/application/scalable/actions/sort-alphabetical-ascending.svg
@@ -218,6 +223,7 @@ Files: share/icons/application/scalable/actions/application-exit.svg
        share/icons/application/scalable/actions/totp-copy.svg
        share/icons/application/scalable/actions/totp-copy-password.svg
        share/icons/application/scalable/actions/totp-edit.svg
+       share/icons/application/scalable/actions/totp-invalid.svg
        share/icons/application/scalable/actions/trash.svg
        share/icons/application/scalable/actions/url-copy.svg
        share/icons/application/scalable/actions/user-guide.svg
@@ -239,9 +245,12 @@ Files: share/icons/application/scalable/actions/application-exit.svg
        share/icons/application/scalable/status/dialog-information.svg
        share/icons/application/scalable/status/dialog-warning.svg
        share/icons/application/scalable/status/security-high.svg
-Copyright: 2019 Austin Andrews <http://templarian.com/>
-License: SIL OPEN FONT LICENSE Version 1.1
-Comment: Taken from Material Design icon set (https://github.com/templarian/MaterialDesign/)
+       share/icons/application/scalable/actions/lock-open-alert.svg
+       share/icons/application/scalable/actions/lock-open.svg
+       share/icons/application/scalable/actions/lock.svg
+Copyright: 2023 Pictogrammers <https://pictogrammers.com/docs/general/about/>
+License: Apache-2.0
+Comment: Some icons are modified to fit KeePassXC design (https://pictogrammers.com/library/mdi/)
 
 Files: src/streams/qtiocompressor.*
        src/streams/QtIOCompressor
@@ -249,7 +258,7 @@ Files: src/streams/qtiocompressor.*
 Copyright: 2009-2012, Nokia Corporation and/or its subsidiary(-ies)
 License: LGPL-2.1 or GPL-3
 
-Files: src/zxcvbn/zxcvbn.*
+Files: src/thirdparty/zxcvbn/zxcvbn.*
 Copyright: 2015-2017, Tony Evans
 License: MIT
 

INSTALL.md

@@ -67,9 +67,9 @@ Note: These steps place the compiled KeePassXC binary inside the `./build/src/`
 
 ## MacOS Build Notes
 
-If you installed Qt5 via Homebrew and CMake fails to find your Qt installation, you can specify it manually by adding the following parameter:
+If you installed Qt@5 via Homebrew and CMake fails to find your Qt installation, you can specify it manually by adding the following parameter:
 
-`-DCMAKE_PREFIX_PATH=$(brew --prefix qt5)/lib/cmake`
+`-DCMAKE_PREFIX_PATH=$(brew --prefix qt@5)/lib/cmake`
 
 When building with ASAN support on macOS, you need to use `export ASAN_OPTIONS=detect_leaks=0` before running the tests (LSAN is no supported on macOS).
 

README.md

@@ -1,4 +1,5 @@
-# <img src="https://keepassxc.org/images/keepassxc-logo.svg" width="40" height="40"/> KeePassXC
+# <img src="https://keepassxc.org/assets/img/keepassxc.svg" width="40" height="40"/> KeePassXC
+[![OpenSSF Best Practices](https://bestpractices.coreinfrastructure.org/projects/6326/badge)](https://bestpractices.coreinfrastructure.org/projects/6326)
 [![TeamCity Build Status](https://ci.keepassxc.org/app/rest/builds/buildType:\(project:KeepassXC\)/statusIcon)](https://ci.keepassxc.org/?guest=1)
 [![codecov](https://codecov.io/gh/keepassxreboot/keepassxc/branch/develop/graph/badge.svg)](https://codecov.io/gh/keepassxreboot/keepassxc)
 [![GitHub release](https://img.shields.io/github/release/keepassxreboot/keepassxc)](https://github.com/keepassxreboot/keepassxc/releases/)
@@ -21,12 +22,13 @@ KeePassXC has numerous features for novice and power users alike. Our goal is to
 * Password generator
 * Auto-Type passwords into applications
 * Browser integration with Google Chrome, Mozilla Firefox, Microsoft Edge, Chromium, Vivaldi, Brave, and Tor-Browser
+* Support for passkeys using the browser integration
 * Entry icon download
-* Import databases from CSV, 1Password, and KeePass1 formats
+* Import databases from CSV, 1Password, Bitwarden, Proton Pass, and KeePass1 formats
 
 ### Advanced
 * Database reports (password health, HIBP, and statistics)
-* Database export to CSV and HTML formats
+* Database export to CSV, XML, and HTML formats
 * TOTP storage and generation
 * Field references between entries
 * File attachments and custom attributes
@@ -54,6 +56,10 @@ You may directly contribute your own code by submitting a pull request. Please r
 
 Contributors are required to adhere to the project's [Code of Conduct](CODE-OF-CONDUCT.md).
 
+## Generative AI
+
+Generative AI is fast becoming a first-party feature in most development environments, including GitHub itself. If the majority of a code submission is made using Generative AI (e.g., agent-based or vibe coding) then **we will document that in the pull request.** All code submissions go through a rigorous review process regardless of the development workflow or submitter.
+
 ## License
 
 KeePassXC code is licensed under GPL-2 or GPL-3. Additional licensing for third-party files is detailed in [COPYING](./COPYING).

SECURITY.md

@@ -0,0 +1,46 @@
+### Reporting Security Issues
+
+The KeePassXC team takes security vulnerabilities very seriously and appreciates your responsible disclosure efforts. We will make every effort to acknowledge your contributions and handle them promptly.
+
+To report a security issue, please use one of the following methods:
+
+- **GitHub Security Advisory:** Use the ["Report a Vulnerability"](https://github.com/keepassxreboot/keepassxc/security/advisories/new) tab on our GitHub repository.
+- **Private Matrix Message:** Contact any of the following KeePassXC team members privately (also encrypted):
+  - [@droidmonkey_kpxc](https://matrix.to/#/@droidmonkey_kpxc:matrix.org)
+  - [@varjolintu](https://matrix.to/#/@varjolintu:matrix.org)
+  - [@phoerious](https://matrix.to/#/@phoerious:matrix.org)
+- **Send an Email:** Send your report to team@keepassxc.org. We recommend encrypting the email if possible.
+
+Please **DO NOT** use public channels (e.g., GitHub issues, Matrix chat channels) for initial reporting of bona fide security vulnerabilities.
+
+Once you report a security issue, our team will respond with the next steps. After our initial reply, we will keep you informed of the progress towards a fix and full announcement. We may ask for additional information or guidance during this process. If we disagree that your report constitutes a genuine security vulnerability, we will inform you and close the report. Your report may be turned into an issue for further tracking.
+
+If you discover vulnerabilities in third-party modules used by KeePassXC, please report them to the maintainers of the respective modules. If the vulnerability impacts KeePassXC directly, we encourage you to notify us using the above methods. We will validate if the vulnerability is exploitable from KeePassXC code; please note that not all vulnerabilities are actually exploitable and do not constitute an immediate concern for the KeePassXC application.
+
+### Example Security Vulnerabilities
+
+When reporting, please ensure the issue falls under what can be considered a genuine security vulnerability for KeePassXC. Some examples include:
+
+- Unauthorized access to sensitive user data (e.g., passwords).
+- Remote code execution or escalation of privileges.
+- Bypassing authentication or encryption mechanisms.
+- Broken or improperly implemented encryption methods. 
+
+### Counter Examples
+
+The following issues are **not** considered security vulnerabilities:
+
+- Bugs caused by locally modifying the application (e.g., injecting DLLs, altering code).
+- Crashes or misbehavior resulting from normal use (report this as a normal issue).
+- Vulnerabilities found in third-party modules (should be reported to the module’s maintainers).
+  
+### CVE Reporting Policy
+
+Please **DO NOT** submit a report to a Common Vulnerabilities and Exposures (CVE) Numbering Authority (CNA) before confirming the security vulnerability with the KeePassXC team. If we do not respond to your report within 30 days, this restriction no longer applies.
+
+
+### Other Communication
+
+For other inquiries (e.g., developer questions, user questions), please use the public channels on Matrix:
+- **User's Channel:** [#keepassxc:mozilla.org](https://matrix.to/#/#keepassxc:mozilla.org)
+- **Developer's Channel:** [#keepassxc-dev:mozilla.org](https://matrix.to/#/#keepassxc-dev:mozilla.org)

cmake/CLangFormat.cmake

@@ -16,9 +16,8 @@
 set(EXCLUDED_DIRS
         # third-party directories
         src/thirdparty
-        src/zxcvbn
         # objective-c directories
-        src/touchid
+        src/quickunlock/touchid
         src/autotype/mac
         src/gui/osutils/macutils)
 

cmake/FindBotan.cmake

@@ -36,7 +36,7 @@ find_library(
     NAMES ${BOTAN_NAMES}
     PATH_SUFFIXES release/lib lib
     DOC "The Botan (release) library")
-if(MSVC)
+if(WIN32 AND NOT MINGW)
     find_library(
         BOTAN_LIBRARY_DEBUG
         NAMES ${BOTAN_NAMES_DEBUG}
@@ -55,7 +55,7 @@ endif()
 
 if(BOTAN_FOUND)
     set(BOTAN_INCLUDE_DIRS ${BOTAN_INCLUDE_DIR})
-    if(MSVC)
+    if(WIN32 AND NOT MINGW)
         set(BOTAN_LIBRARIES optimized ${BOTAN_LIBRARY} debug ${BOTAN_LIBRARY_DEBUG})
     else()
         set(BOTAN_LIBRARIES ${BOTAN_LIBRARY})

cmake/FindPCSC.cmake

@@ -21,16 +21,38 @@ endif()
 
 if(NOT PCSC_FOUND)
    # Search for PC/SC headers on Mac and Windows
+
+   # Additional search paths for Windows if not running in Visual Studio environment
+   if (WIN32) 
+      # Resolve the ambiguity of using two names for one architecture
+      if(CMAKE_SYSTEM_PROCESSOR STREQUAL "AMD64" OR CMAKE_SYSTEM_PROCESSOR STREQUAL "x64")
+         set(ARCH_DIR "x64")
+      else()
+         set(ARCH_DIR "${CMAKE_SYSTEM_PROCESSOR}")
+      endif()
+
+      # Locate Windows SDK Paths
+      if (CMAKE_WINDOWS_KITS_10_DIR)
+         set(WINSDKROOTC_INCLUDE "${CMAKE_WINDOWS_KITS_10_DIR}/Include/${CMAKE_VS_WINDOWS_TARGET_PLATFORM_VERSION}/um")
+         set(WINSDKROOTC_LIB     "${CMAKE_WINDOWS_KITS_10_DIR}/LIB/${CMAKE_VS_WINDOWS_TARGET_PLATFORM_VERSION}/um/${ARCH_DIR}")
+      else()
+         set(WINSDKROOTC_INCLUDE "$ENV{ProgramFiles\(x86\)}/Windows Kits/10/Include/${CMAKE_VS_WINDOWS_TARGET_PLATFORM_VERSION}/um")
+         set(WINSDKROOTC_LIB     "$ENV{ProgramFiles\(x86\)}/Windows Kits/10/LIB/${CMAKE_VS_WINDOWS_TARGET_PLATFORM_VERSION}/um/${ARCH_DIR}")
+      endif()
+   endif()
+
    find_path(PCSC_INCLUDE_DIRS winscard.h
       HINTS
-      ${CMAKE_C_IMPLICIT_INCLUDE_DIRECTORIES}
-      /usr/include/PCSC
+         ${CMAKE_C_IMPLICIT_INCLUDE_DIRECTORIES}
+         /usr/include/PCSC
+         ${WINSDKROOTC_INCLUDE}
       PATH_SUFFIXES PCSC)
 
    # MAC library is PCSC, Windows library is WinSCard
    find_library(PCSC_LIBRARIES NAMES pcsclite libpcsclite WinSCard PCSC
       HINTS   
-      ${CMAKE_C_IMPLICIT_LINK_DIRECTORIES})
+         ${CMAKE_C_IMPLICIT_LINK_DIRECTORIES}
+         ${WINSDKROOTC_LIB})
 endif()
 
 include(FindPackageHandleStandardArgs)

cmake/FindQREncode.cmake

@@ -15,7 +15,7 @@
 
 find_path(QRENCODE_INCLUDE_DIR NAMES qrencode.h)
 
-if(WIN32 AND MSVC)
+if(WIN32 AND NOT MINGW)
 	find_library(QRENCODE_LIBRARY_RELEASE qrencode)
 	find_library(QRENCODE_LIBRARY_DEBUG qrencoded)
 	set(QRENCODE_LIBRARY optimized ${QRENCODE_LIBRARY_RELEASE} debug ${QRENCODE_LIBRARY_DEBUG})

cmake/KPXCMacDeployHelpers.cmake

@@ -1,5 +1,5 @@
 # Running macdeployqt on a POST_BUILD copied binaries is pointless when using CPack because
-# the copied binaries will be overriden by the corresponding install(TARGETS) commands.
+# the copied binaries will be overridden by the corresponding install(TARGETS) commands.
 # That's why we run macdeployqt using install(CODE) on the already installed binaries.
 # The precondition is that all install(TARGETS) calls have to be called before this function is
 # called.

cmake/MacOSCodesign.cmake.in

@@ -0,0 +1,101 @@
+#  Copyright (C) 2025 KeePassXC Team <team@keepassxc.org>
+#
+#  This program is free software: you can redistribute it and/or modify
+#  it under the terms of the GNU General Public License as published by
+#  the Free Software Foundation, either version 2 or (at your option)
+#  version 3 of the License.
+#
+#  This program is distributed in the hope that it will be useful,
+#  but WITHOUT ANY WARRANTY; without even the implied warranty of
+#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+#  GNU General Public License for more details.
+#
+#  You should have received a copy of the GNU General Public License
+#  along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+
+# CPACK_PACKAGE_FILES is set only during POST_BUILD
+if(NOT CPACK_PACKAGE_FILES)     # PRE_BUILD: Sign binaries
+
+    set(PROGNAME "@PROGNAME@")
+    set(CODESIGN_IDENTITY "@WITH_XC_CODESIGN_IDENTITY@")
+    set(ENTITLEMENTS @MACOSX_BUNDLE_APPLE_ENTITLEMENTS@)
+    set(APP_DIR "${CPACK_TEMPORARY_INSTALL_DIRECTORY}/ALL_IN_ONE/${PROGNAME}.app")
+
+    if(NOT CODESIGN_IDENTITY)
+        message(FATAL_ERROR "No codesign identity specified.")
+    endif()
+
+    message(STATUS "Codesign identity used: ${CODESIGN_IDENTITY}")
+    message(STATUS "Signing ${PROGNAME}.app, this may take while...")
+
+    # Sign all binaries
+    execute_process(
+        COMMAND xcrun codesign --sign=${CODESIGN_IDENTITY} --force --options=runtime --deep "${APP_DIR}"
+        RESULT_VARIABLE SIGN_RESULT
+        OUTPUT_VARIABLE SIGN_OUTPUT
+        ERROR_VARIABLE SIGN_ERROR
+        OUTPUT_STRIP_TRAILING_WHITESPACE
+        ERROR_STRIP_TRAILING_WHITESPACE
+        ECHO_OUTPUT_VARIABLE
+    )
+    if (NOT SIGN_RESULT EQUAL 0)
+        message(FATAL_ERROR "Signing binaries failed: ${SIGN_ERROR}")
+    endif()
+
+    # (Re-)Sign main executable with --entitlements
+    execute_process(
+        COMMAND xcrun codesign --sign=${CODESIGN_IDENTITY} --force --options=runtime --entitlements=${ENTITLEMENTS} "${APP_DIR}/Contents/MacOS/${PROGNAME}"
+        RESULT_VARIABLE SIGN_RESULT
+        OUTPUT_VARIABLE SIGN_OUTPUT
+        ERROR_VARIABLE SIGN_ERROR
+        OUTPUT_STRIP_TRAILING_WHITESPACE
+        ERROR_STRIP_TRAILING_WHITESPACE
+        ECHO_OUTPUT_VARIABLE
+    )
+    if (NOT SIGN_RESULT EQUAL 0)
+        message(FATAL_ERROR "Signing main binary failed: ${SIGN_ERROR}")
+    endif()
+
+    message(STATUS "${PROGNAME}.app signed successfully.")
+
+else()       # POST_BUILD: Notarize DMG
+    set(KEYCHAIN_PROFILE "@WITH_XC_NOTARY_KEYCHAIN_PROFILE@")
+    if(NOT KEYCHAIN_PROFILE)
+        message(FATAL_ERROR "No notarization credentials keychain profile specified.")
+    endif()
+
+    foreach(DMG_FILE ${CPACK_PACKAGE_FILES})
+        # Submit for notarization
+        message(STATUS "Submitting DMG bundle for notarization, this may take while...")
+        execute_process(
+                COMMAND xcrun notarytool submit --keychain-profile=${KEYCHAIN_PROFILE} --wait "${DMG_FILE}"
+                RESULT_VARIABLE NOTARIZE_RESULT
+                OUTPUT_VARIABLE NOTARIZE_OUTPUT
+                ERROR_VARIABLE NOTARIZE_ERROR
+                OUTPUT_STRIP_TRAILING_WHITESPACE
+                ERROR_STRIP_TRAILING_WHITESPACE
+                ECHO_OUTPUT_VARIABLE
+        )
+        if (NOT NOTARIZE_RESULT EQUAL 0)
+            message(FATAL_ERROR "Notarization failed: ${NOTARIZE_ERROR}")
+        endif()
+        message(STATUS "DMG bundle notarized successfully.")
+
+        # Staple tickets
+        message(STATUS "Stapling notarization ticket...")
+        execute_process(
+                COMMAND xcrun stapler staple "${DMG_FILE}" && xcrun stapler validate "${DMG_FILE}"
+                RESULT_VARIABLE STAPLE_RESULT
+                OUTPUT_VARIABLE STAPLE_OUTPUT
+                ERROR_VARIABLE STAPLE_ERROR
+                OUTPUT_STRIP_TRAILING_WHITESPACE
+                ERROR_STRIP_TRAILING_WHITESPACE
+                ECHO_OUTPUT_VARIABLE
+        )
+        if (NOT STAPLE_RESULT EQUAL 0)
+            message(FATAL_ERROR "Stapling failed: ${STAPLE_ERROR}")
+        endif()
+        message(STATUS "DMG bundle notarization ticket stapled successfully.")
+    endforeach()
+endif()

cmake/MakePortableZip.cmake

@@ -1,3 +0,0 @@
-if (CMAKE_INSTALL_PREFIX MATCHES "/ZIP/")
-  file(TOUCH "${CMAKE_INSTALL_PREFIX}/.portable")
-endif()

cmake/WindowsCodesign.cmake.in

@@ -0,0 +1,79 @@
+#  Copyright (C) 2025 KeePassXC Team <team@keepassxc.org>
+#
+#  This program is free software: you can redistribute it and/or modify
+#  it under the terms of the GNU General Public License as published by
+#  the Free Software Foundation, either version 2 or (at your option)
+#  version 3 of the License.
+#
+#  This program is distributed in the hope that it will be useful,
+#  but WITHOUT ANY WARRANTY; without even the implied warranty of
+#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+#  GNU General Public License for more details.
+#
+#  You should have received a copy of the GNU General Public License
+#  along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+set(INSTALL_DIR ${CPACK_TEMPORARY_INSTALL_DIRECTORY})
+set(CODESIGN_IDENTITY @WITH_XC_CODESIGN_IDENTITY@)
+set(TIMESTAMP_URL @WITH_XC_CODESIGN_TIMESTAMP_URL@)
+
+if(CPACK_PACKAGE_FILES) 
+    # This variable is set only during POST_BUILD, reset SIGN_FILES first
+    set(SIGN_FILES "")
+    foreach(PACKAGE_FILE ${CPACK_PACKAGE_FILES})
+        # Check each package file to see if it can be signed
+        if(PACKAGE_FILE MATCHES "\\.msix?$" OR PACKAGE_FILE MATCHES "\\.exe$")
+            message(STATUS "Adding ${PACKAGE_FILE} for signature")
+            list(APPEND SIGN_FILES "${PACKAGE_FILE}")
+        endif()
+    endforeach()
+else()
+    # Setup portable zip file if building one
+    if(INSTALL_DIR MATCHES "/ZIP/")
+        file(TOUCH "${INSTALL_DIR}/.portable")
+        message(STATUS "Injected portable marker into ZIP file.")
+    endif()
+
+    # Find all dll and exe files in the install directory
+    file(GLOB_RECURSE SIGN_FILES
+            RELATIVE "${INSTALL_DIR}"
+            "${INSTALL_DIR}/*.dll"
+            "${INSTALL_DIR}/*.exe"
+    )
+endif()
+
+# Sign relevant binaries if requested
+if(CODESIGN_IDENTITY AND SIGN_FILES)
+    # Find signtool in PATH or error out
+    find_program(SIGNTOOL signtool.exe QUIET)
+    if(NOT SIGNTOOL)
+        message(FATAL_ERROR "signtool.exe not found in PATH, correct or unset WITH_XC_CODESIGN_IDENTITY")
+    endif()
+
+    # Check that a certificate thumbprint was provided or error out
+    if(CODESIGN_IDENTITY STREQUAL "auto")
+        message(STATUS "Signing using best available certificate.")
+        set(CERT_OPTS /a)
+    else ()
+        message(STATUS "Signing using certificate with fingerprint ${CODESIGN_IDENTITY}.")
+        set(CERT_OPTS /sha1 ${CODESIGN_IDENTITY})
+    endif()
+
+    message(STATUS "Signing binary files, this may take a while...")
+    # Use cmd /c to enable pop-up for pin entry if needed
+    execute_process(
+            COMMAND cmd /c ${SIGNTOOL} sign /fd SHA256 ${CERT_OPTS} /tr ${TIMESTAMP_URL} /td SHA256 /d ${CPACK_PACKAGE_FILE_NAME} ${SIGN_FILES}
+            WORKING_DIRECTORY "${INSTALL_DIR}"
+            RESULT_VARIABLE SIGN_RESULT
+            OUTPUT_VARIABLE SIGN_OUTPUT
+            ERROR_VARIABLE SIGN_ERROR
+            OUTPUT_STRIP_TRAILING_WHITESPACE
+            ERROR_STRIP_TRAILING_WHITESPACE
+            ECHO_OUTPUT_VARIABLE
+    )
+    if(NOT SIGN_RESULT EQUAL 0)
+        message(FATAL_ERROR "Signing binary files failed: ${SIGN_ERROR}")
+    endif()
+
+    message(STATUS "Binary files signed successfully.")
+endif()

codecov.yaml

@@ -1,8 +1,27 @@
+codecov:
+  require_ci_to_pass: false
 coverage:
   range: 60..80
   round: nearest
   precision: 2
+  status:
+    project:
+      default:
+        target: auto
+        threshold: 0.5%
+        paths:
+          - "src"
+    patch:
+      default:
+        target: 50%
+        threshold: 0%
+        informational: true
+        paths:
+          - "src"
 fixes:
   - "*/src/::"
+ignore:
+  - "src/gui/styles/**"
+  - "src/thirdparty/**"
 comment:
   require_changes: true

docs/GettingStarted.adoc

@@ -7,6 +7,7 @@ KeePassXC Team <team@keepassxc.org>
 :imagesdir: images
 :stylesheet: styles/dark.css
 :toc: left
+:experimental:
 ifdef::backend-pdf[]
 :title-page:
 :title-logo-image: {imagesdir}/kpxc_logo.png
@@ -26,8 +27,8 @@ include::topics/DownloadInstall.adoc[tags=*;!advanced]
 
 include::topics/UserInterface.adoc[tags=*;!advanced]
 
-include::topics/PasswordGenerator.adoc[tags=*;!advanced]
-
 include::topics/DatabaseOperations.adoc[tags=*;!advanced]
 
-include::topics/BrowserPlugin.adoc[tags=*;!advanced]
+include::topics/PasswordGenerator.adoc[tags=*;!advanced]
+
+include::topics/BrowserIntegration.adoc[tags=*;!advanced]

docs/UserGuide.adoc

@@ -6,6 +6,8 @@ KeePassXC Team <team@keepassxc.org>
 :imagesdir: images
 :stylesheet: styles/dark.css
 :toc: left
+:sectanchors:
+:experimental:
 ifdef::backend-pdf[]
 :title-page:
 :title-logo-image: {imagesdir}/kpxc_logo.png
@@ -23,17 +25,19 @@ include::topics/UserInterface.adoc[tags=*]
 
 include::topics/DatabaseOperations.adoc[tags=*]
 
-include::topics/ImportExport.adoc[tags=*]
-
 include::topics/PasswordGenerator.adoc[tags=*]
 
-include::topics/BrowserPlugin.adoc[tags=*]
+include::topics/ImportExport.adoc[tags=*]
+
+include::topics/KeeShare.adoc[tags=*]
+
+include::topics/BrowserIntegration.adoc[tags=*]
 
 include::topics/Passkeys.adoc[tags=*]
 
 include::topics/AutoType.adoc[tags=*]
 
-include::topics/KeeShare.adoc[tags=*]
+include::topics/SecretService.adoc[tags=*]
 
 include::topics/SSHAgent.adoc[tags=*]
 

docs/man/keepassxc.1.adoc

@@ -28,26 +28,38 @@ keepassxc - a modern open-source password manager
 *keepassxc* [_options_] [_filename(s)_]
 
 == DESCRIPTION
-*KeePassXC* is a free/open-source password manager or safe which helps you to manage your passwords in a secure way.
-The complete database is always encrypted with the industry-standard AES (alias Rijndael) encryption algorithm using a 256 bit key.
+*KeePassXC* is a free/open-source password manager or safe which helps you to manage your passwords securely.
+The complete database is always encrypted with the industry-standard AES (also known as Rijndael) encryption algorithm using a 256-bit key.
 KeePassXC uses a database format that is compatible with KeePass Password Safe.
-Your wallet works offline and requires no Internet connection.
+Your database works offline and requires no internet connection.
 
 == OPTIONS
 *-h*, *--help*::
   Displays this help.
 
+*--help-all*::
+  Displays help including Qt specific options.
+
 *-v*, *--version*::
   Displays version information.
 
 *--config* <__config__>::
   Path to a custom config file.
 
+*--localconfig* <__localconfig__>::
+  Path to a custom local config file.
+
+*--lock*::
+  Locks all open databases.
+
 *--keyfile* <__keyfile__>::
   Key file of the database.
 
 *--pw-stdin*::
-  Read password of the database from stdin.
+  Reads password of the database from stdin.
+
+*--minimized*::
+  Starts KeePassXC minimized to the system tray.
 
 *--debug-info*::
   Displays debugging information.

docs/styles/dark.css

@@ -180,7 +180,7 @@ body.toc2.toc-right{padding-left:0;padding-right:20em}}
 .sect1{padding-bottom:1.25em}}
 .sect1:last-child{padding-bottom:0}
 .sect1+.sect1{border-top:1px solid #efefed}
-#content h1>a.anchor,h2>a.anchor,h3>a.anchor,#toctitle>a.anchor,.sidebarblock>.content>.title>a.anchor,h4>a.anchor,h5>a.anchor,h6>a.anchor{position:absolute;z-index:1001;width:1.5ex;margin-left:-1.5ex;display:block;text-decoration:none!important;visibility:hidden;text-align:center;font-weight:400}
+#content h1>a.anchor,h2>a.anchor,h3>a.anchor,#toctitle>a.anchor,.sidebarblock>.content>.title>a.anchor,h4>a.anchor,h5>a.anchor,h6>a.anchor{position:absolute;z-index:1001;width:2.0ex;margin-left:-1.8ex;margin-top:0.08ex;display:block;text-decoration:none!important;visibility:hidden;text-align:center;font-weight:400}
 #content h1>a.anchor::before,h2>a.anchor::before,h3>a.anchor::before,#toctitle>a.anchor::before,.sidebarblock>.content>.title>a.anchor::before,h4>a.anchor::before,h5>a.anchor::before,h6>a.anchor::before{content:"\00A7";font-size:.85em;display:block;padding-top:.1em}
 #content h1:hover>a.anchor,#content h1>a.anchor:hover,h2:hover>a.anchor,h2>a.anchor:hover,h3:hover>a.anchor,#toctitle:hover>a.anchor,.sidebarblock>.content>.title:hover>a.anchor,h3>a.anchor:hover,#toctitle>a.anchor:hover,.sidebarblock>.content>.title>a.anchor:hover,h4:hover>a.anchor,h4>a.anchor:hover,h5:hover>a.anchor,h5>a.anchor:hover,h6:hover>a.anchor,h6>a.anchor:hover{visibility:visible}
 #content h1>a.link,h2>a.link,h3>a.link,#toctitle>a.link,.sidebarblock>.content>.title>a.link,h4>a.link,h5>a.link,h6>a.link{color:#ba3925;text-decoration:none}

docs/topics/.sharedheader

@@ -4,3 +4,4 @@ KeePassXC Team <team@keepassxc.org>
 :stylesheet: ../styles/dark.css
 :icons: font
 :toc: left
+:experimental:

docs/topics/AutoType.adoc

@@ -24,20 +24,22 @@ You can also set the time to remember the last used entry between presses of the
 === Configure Auto-Type Sequences
 Each entry in your database can have multiple Auto-Type sequences associated with various window titles. Simulated key presses can be sent to any other currently open window of your choice (web browser windows, login dialogs boxes, and so on). When the Global Auto-Type hotkey is pressed, KeePassXC will search your database for entries matching the current selected window title.
 
-NOTE: The default Auto-Type sequence is `{USERNAME}{TAB}{PASSWORD}{ENTER}`. This means that it first types the username of the selected entry, then presses the `Tab` key, then types the password of the entry and finally presses the `Enter` key.
+NOTE: The default Auto-Type sequence is `{USERNAME}{TAB}{PASSWORD}{ENTER}`. This means that it first types the username of the selected entry, then presses the kbd:[Tab] key, then types the password of the entry and finally presses the kbd:[Enter] key.
 
 TIP: To change the default Auto-Type sequence for all entries of your database, edit the root (top-most) group of your database and set a specific sequence. Child groups and entries will inherit this sequence by default.
 
 To configure Auto-Type sequences for your entries, perform the following steps:
 
-1.	Navigate to the entries list and open the desired entry for editing. Click the _Auto-Type_ item from the left-hand menu bar *(1)*. Press the `+` button *(2)* to add a new sequence entry. Select the desired window using the drop-down menu, or simply type a window title in the box *(3)*.
+1.	Navigate to the entries list and open the desired entry for editing. Click the _Auto-Type_ item from the left-hand menu bar *(1)*. Press the kbd:[+] button *(2)* to add a new sequence entry. Select the desired window using the drop-down menu, or simply type a window title in the box *(3)*.
 +
-TIP: You can use an asterisk (`\*`) to match any value (e.g., when a window title contains a dynamic filename or website name). Set the window title to `*` to match all windows. Leave the window title blank to offer additional default Auto-Type sequences, such as custom attributes.
+TIP: You can use an asterisk (`\*`) as a wildcard (e.g., when a window title contains a dynamic file or website name). Set the window title to `*` to match all windows. Leave the window title blank to offer additional sequences for every matching window. This is useful for typing individual custom attributes, for example.
++
+TIP: To use a standard regular expression for window title matching, the window title must start and end with two forward slashes (e.g., `//^Secure Login - .*$//`).
 +
 .Auto-Type entry sequences
 image::autotype_entry_sequences.png[]
 
-2. _(Optional)_ Define a custom Auto-Type sequence for each window title match by selecting the _Use specific sequence for this association_ checkbox. Sequence action codes and field placeholders are detailed in the following table. Beyond the most important ones detailed below, there are additional action codes and placeholders available: xref:UserGuide.adoc#_auto_type_actions[Auto-Type Actions Reference] and xref:UserGuide.adoc#_entry_placeholders[Entry Placeholders Reference]. Action codes and placeholders are not case sensitive.
+2. _(Optional)_ Define a custom Auto-Type sequence for each window title match by selecting the _Use specific sequence for this association_ checkbox. Sequence action codes and field placeholders are detailed in the following table. Beyond the most important ones detailed below, there are additional action codes and placeholders available: <<Auto-Type Actions, Auto-Type Actions Reference>> and <<Entry Placeholders, Entry Placeholders Reference>>. Action codes and placeholders are not case sensitive.
 +
 [grid=rows, frame=none, width=90%]
 |===
@@ -60,7 +62,7 @@ image::autotype_entry_sequences.png[]
 |Press the corresponding keyboard key
 
 |{UP}, {DOWN}, {LEFT}, {RIGHT}  |Press the corresponding arrow key
-|{LEFTBRACE}, {RIGHTBRACE}      |Press `{` or `}`, respectively
+|{LEFTBRACE}, {RIGHTBRACE}      |Press kbd:[{] or kbd:[}], respectively
 |{&lt;KEY&gt; X}     |Repeat &lt;KEY&gt; X times (e.g., {SPACE 5} inserts five spaces)
 |{DELAY=X}     |Set delay between key presses to X milliseconds
 |{DELAY X}     |Pause typing for X milliseconds
@@ -89,7 +91,7 @@ When you press the global Auto-Type hotkey, KeePassXC searches all unlocked data
 .Auto-Type sequence selection
 image::autotype_selection_dialog.png[,70%]
 
-Perform the selected Auto-Type sequence by double clicking the desired row or pressing _Enter_. Press the up and down arrows to navigate the list. Sequences can be filtered through the text edit field.
+Perform the selected Auto-Type sequence by double clicking the desired row or pressing kbd:[Enter]. Press the up and down arrows to navigate the list. Sequences can be filtered through the text edit field.
 
 .Auto-Type search database
 image::autotype_selection_dialog_search.png[,70%]
@@ -104,7 +106,7 @@ The option to type just the username, password, or current TOTP value is availab
 TIP: On Windows, you will see an option to use a virtual keyboard in this sub-menu. This is an experimental feature that allows you to type into virtual machines by simulating actual keyboard presses. Some international keyboards may be unsupported due to limitations in the Windows API.
 
 === Performing Entry-Level Auto-Type
-You can quickly activate the default Auto-Type sequence for a particular entry using Entry-Level Auto-Type. For this operation, the KeePassXC window will be minimized and the Auto-Type sequence occurs in the previously selected window. You can perform Entry-Level Auto-Type from the toolbar icon *(A)*, entry context menu *(B)*, or by pressing `Ctrl+Shift+V`.
+You can quickly activate the default Auto-Type sequence for a particular entry using Entry-Level Auto-Type. For this operation, the KeePassXC window will be minimized and the Auto-Type sequence occurs in the previously selected window. You can perform Entry-Level Auto-Type from the toolbar icon *(A)*, entry context menu *(B)*, or by pressing kbd:[Ctrl+Shift+V].
 
 WARNING: Be careful when using Entry-Level Auto-Type as you can inadvertently type into the wrong window. For example, a chat window or email.
 

docs/topics/BrowserIntegration.adoc

@@ -1,158 +1,223 @@
-= KeePassXC – Browser Plugin
-include::.sharedheader[]
-:imagesdir: ../images
-
-// tag::content[]
-== Setup Browser Integration
-The KeePassXC-Browser extension is installed within your web browser so that you can automatically pull usernames and passwords from KeePassXC and populate them directly into website fields. It is a very useful and secure extension that enhances your productivity while using KeePassXC. With this extension, you do not need to manually copy the data from your KeePassXC database and paste it into the website fields.
-
-The KeePassXC-Browser extension is available on the following web browsers:
-
-* Google Chrome, Vivaldi, and Brave
-* Mozilla Firefox and Tor-Browser
-* Microsoft Edge
-* Chromium
-
-=== Install the Browser Extension
-You can download the KeePassXC-Browser extension from your web browser. To download the KeePassXC-Browser extension, perform the following steps:
-
-1. Click the link corresponding to your browser:
-  * https://chrome.google.com/webstore/detail/keepassxc-browser/oboonakemofpalcgghocfoadofidjkkk[Chrome, Chromium, Vivaldi, and Brave]
-  * https://addons.mozilla.org/en-US/firefox/addon/keepassxc-browser[Mozilla Firefox and Tor-Browser]
-  * https://microsoftedge.microsoft.com/addons/detail/keepassxcbrowser/pdffhmdngciaglkoonimfcmckehcpafo[Microsoft Edge]
-
-2. Click the button to install/add the extension to the browser. Accept any confirmation dialogs.
-
-TIP: For the most up-to-date troubleshooting advice on all platforms, please read our https://github.com/keepassxreboot/keepassxc-browser/wiki/Troubleshooting-guide[Troubleshooting Guide].
-
-// tag::advanced[]
-NOTE: When Microsoft Edge is installed as a managed application, system administrators are required to deploy a custom native messaging configuration. Instructions for this are found in the advanced section below.
-// end::advanced[]
-
-=== Configure KeePassXC-Browser
-To start using KeePassXC-Browser, you must configure it so that it can communicate with the KeePassXC application on your desktop.
-
-To configure KeePassXC-Browser, perform the following steps:
-
-1. Open the KeePassXC application on your desktop and navigate to Tools > Settings.
-
-2. Click the Browser Integration option on the left-hand side *(1)*. The following screen appears:
-+
-.Browser Settings
-image::browser_settings.png[]
-
-3. Click the _Enable browser integration_ checkbox *(2)*. Then select the browsers for which you have downloaded the KeePassXC-Browser extension *(3)* and click *OK*.
-
-4. Ensure your database is unlocked, then open (or restart) your browser.
-
-5. Click the KeePassXC-Browser extension icon *(A)* in your browser (see figure below). A pop-up window appears.
-+
-.Connect Extension to KeePassXC
-image::browser_extension_connect.png[,80%]
-
-6. Click the _Connect_ button *(B)* in the pop-up window to complete integrating the KeePassXC-Browser extension with your KeePassXC desktop application.
-
-7. You are now prompted to enter a unique name to identify the connection between this browser and your database. Enter a unique name in the field (e.g., firefox-laptop) and click the _Save and allow access_ button.
-+
-.Extension Association Dialog
-image::browser_extension_association.png[,80%]
-
-WARNING: If you reuse a connection name in a database, the previous browser connection will be overwritten and prevent access.
-
-=== Using the Browser Extension
-The KeePassXC-Browser extension lets you automatically populate the entries from your KeePassXC database into the fields on websites you visit. To do so, perform the following steps:
-
-1. Open your KeePassXC desktop application and unlock your database.
-
-2. Open your web browser. The KeePassXC-Browser extension icon in your browser window will change based on its connection state. The figure below shows the different states.
-+
-*(A)* KeePassXC is not running or is disconnected +
-*(B)* Connected to KeePassXC, but database is locked +
-*\(C)* Connected to KeePassXC and ready to use
-+
-.Extension Icon States
-image::browser_extension_icons.png[,70%]
-
-3. If the KeePassXC desktop application is not connected with the KeePassXC-Browser extension, click the extension icon in your web browser and click _Reload_ from the pop-up window as shown in the following screen.
-+
-.Reload Extension Connection
-image::browser_extension_reload.png[,80%]
-
-4. Open the URL for which you want to use with your database. If you have previously created an entry in your database then the KeePassXC-Browser Confirm Access dialog may appear:
-+
-.Confirm Access Dialog
-image::browser_confirm_access_dialog.png[,80%]
-
-5. Ensure the credentials you want to use are checked, then click *(A)* Remember _(optional)_, then click _Allow Selected_ *(B)*.
-
-6. In your website, the KeePassXC icon will appear in the username field of the login form *(A)*. Click the icon to populate the field with your stored credentials. If you have more than one credential for this website, a dropdown will appear to choose the one to use.
-+
-.Fill Credentials
-image::browser_fill_credentials.png[,80%]
-
-// tag::advanced[]
-=== Browser statistics
-You can see a cross-section of all browser-related settings applied to entries within a database through the Browser Statistics report. To access these, use the _Database_ -> _Database reports..._ menu option then click on _Browser Statistics_ on the left-hand menu. From here you can see all entries with URLs applied to them, explicitly allowed and denied URLs, and any entries with custom browser settings.
-
-.Browser statistics
-image::browser_statistics.png[]
-
-=== Advanced Usage
-You can configure unique browser integration behavior for each entry. This allows you to add multiple URLs to an entry, hide an entry from the browser integration, and more. To access these settings, open an entry for editing then click on _Browser Integration_ option in the left-hand menu *(1)*.
-
-After opening the settings you can add any number of additional URLs by clicking the _Add_ button *(2)* and typing the URL in the list to the left *(3)*.
-
-.Entry browser settings
-image::browser_entry_settings.png[]
-
-To set options for all entries within a group, edit the group and go to the browser integration section *(1)*. Here you can explicitly disable access to all entries under a group hierarchy to the browser extension. You can set other useful options for groups of entries as well.
-
-.Group browser settings
-image::browser_group_settings.png[]
-
-Database-wide operations are available in the database settings. To access these use the _Database_ -> _Database settings..._ menu option. Click on _Browser Integration_ on the left-hand menu. From here you can disconnect all browsers, convert legacy KeePass-HTTP settings, reset all entry-level settings, and refresh the database root group ID (useful when making copies of your database file).
-
-.Database browser settings
-image::browser_database_settings.png[]
-
-Finally, advanced application-wide settings are available in the Browser Integration tab of the application settings.
-
-WARNING: We do not recommend changing any of these settings as they may break the browser integration plugin.
-
-.Advanced browser settings
-image::browser_advanced_settings.png[]
-
-=== Advanced Setup
-==== Managed Microsoft Edge on Windows
-1. Deploy *org.keepassxc.keepassxc_browser_edge.json* to, for example, `C:\ProgramData\KeepassXC` on all managed platforms.
-+
-----
-{
-    "allowed_origins": [
-        "chrome-extension://pdffhmdngciaglkoonimfcmckehcpafo/"
-    ],
-    "description": "KeePassXC integration with native messaging support",
-    "name": "org.keepassxc.keepassxc_browser",
-    "path": "C:\\Program Files\\KeePassXC\\keepassxc-proxy.exe",
-    "type": "stdio"
-}
-----
-
-2. Configure GPO options (registry result):
-+
-----
-Windows Registry Editor Version 5.00
-[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Edge\NativeMessagingHosts\org.keepassxc.keepassxc_browser]
-@="C:\ProgramData\KeepassXC\org.keepassxc.keepassxc_browser_edge.json"
-
-[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge]
-"NativeMessagingUserLevelHosts"=dword:00000000
-
-[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallAllowlist]
-"1"="pdffhmdngciaglkoonimfcmckehcpafo"
-
-[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge\NativeMessagingAllowlist]
-"1"="org.keepassxc.keepassxc_browser"
-----
-// end::advanced[]
-// end::content[]
+= KeePassXC – Browser Plugin
+include::.sharedheader[]
+:imagesdir: ../images
+
+// tag::content[]
+== Browser Integration
+The KeePassXC-Browser extension is installed within your web browser so that you can automatically pull usernames and passwords from KeePassXC and populate them directly into website fields. It is a very useful and secure extension that enhances your productivity while using KeePassXC. With this extension, you do not need to manually copy the data from your KeePassXC database and paste it into the website fields.
+
+The KeePassXC-Browser extension is available on the following web browsers:
+
+* Google Chrome, Vivaldi, and Brave
+* Mozilla Firefox and Tor-Browser
+* Microsoft Edge
+* Chromium
+
+NOTE: On Linux, Flatpak and Snap based browsers are generally not supported. Ubuntu's Firefox Snap is currently the only known exception. 
+
+=== Install the Browser Extension
+You can download the KeePassXC-Browser extension from your web browser. To download the KeePassXC-Browser extension, perform the following steps:
+
+1. Click the link corresponding to your browser:
+  * https://chromewebstore.google.com/detail/keepassxc-browser/oboonakemofpalcgghocfoadofidjkkk[Chrome, Chromium, Vivaldi, and Brave]
+  * https://addons.mozilla.org/en-US/firefox/addon/keepassxc-browser[Mozilla Firefox and Tor-Browser]
+  * https://microsoftedge.microsoft.com/addons/detail/keepassxcbrowser/pdffhmdngciaglkoonimfcmckehcpafo[Microsoft Edge]
+
+2. Click the button to install/add the extension to the browser. Accept any confirmation dialogs.
+
+TIP: For the most up-to-date troubleshooting advice on all platforms, please read our https://github.com/keepassxreboot/keepassxc-browser/wiki/Troubleshooting-guide[Troubleshooting Guide].
+
+// tag::advanced[]
+NOTE: When Microsoft Edge is installed as a managed application, system administrators are required to deploy a custom native messaging configuration. Instructions for this are found in the advanced section below.
+// end::advanced[]
+
+=== Configure KeePassXC-Browser
+To start using KeePassXC-Browser, you must configure it so that it can communicate with the KeePassXC application on your desktop.
+
+To configure KeePassXC-Browser, perform the following steps:
+
+1. Open the KeePassXC application on your desktop and navigate to Tools > Settings.
+
+2. Click the Browser Integration option on the left-hand side *(1)*. The following screen appears:
++
+.Browser Settings
+image::browser_settings.png[]
+
+3. Click the _Enable browser integration_ checkbox *(2)*. Then select the browsers for which you have downloaded the KeePassXC-Browser extension *(3)* and click *OK*.
+
+4. Ensure your database is unlocked, then open (or restart) your browser.
+
+5. Click the KeePassXC-Browser extension icon *(A)* in your browser (see figure below). A pop-up window appears.
++
+.Connect Extension to KeePassXC
+image::browser_extension_connect.png[,80%]
+
+6. Click the _Connect_ button *(B)* in the pop-up window to complete integrating the KeePassXC-Browser extension with your KeePassXC desktop application.
+
+7. You are now prompted to enter a unique name to identify the connection between this browser and your database. Enter a unique name in the field (e.g., firefox-laptop) and click the _Save and allow access_ button.
++
+.Extension Association Dialog
+image::browser_extension_association.png[,80%]
+
+WARNING: If you reuse a connection name in a database, the previous browser connection will be overwritten and prevent access.
+
+=== Using the Browser Extension
+The KeePassXC-Browser extension lets you automatically populate the entries from your KeePassXC database into the fields on websites you visit. To do so, perform the following steps:
+
+1. Open your KeePassXC desktop application and unlock your database.
+
+2. Open your web browser. The KeePassXC-Browser extension icon in your browser window will change based on its connection state. The figure below shows the different states.
++
+*(A)* KeePassXC is not running or is disconnected. +
+*(B)* KeePassXC is running, but KeePassXC Browser Extension is not connected to the current database. +
+*\(C)* Connected to KeePassXC, but database is locked. +
+*(D)* Connected to KeePassXC and ready to use. If the icon is shown with a number, it indicates the number of credentials found for the current site.
++
+.Extension Icon States
+image::browser_extension_icons.png[,70%]
+
+3. If the KeePassXC desktop application is not connected with the KeePassXC-Browser extension, click the extension icon in your web browser and click _Reload_ from the pop-up window as shown in the following screen.
++
+.Reload Extension Connection
+image::browser_extension_reload.png[,80%]
+
+4. Open the URL for which you want to use with your database. If you have previously created an entry in your database then the KeePassXC-Browser Confirm Access dialog may appear:
++
+.Confirm Access Dialog
+image::browser_confirm_access_dialog.png[,80%]
+
+5. Ensure the credentials you want to use are checked, then click *(A)* Remember _(optional)_, then click _Allow Selected_ *(B)*.
+
+6. In your website, the KeePassXC icon will appear in the username field of the login form *(A)*. Click the icon to populate the field with your stored credentials. If you have more than one credential for this website, a dropdown will appear to choose the one to use.
++
+.Fill Credentials
+image::browser_fill_credentials.png[,80%]
+
+=== Generate Passwords
+The KeePassXC-Browser Extension also lets you generate passwords directly in your browser. 
+This feature can be used for websites with existing credentials as well as for new websites. 
+You can then choose to update/add the credentials to your KeePassXC database directly from the Browser.
+
+1. Ensure your database is unlocked and configured to use the Browser extension as shown above.
+
+2. Right click on a password field and from the KeePassXC sub-menu choose _Show Password Generator_. The standard KeePassXC password generator will appear.
+
+3. Configure the password generation options and click _Apply Password_ when done. The generated password will be filled into the previously selected field.
+
+4. When you have successfully submitted the password on the website, a popup will appear asking you to either update an existing entry or add a new one.
+
+// tag::advanced[]
+=== Browser Integration Report
+You can see a cross-section of all browser-related settings applied to entries within a database through the Browser Statistics report. To access, use the _Database_ -> _Database reports..._ menu option then click on _Browser Statistics_ on the left-hand menu. From here you can see all entries with URLs applied to them, explicitly allowed and denied URLs, and any entries with custom browser settings.
+
+TIP: You can delete remembered site settings from the report by right clicking the entry you want to reset and selecting "Delete plugin data from entry".
+
+.Browser Integration Report
+image::browser_statistics.png[]
+
+=== Additional Fill-In Fields
+Sometimes login pages have additional fields you would like to fill (e.g., account number). Use the following instructions to add them:
+
+1. Edit the entry you want to add fields to. Go to the advanced tab and add the attributes you need. Each attribute *must start with* `KPH:`, but otherwise the name does not matter. If multiple KPH attributes are defined, they are used in alphabetical order (i.e., the order shown in KeePassXC).
+2. Within the browser, navigate to the page you want to use the additional fields on. Select the "Choose Custom Login Fields" button from the extension popup window. Choose Username, Password and String Field(s). Confirm the selections.
+3. Refresh the web page. The new KPH attribute(s) should be filled to the extra fields.
+
+.String Fields Selection in Browser
+image:browser_integration_additional_attribute.png[]
+
+=== Clearing Remembered Sites
+Entries that you have chosen to remember allow/deny rules are stored in their respect custom data fields. You can clear all of these remembered settings at once through the database settings. Follow these steps:
+
+1. Go to *Database* → *Database Settings* or click the database settings icon in the toolbar.
+2. Go to the *Browser Integration* tab, then click on the *Forget all site-specific settings on entries* button. 
+3. Confirm this action in the popup dialog. This cannot be undone once the database is saved. 
++
+.Clear Remembered Sites
+image::browser_integration_clear_sites.png[,100%]
+
+=== Advanced Usage
+You can configure unique browser integration behavior for each entry. This allows you to add multiple URLs to an entry, hide an entry from the browser integration, and more. To access these settings, open an entry for editing then click on _Browser Integration_ option in the left-hand menu *(1)*.
+
+After opening the settings you can add any number of additional URLs by clicking the _Add_ button *(2)* and typing the URL in the list to the left *(3)*.
+
+Additional URLs also supports wildcards (with KeePassXC 2.7.10 and later). You can use URLs like:
+----
+https://*.example.com
+https://example.com/*/path
+https://sub.*.example.com/path/*
+----
+
+.Entry browser settings
+image::browser_entry_settings.png[]
+
+To set options for all entries within a group, edit the group and go to the browser integration section *(1)*. Here you can explicitly disable access to all entries under a group hierarchy to the browser extension. You can set other useful options for groups of entries as well.
+
+.Group browser settings
+image::browser_group_settings.png[]
+
+Database-wide operations are available in the database settings. To access these use the _Database_ -> _Database settings..._ menu option. Click on _Browser Integration_ on the left-hand menu. From here you can disconnect all browsers, convert legacy KeePass-HTTP settings, reset all entry-level settings, and refresh the database root group ID (useful when making copies of your database file).
+
+.Database browser settings
+image::browser_database_settings.png[]
+
+Finally, advanced application-wide settings are available in the Browser Integration tab of the application settings.
+
+WARNING: We do not recommend changing any of these settings as they may break the browser integration plugin.
+
+.Advanced browser settings
+image::browser_advanced_settings.png[]
+
+=== Advanced Setup
+==== Custom Browser option
+It is possible to enable support for a custom browser (e.g. LibreWolf, WaterFox, Arc, beta and nightly browsers, etc.) using this feature.
+This feature is only available for Linux and macOS.
+
+.Custom browser configuration
+image::browser_custom_browser_configuration.png[]
+
+The native messaging script file needed for the custom browser depends on the browser type. For Firefox based browsers like Librefox the _Browser type_ must be _Firefox_. For Arc, Opera, etc. the type must be set to _Chromium_.
+
+_Config location_ must have the exact path for the browser's _native-messaging-hosts_ folder. If you are unsure, refer to our https://github.com/keepassxreboot/keepassxc-browser/wiki/Troubleshooting-guide#1-after-enabling-browser-integration-and-support-for-your-browser[Troubleshooting Guide] for listing of the most common paths, and a few ways for finding a path when it's not known.
+
+When a Custom Browser has been successfully set, KeePassXC will automatically write the needed native messaging script file to the folder.
+
+If you wish to support multiple custom browsers, you can copy the native messaging script files manually to the _native-messaging-hosts_ folder from other browsers.
+
+==== Managed Microsoft Edge on Windows
+1. Deploy *org.keepassxc.keepassxc_browser_edge.json* to, for example, `C:\ProgramData\KeePassXC\` on all managed platforms.
++
+----
+{
+    "allowed_origins": [
+        "chrome-extension://pdffhmdngciaglkoonimfcmckehcpafo/"
+    ],
+    "description": "KeePassXC integration with native messaging support",
+    "name": "org.keepassxc.keepassxc_browser",
+    "path": "C:\\Program Files\\KeePassXC\\keepassxc-proxy.exe",
+    "type": "stdio"
+}
+----
+
+2. Configure GPO options (see https://learn.microsoft.com/en-us/deployedge/microsoft-edge-policies#native-messaging[Microsoft Edge Native Messaging Policies] for more information.):
++
+----
+Windows Registry Editor Version 5.00
+[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Edge\NativeMessagingHosts\org.keepassxc.keepassxc_browser]
+@="C:\ProgramData\KeepassXC\org.keepassxc.keepassxc_browser_edge.json"
+
+[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge]
+"NativeMessagingUserLevelHosts"=dword:00000000
+
+[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallAllowlist]
+"1"="pdffhmdngciaglkoonimfcmckehcpafo"
+
+[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge\NativeMessagingAllowlist]
+"1"="org.keepassxc.keepassxc_browser"
+----
+
+==== Managed Microsoft Edge on macOS
+1. Deploy *org.keepassxc.keepassxc_browser_edge.json* to `/Library/Microsoft/Edge/NativeMessagingHosts`.
+
+2. You may need to configure Edge to allowlist the extension and native messaging host. See https://learn.microsoft.com/en-us/deployedge/microsoft-edge-policies#native-messaging[Microsoft Edge Native Messaging Policies] for more information.
+// end::advanced[]
+// end::content[]

docs/topics/DatabaseOperations.adoc

@@ -36,6 +36,13 @@ NOTE: Keep this password for your database safe. Either memorize it or note it d
 
 5. Click Done. You will be prompted to select a location to save your database file. The database file is saved on to your computer with the default `.kdbx` extension. You can store your database wherever you wish, it is fully encrypted at all times preventing unauthorized access.
 
+=== Storing Your Database
+The database file that you create might contain highly sensitive data and must be stored in a very secure way. You must make sure that the database is always protected with a strong and long password. The database file that is protected with a strong and long password is secure and encrypted while stored on your computer or cloud storage service.
+
+Make sure that you or someone else does not accidentally delete the database file. Deletion of the database file will result in the total loss of all your information (including all your passwords!) and a lot of inconvenience to manually retrieve your logins for various web applications. Do not share the credentials to access your database file with anyone unless you absolutely trust them (spouse, child, etc.).
+
+TIP: You can safely store your database file in the cloud (OneDrive, Dropbox, Google Drive, Nextcloud, Syncthing, etc.). The database file is always fully encrypted; unencrypted data is never written to disk and is never accessible to your cloud storage provider. We recommend using a storage service that keeps automatic backups (version history) of your database file in the event of corruption or accidental deletion.
+
 === Opening an Existing Database
 To open an existing database, perform the following steps:
 
@@ -51,9 +58,11 @@ image::unlock_database.png[]
 
 3. Enter the password for your database.
 
-4. _(Optional)_ Browse for the Key File if you have chosen it as an additional authentication factor while creating the database. Refer to the KeePassXC User Guide for more information on setting a Key File as an additional authentication factor.
+4. _(Optional)_ Click *I have a key file (A)* if you have one as an additional authentication factor for your database.
 
-5. Click *OK*. The database opens and the following screen is displayed:
+5. _(Optional)_ Plug in your configured YubiKey or OnlyKey to use it as an additional authentication factor. If you don't see it listed, press the refresh button *(B)*.
+
+6. Click *OK*. The database opens and the following screen is displayed:
 +
 .Unlocked database
 image::database_view.png[]
@@ -66,35 +75,24 @@ NOTE: On Windows, you will be prompted to authenticate to Windows Hello after un
 .Windows Hello example
 image::quick_unlock_windows_hello.png[]
 
-When your database is locked, you will see the following unlock dialog. Simply press _Enter_ or click on _Unlock Database_ to initiate the biometric authentication process. If you are using a hardware key (e.g. Yubikey), it must be connected to your computer to complete the unlock.
+When your database is locked, you will see the following unlock dialog. Simply press kbd:[Enter] or click on _Unlock Database_ to initiate the biometric authentication process. If you are using a hardware key (e.g. Yubikey), it must be connected to your computer to complete the unlock.
 
 .Quick Unlock
 image::quick_unlock.png[]
 
 // tag::advanced[]
-=== Expired Entries
-By default, KeePassXC will show entries that are expired or will be expiring within 3 days after unlocking the database. This feature allows you to change your passwords before they expire and be aware of passwords that are no longer valid. You can disable or change this feature in the Application Settings.
+NOTE: By default, KeePassXC will show entries that are expired or will be expiring within 3 days after unlocking the database. This feature allows you to change your passwords before they expire and be aware of passwords that are no longer valid. You can disable or change this feature in the Application Settings.
 
-=== Advanced Save Options
-There are three ways that KeePassXC can handle database files. This behavior is set in the Application Settings under _File Operations_.
-
-1. _(Default)_ *Safe saves* create a temporary database file alongside the existing one and atomically move it into place when all writing is complete. This prevents database corruption in the case of application crashes, loss of power, or other interruptions.
-
-2. *Temporary file saves* create a database in the temporary files folder. This database is then moved into place overtop of the existing file. Although rare, interruptions in this move process could leave your database in an unknown state. This option is useful for overcoming poorly behaved cloud sync tools.
-
-3. *Direct-write saves* write directly to the existing database file. This is an unsafe operation since any interruption can leave your entire database inaccessible. We only recommend using this option when interfacing with Linux GVFS services (e.g. Google Cloud on Gnome) and other types of storage services that host a virtual drive system.
-
-In addition to these save options, KeePassXC can create a backup of your existing database file just prior to saving. This backup will be saved at the path specified in the *Backup destination* field. This path can be absolute or relative. The latter will be resolved according to the databases path. It is possible to specify a custom naming scheme with placeholders. See xref:UserGuide.adoc#_backup_path_placeholders[Backup Path Placeholders] for available placeholders and examples.
-
-image::save_options.png[]
 // end::advanced[]
+=== Entry Handling
+Entries in KeePassXC are the fundamental units where all your sensitive information is stored. Each entry can contain various fields such as usernames, passwords, URLs, attachments, and notes. You can create, edit, clone, and delete entries as needed. Additionally, KeePassXC supports advanced features like TOTP for two-factor authentication, custom attributes, and entry history to track changes over time. Proper management of entries ensures that your data is organized, secure, and easily accessible when needed.
 
-=== Adding an Entry
+==== Adding an Entry
 All the details such as usernames, passwords, URLs, attachments, notes, and so on are stored in database entries. You can create as many entries as you want in the database.
 
 To add an entry, perform the following step:
 
-1. Navigate to Entries > New Entry (Or, press Ctrl+N). The following screen appears:
+1. Navigate to Entries > New Entry (or press kbd:[Ctrl+N]). The following screen appears:
 +
 .Adding a new entry
 image::edit_entry.png[]
@@ -112,18 +110,18 @@ image::edit_entry.png[]
 
 5. Click *OK* to add the entry to your database.
 
-=== Editing an Entry
+==== Editing an Entry
 To edit the details in an entry, perform the following steps:
 
 1. Select the entry you want to edit.
 
-2. Press `Enter`, click the edit toolbar icon, or right-click and select Edit Entry from the menu.
+2. Press kbd:[Enter], click the edit toolbar icon, or right-click and select Edit Entry from the menu.
 
 3. Make the desired changes.
 
 4. Click *OK*.
 
-=== Adding TOTP to an Entry
+==== Adding TOTP to an Entry
 Timed One-Time Passwords (TOTP) are a popular choice for two-factor authentication methods. These codes are typically six digits long and change every 30 seconds. They are derived from a shared secret value and the current time. Once set up, KeePassXC can calculate TOTP codes like any authenticator app, such as Google Authenticator. The codes can be used with copy/paste, browser extension, and Auto-Type.
 
 TIP: Your computer time must be synchronized with an internet time source to generate valid TOTP codes, https://www.nist.gov/pml/time-and-frequency-division/time-distribution/internet-time-service-its[read more here].
@@ -145,24 +143,34 @@ After an entry is configured with TOTP, you will see a clock icon in that entry'
 .TOTP Usage
 image::totp_usage_examples.png[]
 
-=== Deleting an Entry
+==== Entry Icons
+You can select an icon to be displayed with each entry for easy identification. KeePassXC comes with a set of default icons that you can use or you can use your own custom icons. If you defined a URL with an entry, you can also download the favorite icon for that particular website.
+
+NOTE: To delete a custom icon, go to <<Database Maintenance>> where you can purge unused icons and delete one or more icons at a time.
+
+.Entry icon selection
+image::edit_entry_icons.png[]
+
+TIP: Each KeePass application has different default icons. If you use a mobile app or KeePass2, be aware that the default icons may not be exactly correspond to the KeePassXC icons.
+
+==== Deleting an Entry
 To delete an entry, perform the following steps:
 
-1. Select the entry you want to delete and press the `Delete` button on your keyboard.
+1. Select the entry you want to delete and press the kbd:[Del] button on your keyboard.
 
 2. You will be prompted to move the entry to the Recycle Bin (if enabled).
 +
 NOTE: You can disable the recycle bin within the Database Settings. If the recycle bin is disabled then deleted entries will be permanently removed from the database.
 
-3. To permanently delete the entry, navigate to the Recycle Bin, select the entry you want to delete and press the `Delete` button on your keyboard.
+3. To permanently delete the entry, navigate to the Recycle Bin, select the entry you want to delete and press the kbd:[Del] button on your keyboard.
 
 // tag::advanced[]
-=== Clone an Entry
+==== Clone an Entry
 Creating a clone of an entry provides you a ready-to-use template for creating new entries with similar details of a master entry.
 
 To create a clone of an existing entry, perform the following steps:
 
-1.	Right-click on the entry for which you want to create a clone and select _Clone Entry_. Alternatively, select the desired entry and press `Ctrl+K`.
+1.	Right-click on the entry for which you want to create a clone and select _Clone Entry_. Alternatively, select the desired entry and press kbd:[Ctrl+K].
 +
 .Clone entry from context menu
 image::clone_entry.png[]
@@ -180,12 +188,73 @@ image::clone_entry_dialog.png[,50%]
 .References in a cloned entry
 image::clone_entry_references.png[]
 
-4. You can create your own references using the xref:UserGuide.adoc#_entry_cross_reference[Entry Reference Syntax]
+4. You can create your own references using the <<Entry Cross-Reference, Entry Reference Syntax>>
 
-== Searching the Database
-KeePassXC provides an enhanced and granular search features the enables you to search for specific entries in the databases using the different modifiers, wild card characters, and logical operators.
+==== Entry URL Handling
+KeePassXC can handle URLs in various ways. Standard URLs will be opened in your default browser. URLs that start with schemas handled by your Operating System will launch the associated application, for example `ftp://` or `ssh://`. You can also use the following URL schemas to perform specific actions:
 
-=== Modifiers and Fields
+|===
+|Schema    | Example   | Description
+
+|cmd://
+|`cmd://ssh {USERNAME}@example.com -p 2222`
+|Launches the specified command line executable with the specified arguments. The executable must be present on your PATH or an absolute path must be specified.
+
+|kdbx://
+|`kdbx://~/dbs/passwords.kdbx`
+|Opens the specified database file. Set the entry's username to the keyfile path (if required) and password to the database password. The database will open in a new tab.
+
+|===
+
+=== Advanced Entry Handling
+KeePassXC offers several advanced options for managing your database entries. Additional Attributes allow you to store extra information required by some applications and websites. Attachments enable you to attach files to entries, stored as encrypted binaries, which can be previewed directly in the application (text and images). Icons can be selected or downloaded for easy identification of entries. The Properties section lets you view basic properties such as creation, modification, and last accessed times, and retrieve an entry's UUID for references. KeePassXC also maintains a history of changes to entries, allowing you to view, restore, or delete previous versions of an entry.
+
+==== Additional Attributes
+A lot of applications and web sites now require providing additional information when you create accounts. The additional information is used to block hackers if any suspicious activity is detected. In addition, the additional information you provide can be used to reset passwords if you forget them. You can also store arbitrary information here that can be copied to the clipboard or Auto-Typed using the `{S:<ATTR_NAME>}` action code.
+
+To protect an attribute from being displayed by default, activate the _Protect_ checkbox *(A)*. To show the contents of the attribute while keeping it protected, press the _Reveal_ button *(B)*.
+
+.Additional attributes example
+image::edit_entry_attributes.png[]
+
+==== Attachments
+You can attach files to any entry in your database by pressing the _Add_ button *(A)*. These files are added to the database and stored as encrypted binaries. You can open, save, or delete attachments from this interface *(B)*.
+
+NOTE: When you try to open the attached file, KeePassXC extracts the attachment to a temporary file and opens it using the default application associated with the file type. After finishing viewing or editing the file, you can choose between importing or discarding the changes that you made to the temporary file. KeePassXC securely deletes the temporary file by overwriting it.
+
+.Attachments interface
+image::edit_entry_attachments.png[]
+
+==== Foreground and Background Color
+You can change the foreground *(A)* and/or background *(B)* color that this entry will use in the entry lists. Click the corresponding box to open the color picker dialog.
+
+.Color picker dialog
+image::edit_entry_colors.png[]
+
+==== Properties
+KeePassXC lets you view the basic properties such as date and time of creation, modification, and when last accessed. This is also where you can retrieve an entry's UUID for use in references.
+
+.Entry properties view
+image::edit_entry_properties.png[]
+
+==== History
+KeePassXC maintains a history of changes you make to your entries. Each time you change an entry, KeePassXC automatically creates a backup copy of the current, non-modified entry before saving the new values. You can view the changes you made previously, restore, and delete the history of changes you made. The age of the history item, the changes that were made, and the entry's size are shown in the table view.
+
+ * Show: Display this history item for review, a read-only copy of the entry will be shown.
+ * Restore: Reinstate the selected history item as the active entry details.
+ * Delete: Delete the selected history item.
+ * Delete All: Delete the entire history for this entry.
+
+.Entry history view
+image::edit_entry_history.png[]
+
+NOTE: Restoring an old history item will store the current entry settings as a new history item.
+
+// end::advanced[]
+=== Search
+KeePassXC provides a robust search that enables you to find specific entries in the databases using different modifiers, wild card characters, and logical operators. By default, search considers the following fields when matching your query: Title, Username, URL, Tags, and Notes. To include other fields and/or narrow your search to specific fields, you can use the search syntax described below.
+
+==== Modifiers and Fields
 [grid=rows, frame=none, width=70%]
 |===
 |Modifier   |Description
@@ -201,14 +270,15 @@ The following fields can be searched along with their abbreviated name in parent
 * Title (t)
 * Username (u)
 * Password (p, pw)
-* URL
+* URL (url)
 * Notes (n)
 * Attribute names and values (attr)
 * Attachment (attach)
 * Group (g)
+* Tags (tag)
 * Entry State (is:expired, is:weak)
 
-=== Wild Card Characters and Logical Operators
+==== Wild Card Characters and Logical Operators
 [grid=rows, frame=none, width=70%]
 |===
 |Wild Card Character    |Description
@@ -218,7 +288,7 @@ The following fields can be searched along with their abbreviated name in parent
 |\|	                    |Logical OR
 |===
 
-=== Sample Search Queries
+==== Sample Search Queries
 The following tables lists a few samples search queries for your reference:
 
 |===
@@ -236,63 +306,39 @@ The following tables lists a few samples search queries for your reference:
 |`+attr:mystring123`
 |Searches all additional attributes for any name OR value equal to mystring123.
 
+|`+tag:personal`
+| Search exactly for the 'personal' tag and do not include tags such as 'my personal'.
+
 |`is:expired is:weak`
 |Searches for all expired entries with weak passwords.
 |===
 
-== Advanced Entry Options
-=== Additional Attributes
-A lot of applications and web sites now require providing additional information when you create accounts. The additional information is used to block hackers if any suspicious activity is detected. In addition, the additional information you provide can be used to reset passwords if you forget them. You can also store arbitrary information here that can be copied to the clipboard or Auto-Typed using the `{S:<ATTR_NAME>}` action code.
+// tag::advanced[]
+=== Merging Databases
+KeePassXC allows you to merge entries from one database into another through the _Database_ -> _Merge From Database_ menu item. When merging, entries from the specified database will be imported into your currently open database. The merge process compares entries based on their unique identifiers (UUIDs) and modified timestamp. When an entry UUID matches, no matter which group it is in, the most recently modified version will be made the current and the previous version will be placed into the entry's history. Any new entries and/or groups will be added to the open database. This feature is useful for consolidating multiple databases or synchronizing databases from conflict files in a cloud storage system.
 
-To protect an attribute from being displayed by default, activate the _Protect_ checkbox *(A)*. To show the contents of the attribute while keeping it protected, press the _Reveal_ button *(B)*.
+NOTE: When you delete entries, a record of that deletion (the entry UUID) is stored to prevent that entry from reappearing from a merge operation. An existing entry that has the same UUID as a deleted item will be removed from the database without prompt.
 
-.Additional attributes example
-image::edit_entry_attributes.png[]
+=== Advanced Save Options
+There are three ways that KeePassXC can handle database files. This behavior is set in the Application Settings under _File Operations_.
 
-=== Attachments
-You can attach files to any entry in your database by pressing the _Add_ button *(A)*. These files are added to the database and stored as encrypted binaries. You can open, save, or delete attachments from this interface *(B)*.
+1. _(Default)_ *Safe saves* create a temporary database file alongside the existing one and atomically move it into place when all writing is complete. This prevents database corruption in the case of application crashes, loss of power, or other interruptions.
 
-NOTE: When you try to open the attached file, KeePassXC extracts the attachment to a temporary file and opens it using the default application associated with the file type. After finishing viewing or editing the file, you can choose between importing or discarding the changes that you made to the temporary file. KeePassXC securely deletes the temporary file by overwriting it.
+2. *Temporary file saves* create a database in the temporary files folder. This database is then moved into place overtop of the existing file. Although rare, interruptions in this move process could leave your database in an unknown state. This option is useful for overcoming poorly behaved cloud sync tools.
 
-.Attachments interface
-image::edit_entry_attachments.png[]
+3. *Direct-write saves* write directly to the existing database file. This is an unsafe operation since any interruption can leave your entire database inaccessible. We only recommend using this option when interfacing with Linux GVFS services (e.g. Google Cloud on Gnome) and other types of storage services that host a virtual drive system.
 
-=== Foreground and Background Color
-You can change the foreground *(A)* and/or background *(B)* color that this entry will use in the entry lists. Click the corresponding box to open the color picker dialog.
+=== Database Backup Options
+In addition to these save options, KeePassXC can create a backup of your existing database file just prior to saving. This backup will be saved at the path specified in the *Backup destination* field. This path can be absolute or relative. The latter will be resolved according to the databases path. It is possible to specify a custom naming scheme with placeholders. See <<Backup Path Placeholders, Backup Path Placeholders>> for available placeholders and examples.
 
-.Color picker dialog
-image::edit_entry_colors.png[]
+image::save_options.png[]
 
-=== Icons
-You can select an icon to be displayed with each entry for easy identification. KeePassXC comes with a set of default icons that you can use or you can use your own custom icons. If you defined a URL with an entry, you can also download the favorite icon for that particular website.
+Alternatively, backups can be created on-demand using the _Database_ -> _Save Database Backup..._ menu feature.
 
-NOTE: To delete a custom icon, go to xref:UserGuide.adoc#_database_maintenance[Database Maintenance] where you can purge unused icons and delete one or more icons at a time.
+.Saving a database backup
+image::save_database_backup.png[,40%]
 
-.Entry icon selection
-image::edit_entry_icons.png[]
-
-TIP: Each KeePass application has different default icons. If you use a mobile app or KeePass2, be aware that the default icons may not be exactly correspond to the KeePassXC icons.
-
-=== Properties
-KeePassXC lets you view the basic properties such as date and time of creation, modification, and when last accessed. This is also where you can retrieve an entry's UUID for use in references.
-
-.Entry properties view
-image::edit_entry_properties.png[]
-
-=== History
-KeePassXC maintains a history of changes you make to your entries. Each time you change an entry, KeePassXC automatically creates a backup copy of the current, non-modified entry before saving the new values. You can view the changes you made previously, restore, and delete the history of changes you made. The age of the history item, the changes that were made, and the entry's size are shown in the table view.
-
- * Show: Display this history item for review, a read-only copy of the entry will be shown.
- * Restore: Reinstate the selected history item as the active entry details.
- * Delete: Delete the selected history item.
- * Delete All: Delete the entire history for this entry.
-
-.Entry history view
-image::edit_entry_history.png[]
-
-NOTE: Restoring an old history item will store the current entry settings as a new history item.
-
-== Automatic Database Opening
+=== Automatic Database Opening
 You can setup one or more databases to open automatically when you unlock a single database. This is done by *(1)* defining a special group named `AutoOpen` with *(2)* entries that contain the file path and credentials for each database that should be opened. There is no limit to the number of databases that can be opened.
 
 TIP: Case matters with auto open, the group name must be exactly `AutoOpen` and it must be a child of the root group.
@@ -329,6 +375,7 @@ image::database_settings.png[]
  * *Database name:* This is the default identifier for your database and is shown in the tab bar and title bar (when active). You can change this name as desired.
  * *Database description:* Provide some meaningful description for your database.
  * *Default username:* Provide a default username for all new entries that you create in this database.
+ * *Public Database Metadata:* Here you can set a public (unencrypted) name, icon, and color for your database. This is used on the database unlock screen to help distinguish multiple databases from each other.
  * *Max history items:* This is the maximum number of history items that are stored for each entry. When you set this to 0, no history will be saved. Set this value to a low value to prevent the database from getting too large (we recommend no more than 10).
  * *Max. history size:* When the history of an entry gets above this size, it is truncated. For example, this happens when entries have large attachments. Set this value small to prevent the database from getting too large (we recommend 6 MiB).
  * *Use recycle bin:* Select this check-box if you want deleted entries to move to the recycle bin instead of being permanently removed. The recycle bin will be created if it does not already exist after your first deletion. To delete entries permanently, you must empty the recycle bin manually.
@@ -365,42 +412,27 @@ The following key derivation functions are supported:
 
  * Argon2 (KDBX 4 – recommended): KDBX 4, the Argon2 key derivation function can be used for transforming the composite master key (as protection against dictionary attacks). The main advantage of Argon2 over AES-KDF is that it provides a better resistance against GPU/ASIC attacks (due to being a memory-hard function). The number of iterations scales linearly with the required time. By increasing the memory parameter, GPU/ASIC attacks become harder and the required time increases. The parallelism parameter can be used to specify how many threads should be used. We recommend using Argon2id to prevent against timing-based attacks. Argon2d offers maximum compatibility with other KeePass-based apps, the default settings provide sufficient protection against any known attacks.
 
-== Database Maintenance
+=== Database Maintenance
 KeePassXC offers some maintenance features that can be applied to clean up your database. Navigate to _Database_ -> _Database settings_ then click on _Maintenance_ on the left hand panel. The following screen appears. On this screen you can delete multiple icons at once and purge any unused icons in your database.
 
 image::database_maintenance.png[]
 
-=== Creating a YubiKey backup
-It is advisable to have a backup replica YubiKey In case your main YubiKey gets damaged, lost, or stolen. The same HMAC key will need to be written to both keys. To do this you can either use the YubiKey Personalization Tool GUI or the ykpersonalize CLI tool. The steps for the CLI tool are shown:
+== Remote database support
+KeePassXC provides support for syncing database files that reside in a remote location. If you can download/upload the database file via a commandline tool (e.g. rsync, ssh, scp etc.) KeePassXC offers easy to use functionality to sync the remote database.
 
-1. Create a 20 byte HMAC key:
-+
-```
-dd status=none if=/dev/random bs=20 count=1 | xxd -p -c 40
-```
+=== Sync with remote database
+Open the remote sync settings via _Database > Database Settings… > Remote_ to create commands to sync a local database or a temporary local copy of a remote database.
 
-2. Write the HMAC key to slot 2 _(Set through the first switch. Out of the box the YubiKey OTP resides in slot 1)_:
-+
-```
-ykpersonalize -2 -a -ochal-resp -ochal-hmac -ohmac-lt64 -oserial-api-visible -oallow-update
-```
+Define a name for your sync command and specify a download *(A)* as well as an upload command *(B)*. The command and/or input need a `{TEMP_DATABASE}` placeholder specified where the remote database is temporarily stored. Do not forget to save the command settings with the save button *\(C)*. Remote settings are added as menu entries below the _Remote Sync…_ menu for quick access.
 
-You will be asked to enter the HMAC key you created earlier, copy/paste they key output in the first step. Repeat step 2 for your second YubiKey using the same HMAC key from before. We recommend storing your HMAC key in a safe place (e.g., printed on paper) in case you need to recreate another key.
+WARNING: If your download or upload command require a password prompt, the command will most likely not succeed. In case of an SSH connection (e.g. sftp), it is recommended to use <<KeePassXC – SSH Agent integration,SSH agent>> so that no password prompt is needed.
+
+.Remote sync settings
+image::sync_remote_settings.png[]
+
+Select the remote sync command from the _Database > Remote Sync…_ menu to start the syncing process and a progress bar will show up in the lower right corner.
+
+WARNING: In case the remote database is changed by another user/process after the downloading command finishes and before uploading again, those changes will be overwritten. Syncing is not an atomic operation.
 
-== Command Line Tool
-KeePassXC comes with the command line tool *keepassxc-cli* to access, view, and manipulate your database directly from a terminal window. The tool is documented through a separate man page, which can be shown using `man keepassxc-cli`, or through the on-demand help using `keepassxc-cli [command] -h`. An online version of the man page is https://github.com/keepassxreboot/keepassxc/blob/master/docs/man/keepassxc-cli.1.adoc[available on GitHub].
 // end::advanced[]
-
-== Storing a Database File
-The database file that you create might contain highly sensitive data and must be stored in a very secure way. You must make sure that the database is always protected with a strong and long password. The database file that is protected with a strong and long password is secure and encrypted while stored on your computer or cloud storage service.
-
-Make sure that you or someone else does not accidentally delete the database file. Deletion of the database file will result in the total loss of all your information (including all your passwords!) and a lot of inconvenience to manually retrieve your logins for various web applications. Do not share the credentials to access your database file with anyone unless you absolutely trust them (spouse, child, etc.).
-
-TIP: You can safely store your database file in the cloud (OneDrive, Dropbox, Google Drive, Nextcloud, Syncthing, etc.). The database file is always fully encrypted; unencrypted data is never written to disk and is never accessible to your cloud storage provider. We recommend using a storage service that keeps automatic backups (version history) of your database file in the event of corruption or accidental deletion.
-
-== Backing up a Database File
-It is a good practice to create copies of your database file and store the copies of your database on a different computer, smart phone, or cloud storage space such a Google Drive or Microsoft OneDrive. Backups can be created automatically by selecting the _Backup database file before saving_ option in the application settings. Additionally, you can create a backup on-demand using the _Database_ -> _Save Database Backup..._ menu feature.
-
-.Saving a database backup
-image::save_database_backup.png[,40%]
 // end::content[]

docs/topics/DownloadInstall.adoc

@@ -38,7 +38,7 @@ To install KeePassXC on Microsoft Windows, perform the following steps:
 .Install wizard
 image::install_wizard_1.png[,80%]
 
-2. Click Next and follow the simple instructions on the KeepPassXC Setup Wizard to complete the installation. You will have the option to choose your install location, add a desktop shortcut, and launch on startup.
+2. Click Next and follow the simple instructions on the KeePassXC Setup Wizard to complete the installation. You will have the option to choose your install location, add a desktop shortcut, and launch on startup.
 +
 .Install wizard (cont)
 image::install_wizard_2.png[,80%]
@@ -59,7 +59,7 @@ image::linux_store.png[]
 
 The Snap and Flatpak options are sandboxed applications (more secure). The Native option is installed with the operating system files. Read more about the limitations of these options here: https://keepassxc.org/docs/#faq-appsnap-yubikey[KeePassXC Snap FAQ]
 
-NOTE: KeePassXC stores a configuration file in `~/.cache` to remember window position, recent files, and other local settings. If you mount this folder to a tmpdisk you will lose settings after reboot.
+NOTE: KeePassXC stores a configuration file in `~/.local/state` to remember window position, recent files, and other local settings. If you mount this folder to a tmpdisk you will lose settings after reboot.
 
 === macOS
 To install the KeePassXC app on macOS, double click on the downloaded DMG file and use the click and drag option as shown:

docs/topics/ImportExport.adoc

@@ -3,14 +3,16 @@ include::.sharedheader[]
 :imagesdir: ../images
 
 // tag::content[]
-== Importing External Databases
+== Importing Databases
 KeePassXC allows you to import external databases from the following options:
 
 * Comma Separated Values (.csv)
 * 1Password Export (.1pux)
 * 1Password Vault (.opvault)
 * Bitwarden (.json)
+* Proton Pass (.json)
 * KeePass 1 Database (.kdb)
+* Remote database (.kdbx)
 
 To import any of these files, start KeePassXC and either click the `Import File` button on the welcome screen or use the menu Database > Import... to launch the Import Wizard.
 
@@ -31,14 +33,17 @@ image::csv_import.png[]
 
 3. Click `Done` to complete the import. If you chose to create a new database, the New Database dialog will appear. Otherwise your entries will be nested under the group you chose for the existing database.
 
-=== Importing 1Password Export
+=== Importing from Other Applications
+KeePassXC allows you to import databases from various applications including 1Password (1PUX and OPVault), Bitwarden, and Proton Pass. Each import option involves selecting the file, providing necessary credentials (if required), and choosing to import into a new or existing database. Note that CSV, 1Password Export, Bitwarden, and Proton Pass files are unencrypted and should be securely deleted after import.
+
+==== 1Password Export
 WARNING: A 1Password Export file is unencrypted and you should securely delete this file after successfully importing it into KeePassXC.
 
 1. Open the Import Wizard as shown above. Select the 1Password Export option.
 
 2. Click `Continue` to unlock and preview the import. Click `Done` to complete the import.
 
-=== Importing 1Password OPVault
+==== 1Password OPVault
 NOTE: You must have 1Password version 7 or 8 to export your data to an OPVault. If you are using a newer version of 1Password, you should use the 1Password Export (1PUX) format instead.
 
 Save your 1Password Vault locally to create an OPVault directory. Please see 1Password instructions on how to do this. Once an OPVault is created, perform the following steps:
@@ -47,7 +52,7 @@ Save your 1Password Vault locally to create an OPVault directory. Please see 1Pa
 
 2. Enter the password for your vault and click `Continue` to unlock and preview the import. Click `Done` to complete the import.
 
-=== Importing Bitwarden
+==== Bitwarden
 WARNING: A Bitwarden Export file may be unencrypted and you should securely delete this file after successfully importing it into KeePassXC.
 
 1. Open the Import Wizard as shown above. Select the Bitwarden option.
@@ -56,6 +61,13 @@ WARNING: A Bitwarden Export file may be unencrypted and you should securely dele
 
 3. Click `Continue` to unlock and preview the import. Click `Done` to complete the import.
 
+==== Proton Pass
+WARNING: A Proton Pass Export file is unencrypted and you should securely delete this file after successfully importing it into KeePassXC.
+
+1. Open the Import Wizard as shown above. Select the Proton Pass option.
+
+2. Click `Continue` to preview the import. Click `Done` to complete the import.
+
 === Importing KeePass 1 Database
 KeePass 1 database is an older format of the database created using a legacy version of KeePass. KeePassXC lets your import this older format of the database and you can seamlessly start using this database in your new KeePassXC application.
 
@@ -67,9 +79,26 @@ To import a KeePass 1 database file in KeePassXC, perform the following steps:
 
 3. Click `Continue` to unlock and preview the import. Click `Done` to complete the import.
 
+=== Importing Remote Database
+Database files that are stored in a remote location can be imported or opened with KeePassXC if you provide a command to download the file from the remote location.
+
+To import (or temporarily open) a remote database file in KeePassXC, perform the following steps:
+
+1. Open the Import Wizard as shown above. Select the Remote Database option.
+
+2. Enter a command to download the remote database. If necessary, enter input that needs to be passed to the command. The command and/or input need a `{TEMP_DATABASE}` placeholder specified where the remote database is temporarily stored.
+
+3. Enter the password for your database and optionally provide a key file.
+
+4. Click `Continue` to unlock and preview the import. Click `Done` to complete the import.
+
+Opening without importing a remote database is possible by selecting Temporary Database in the Import Into section of the wizard.
+
 == Exporting Databases
 KeePassXC supports multiple ways to export your database for transfer to another program or to print out and archive.
 
+WARNING: These exports do not contain all the information in your database due to various limitations in the export format. For example, the CSV export does not support attachments, advanced attributes, Auto-Type settings, or custom icons. The XML export does not support attachments. The HTML export is mainly for printing and does not support attachments and some custom data fields.
+
 WARNING: Exporting your database will result in all of your passwords and sensitive information being stored in an unencrypted format. We do not recommend saving your exported database for long periods of time as that can cause a compromise of sensitive information.
 
 .Database export menu

docs/topics/KeeShare.adoc

@@ -16,7 +16,7 @@ To use sharing, you need to enable it for the application.
 .KeeShare Application Settings
 image::keeshare_application_settings.png[]
 
-=== Sharing Credentials
+=== Setup a Shared Group
 If you checked _Allow export_ in the Sharing settings you can now share a group of passwords. Sharing is always defined on a particular group. If you enable sharing on a group, every entry under this group, and its children, are shared. If you enable sharing on the root node, **every password** inside your database gets shared!
 
 NOTE: KeeShare does not synchronize group structure after the initial share is created. At this time, KeeShare operates at the entry level; shared entries moved outside of a shared group are still synchronized.

docs/topics/KeyboardShortcuts.adoc

@@ -3,51 +3,64 @@ include::.sharedheader[]
 :imagesdir: ../images
 
 // tag::content[]
-NOTE: On macOS please substitute `Ctrl` with `Cmd` (aka `⌘`).
+NOTE: On macOS please substitute kbd:[Ctrl] with kbd:[Cmd] (AKA kbd:[⌘]).
 
 [grid=rows, frame=none, width=75%]
 |===
-|Action                       | Keyboard Shortcut
+|Action                          | Keyboard Shortcut
 
-|Settings                     | Ctrl + ,
-|Open Database                | Ctrl + O
-|Save Database                | Ctrl + S
-|Save Database As             | Ctrl + Shift + S
-|New Database                 | Ctrl + Shift + N
-|Close Database               | Ctrl + W ; Ctrl + F4
-|Lock All Databases           | Ctrl + L
-|Database Settings            | Ctrl + Shift + ,
-|Database Reports             | Ctrl + Shift + R
-|Quit                         | Ctrl + Q
-|New Entry                    | Ctrl + N
-|Edit Entry                   | Enter ; Ctrl + E
-|Delete Entry                 | Delete
-|Clone Entry                  | Ctrl + K
-|Copy Username                | Ctrl + B
-|Copy Password                | Ctrl + C
-|Copy URL                     | Ctrl + U
-|Open URL                     | Ctrl + Shift + U
-|Copy TOTP                    | Ctrl + T
-|Copy Password and TOTP       | Ctrl + Y
-|Show TOTP                    | Ctrl + Shift + T
-|Trigger AutoType             | Ctrl + Shift + V
-|Add key to SSH Agent         | Ctrl + H
-|Remove key from SSH Agent    | Ctrl + Shift + H
-|Move entry up (if unsorted)   | Ctrl + Alt + Up
-|Move entry down (if unsorted) | Ctrl + Alt + Down
-|Sort Groups A-Z              | Ctrl + Down
-|Sort Groups Z-A              | Ctrl + Up
-|Minimize Window              | Ctrl + M
-|Hide Window                  | Ctrl + Shift + M
-|Select Next Database Tab     | Ctrl + Tab ; Ctrl + PageDn
-|Select Previous Database Tab | Ctrl + Shift + Tab ; Ctrl + PageUp
-|Select the nth database      | Ctrl + n, where n is the number of the database tab
-|Toggle Passwords Hidden      | Ctrl + Shift + C
-|Toggle Usernames Hidden      | Ctrl + Shift + B
-|Focus Groups (edit if focused)  | F1
-|Focus Entries (edit if focused) | F2
-|Focus Search                 | F3 ; Ctrl + F
-|Clear Search                 | Escape
-|Show Keyboard Shortcuts      | Ctrl + /
+|Settings                        | kbd:[Ctrl + ,]
+|Open Database                   | kbd:[Ctrl + O]
+|Save Database                   | kbd:[Ctrl + S]
+|Save Database As                | kbd:[Ctrl + Shift + S]
+|New Database                    | kbd:[Ctrl + Shift + N]
+|Close Database                  | kbd:[Ctrl + W] +
+_or_ +
+kbd:[Ctrl + F4]
+|Lock Current Database           | kbd:[Ctrl + L]
+|Lock All Databases              | kbd:[Ctrl + Shift + L]
+|Database Settings               | kbd:[Ctrl + Shift + ,]
+|Database Reports                | kbd:[Ctrl + Shift + R]
+|Quit                            | kbd:[Ctrl + Q]
+|New Entry                       | kbd:[Ctrl + N]
+|Edit Entry                      | kbd:[Enter] +
+_or_ +
+kbd:[Ctrl + E]
+|Delete Entry                    | kbd:[Del]
+|Clone Entry                     | kbd:[Ctrl + D]
+|Copy Username                   | kbd:[Ctrl + B]
+|Copy Password                   | kbd:[Ctrl + C]
+|Copy URL                        | kbd:[Ctrl + U]
+|Open URL                        | kbd:[Ctrl + Shift + U]
+|Copy TOTP                       | kbd:[Ctrl + T]
+|Copy Password and TOTP          | kbd:[Ctrl + Y]
+|Show TOTP                       | kbd:[Ctrl + Shift + T]
+|Trigger AutoType                | kbd:[Ctrl + Shift + V]
+|Add key to SSH Agent            | kbd:[Ctrl + H]
+|Remove key from SSH Agent       | kbd:[Ctrl + Shift + H]
+|Jump to Group (from search)     | kbd:[Ctrl + Shift + J]
+|Move entry up (if unsorted)     | kbd:[Alt + Up]
+|Move entry down (if unsorted)   | kbd:[Alt + Down]
+|Sort Groups A-Z                 | kbd:[Ctrl + Down]
+|Sort Groups Z-A                 | kbd:[Ctrl + Up]
+|Minimize Window                 | kbd:[Ctrl + M]
+|Hide Window                     | kbd:[Ctrl + Shift + M]
+|Select Next Database Tab        | kbd:[Ctrl + Tab] +
+_or_ +
+kbd:[Ctrl + PgDn]
+|Select Previous Database Tab    | kbd:[Ctrl + Shift + Tab] +
+_or_ +
+kbd:[Ctrl + PgUp]
+|Select the nth database         | kbd:[Ctrl + <n>], where kbd:[<n>] is the number of the database tab
+|Toggle Passwords Hidden         | kbd:[Ctrl + Shift + C]
+|Toggle Usernames Hidden         | kbd:[Ctrl + Shift + B]
+|Focus Groups (edit if focused)  | kbd:[F1]
+|Focus Entries (edit if focused) | kbd:[F2]
+|Focus Search                    | kbd:[F3] +
+_or_ +
+kbd:[Ctrl + F]
+|Clear Search                    | kbd:[Esc]
+|Show Keyboard Shortcuts         | kbd:[Ctrl + /]
 |===
 // end::content[]
+

docs/topics/Passkeys.adoc

@@ -5,56 +5,56 @@ include::.sharedheader[]
 // tag::content[]
 == Passkeys
 
-Passkeys are a secure way for replacing passwords that is supported by all major browser vendors and an increasing number of websites. For more information on what Passkeys are and how they work, please go to the FIDO Alliance's documentation: https://fidoalliance.org/passkeys/
+Passkeys are a secure way for replacing passwords that is supported by all major browser vendors and an increasing number of websites. For more information on what passkeys are and how they work, please go to the FIDO Alliance's documentation: https://fidoalliance.org/passkeys/
 
-=== Enabling Passkey Support
+=== Browser Passkey Support
 
-KeePassXC supports Passkeys directly through the Browser Integration service. Passkeys are only supported with the use of the KeePassXC Browser Extension and a properly connected database. To enable Passkey support on the extension, you must check the _Enable Passkeys_ option in the extension settings page.
+KeePassXC supports passkeys directly through the Browser Integration service. Passkeys are only supported with the use of the KeePassXC Browser Extension and a properly connected database. To enable passkey support on the extension, you must check the _Enable Passkeys_ option in the extension settings page.
 
 .Enable Passkey Support in the KeePassXC Browser Extension
 image::passkeys_enable_from_extension.png[,75%]
 
-Optionally, you can disable falling back to the built-in Passkey support from your browser and operating system. If left enabled, the extension will show the default Passkey dialogs if KeePassXC cannot handle the request or the request is canceled.
+Optionally, you can disable falling back to the built-in passkey support from your browser and operating system. If left enabled, the extension will show the default passkey dialogs if KeePassXC cannot handle the request or the request is canceled.
 
 === Create a New Passkey
 
-Creating a new Passkey and authenticating with it is a simple process. This workflow will be demonstrated using GitHub as an example site. Please note that GitHub allows two use cases for Passkeys, one for 2FA only and the other for replacement of username and password entirely. We will be configuring the latter use case in this example.
+Creating a new passkey and authenticating with it is a simple process. This workflow will be demonstrated using GitHub as an example site. Please note that GitHub allows two use cases for passkeys, one for 2FA only and the other for replacement of username and password entirely. We will be configuring the latter use case in this example.
 
-After navigating to GitHub's _Settings_ -> _Password and authentication_, there is a separate section shown for Passkeys.
+After navigating to GitHub's _Settings_ -> _Password and authentication_, there is a separate section shown for passkeys.
 
 .GitHub's Passkey Registration
 image::passkeys_github_1.png[]
 
-After clicking the _Add a Passkey_ button, the user is redirected to another page showing the actual configuration option.
+After clicking the _Add a passkey_ button, the user is redirected to another page showing the actual configuration option.
 
 .Configure Passwordless Authentication
 image::passkeys_github_2.png[,50%]
 
-Clicking the _Add Passkey_ button now shows the following popup dialog for the user, asking confirmation for creating a new Passkey.
+Clicking the _Add passkey_ button now shows the following popup dialog for the user, asking confirmation for creating a new passkey.
 
 .Passkey Registration Confirmation Dialog
 image::passkeys_register_dialog.png[,30%]
 
-After the Passkey has been registered, a new entry is created to the database under _KeePassXC-Browser Passwords_ with _(Passkey)_  added to the entry title. The entry holds additional attributes that are used for authenticating the Passkey.
+After the passkey has been registered, a new entry is created to the database under _KeePassXC-Browser Passwords_ with _(passkey)_  added to the entry title. The entry holds additional attributes that are used for authenticating the passkey.
 
-After registration, GitHub will ask a name for the Passkey. This is only relevant for the server.
+After registration, GitHub will ask a name for the passkey. This is only relevant for the server.
 
 .GitHub's Passkey Nickname
 image::passkeys_github_3.png[,50%]
 
-Now the Passkey should be shown on the GitHub's Passkey section.
+Now the passkey should be shown on the GitHub's passkey section.
 
 .Registered Passkeys on GitHub
 image::passkeys_github_4.png[]
 
 === Login With a Passkey
 
-The Passkey created in the previous section can now be used to login to GitHub. Instead of logging in with normal credentials, choose _Sign in with a passkey_ at the bottom of GitHub's login page.
+The passkey created in the previous section can now be used to login to GitHub. Instead of logging in with normal credentials, choose _Sign in with a passkey_ at the bottom of GitHub's login page.
 
 .GitHub's login page with a Passkey option
 image::passkeys_github_5.png[,50%]
 
-After clicking the button, KeePassXC-Browser detects the Passkeys authentication and KeePassXC shows the following dialog for confirmation.
+After clicking the button, KeePassXC-Browser detects the passkeys authentication and KeePassXC shows the following dialog for confirmation.
 
 .Passkey authentication confirmation dialog
 image::passkeys_authentication_dialog.png[,50%]
@@ -66,36 +66,36 @@ After confirmation user is now authenticated and logged into GitHub.
 
 ==== Multiple Passkeys for a Site
 
-Multiple Passkeys can be created for a single site. When registering a new Passkey with a different username, KeePassXC shows an option to register a new Passkey or update the previous one. Updating a Passkey will override the existing entry, so this option should be only used when actually needed.
+Multiple passkeys can be created for a single site. When registering a new passkey with a different username, KeePassXC shows an option to register a new passkey or update the previous one. Updating a passkey will override the existing entry, so this option should be only used when actually needed.
 
 .Passkey authentication confirmation dialog
 image::passkeys_update_dialog.png[,50%]
 
 ==== Exporting Passkeys
 
-All Passkeys in a database can be viewed and accessed from the _Database_ -> _Passkeys..._ menu item. The page shows both _Import_ and _Export_ buttons for Passkeys.
+All passkeys in a database can be viewed and accessed from the _Database_ -> _Passkeys..._ menu item. The page shows both _Import_ and _Export_ buttons for passkeys.
 
 .Passkeys Overview
 image::passkeys_all_passkeys.png[]
 
-After selecting one or more entries, the following dialog is shown. One or multiple Passkeys can be selected for export from the previously selected list of entries.
+After selecting one or more entries, the following dialog is shown. One or multiple passkeys can be selected for export from the previously selected list of entries.
 
 .Passkeys Export Dialog
 image::passkeys_export_dialog.png[,65%]
 
-Exported Passkeys are stored in JSON format using the `.passkey` file extension. The file includes all relevant information for importing a Passkey to another database or saving a backup. 
+Exported passkeys are stored in JSON format using the `.passkey` file extension. The file includes all relevant information for importing a passkey to another database or saving a backup. 
 
-WARNING: The exported Passkey file is unencrypted and should be securely stored.
+WARNING: The exported passkey file is unencrypted and should be securely stored.
 
 ==== Importing Passkeys
 
-An exported Passkey can be imported directly to a database or to an entry. To import directly, use the _Database_ -> _Import Passkey_ menu item.
-When right-clicking an entry, a separate menu item for _Import Passkey_ is shown. This is useful if user wants to import a previously created Passkey to an existing entry.
+An exported passkey can be imported directly to a database or to an entry. To import directly, use the _Database_ -> _Import Passkey_ menu item.
+When right-clicking an entry, a separate menu item for _Import Passkey_ is shown. This is useful if user wants to import a previously created passkey to an existing entry.
 
 .Import Passkey to an Entry
 image::passkeys_import_passkey_to_entry.png[,50%]
 
-After selecting a Passkey file to import, a separate dialog is shown where you can select which database, group, and entry to target. By default, the group is set to _Imported Passkeys_. The default action is to create a new entry that contains the imported Passkey.
+After selecting a passkey file to import, a separate dialog is shown where you can select which database, group, and entry to target. By default, the group is set to _Imported Passkeys_. The default action is to create a new entry that contains the imported passkey.
 
 .Passkey import dialog
 image::passkeys_import_dialog.png[,65%]

docs/topics/PasswordGenerator.adoc

@@ -19,9 +19,8 @@ image::password_generator.png[]
 
 3. Select the length of the desired password by dragging the Length slider.
 4. Select the character-sets that you want to include in your password.
-5. Use the regenerate button (Ctrl + R) to make a new password using the chosen options.
-6. Use the clipboard button (Ctrl + C) to copy the generated password to the clipboard.
-// tag::advanced[]
+5. Use the regenerate button (kbd:[Ctrl + R]) to make a new password using the chosen options.
+6. Use the clipboard button (kbd:[Ctrl + C]) to copy the generated password to the clipboard.
 7. Click the Advanced button to specify additional conditions for your desired password.
 +
 .Advanced Password Generator Options
@@ -40,7 +39,6 @@ Word Count slider.
 3. In the Word Separator field, enter a character, word, number, or space that you want to use as a separator between the words in your passphrase.
 4. _(Optional)_ You can choose a word case between lower, upper, and title case options.
 5. _(Optional)_ You can also load your own custom word lists. Click the plus sign button to the right of the wordlist selection dialog to choose a custom word list. You can download alternative lists from the https://www.eff.org/deeplinks/2016/07/new-wordlists-random-passphrases[EFF's Website] or from https://github.com/redacted/XKCD-password-generator#additional-languages[GitHub].
-6. Click the Regenerate button (Ctrl + R) to generate a new random passphrase.
-7. Click the Clipboard button (Ctrl + C) to copy the passphrase to the clipboard.
-// end::advanced[]
+6. Click the Regenerate button (kbd:[Ctrl + R]) to generate a new random passphrase.
+7. Click the Clipboard button (kbd:[Ctrl + C]) to copy the passphrase to the clipboard.
 // end::content[]

docs/topics/Reference.adoc

@@ -18,6 +18,8 @@ This section contains full details on advanced features available in KeePassXC.
 |{NOTES}         |Notes
 |{TOTP}          |Current TOTP value (if configured)
 |{S:<ATTRIBUTE_NAME>}   |Value for the given attribute (case sensitive)
+|{T-CONV:/<PLACEHOLDER>/<METHOD>/} |Text conversion for resolved placeholder (eg, {USERNAME}) using the following methods: UPPER, LOWER, BASE64, HEX, URI, URI-DEC
+|{T-REPLACE-RX:/<PLACEHOLDER>/<REGEX>/<REPLACE>/} |Use a regular expression to find and replace data from a resolved placeholder (eg, {USERNAME}). Refer to match groups using $1, $2, etc.
 |{URL:RMVSCM}	        |URL without scheme (e.g., https)
 |{URL:WITHOUTSCHEME}	|URL without scheme
 |{URL:SCM}	     |URL Scheme
@@ -47,6 +49,8 @@ This section contains full details on advanced features available in KeePassXC.
 |{DB_DIR}	     |Absolute directory path of database file
 |===
 
+NOTE: You can insert literal placeholder strings by escaping the beginning and ending curly braces. For example, to insert the string `{USERNAME}`, you would type `++\{USERNAME\}++`.
+
 === Entry Cross-Reference
 A reference to another entry's field is possible using the shorthand syntax:
 `{REF:<FIELD>@<SEARCH_IN>:<SEARCH_TEXT>}`
@@ -75,8 +79,8 @@ Examples: +
 |Press the corresponding keyboard key
 
 |{UP}, {DOWN}, {LEFT}, {RIGHT}  |Press the corresponding arrow key
-|{F1}, {F2}, ..., {F16}         |Press F1, F2, etc.
-|{LEFTBRACE}, {RIGHTBRACE}      |Press `{` or `}`, respectively
+|{F1}, {F2}, ..., {F16}         |Press kbd:[F1], kbd:[F2], etc.
+|{LEFTBRACE}, {RIGHTBRACE}      |Press kbd:[{] or kbd:[}], respectively
 |{<KEY> X}  |Repeat <KEY> X times (e.g., {SPACE 5} inserts five spaces)
 |{DELAY=X}     |Set delay between key presses to X milliseconds
 |{DELAY X}     |Pause typing for X milliseconds
@@ -88,10 +92,10 @@ Examples: +
 |===
 |Modifier |Description
 
-|+        |SHIFT
-|^        |CTRL
-|%        |ALT
-|#        |WIN/CMD
+|+        |kbd:[Shift]
+|^        |kbd:[Ctrl]
+|%        |kbd:[Alt]
+|#        |kbd:[Win]/kbd:[Cmd]
 |===
 *Text Conversions:*
 
@@ -124,5 +128,21 @@ Use regular expressions to find and replace data from a resolved placeholder. Re
 `C:\Backups\MyDatabase\01-05-2022.kdbx`
 |===
 
+=== Creating a YubiKey backup
+It is advisable to have a backup replica YubiKey In case your main YubiKey gets damaged, lost, or stolen. The same HMAC key will need to be written to both keys. To do this you can either use the YubiKey Personalization Tool GUI or the ykpersonalize CLI tool. The steps for the CLI tool are shown:
+
+1. Create a 20 byte HMAC key:
++
+```
+dd status=none if=/dev/random bs=20 count=1 | xxd -p -c 40
+```
+
+2. Write the HMAC key to slot 2 _(Set through the first switch. Out of the box the YubiKey OTP resides in slot 1)_:
++
+```
+ykpersonalize -2 -a -ochal-resp -ochal-hmac -ohmac-lt64 -oserial-api-visible -oallow-update
+```
+
+You will be asked to enter the HMAC key you created earlier, copy/paste they key output in the first step. Repeat step 2 for your second YubiKey using the same HMAC key from before. We recommend storing your HMAC key in a safe place (e.g., printed on paper) in case you need to recreate another key.
 
 // end::content[]

docs/topics/SSHAgent.adoc

@@ -3,12 +3,12 @@ include::.sharedheader[]
 :imagesdir: ../images
 
 // tag::content[]
-== SSH Agent integration
+== SSH Agent Integration
 SSH (Secure Shell) is a widely used remote secure shell protocol and is considered an industry standard for secure remote access to UNIX-like systems including Linux, BSDs, macOS and more recently even Windows received native support. SSH supports multiple types of authentication and the most widely used ones are either interactive keyboard input with a password or a public-key cryptography pair of keys.
 
 KeePassXC SSH Agent integration is built to manage SSH keys in a secure manner by either storing them completely within your KeePassXC database or by having only the decryption key of a key file that is stored elsewhere. SSH Agent integration _does not_ provide an agent itself but works as a client for any agent implementation that is OpenSSH compatible.
 
-=== OpenSSH agent on Linux
+=== OpenSSH Agent on Linux
 If you are using a modern desktop Linux distribution it is very likely the OpenSSH agent is already configured and running when you have logged in to a graphical desktop session.
 This should be true for distributions like Debian, Ubuntu (including Kubuntu, Xubuntu and Lubuntu), Linux Mint, Fedora, ElementaryOS and Manjaro.
 
@@ -32,10 +32,10 @@ WARNING: _GNOME Keyring_ prior to release 3.27.92 had its own custom implementat
 It does not support any constraints you may want to configure for an added key.
 If you are running a modern distribution the custom agent has been removed and replaced with the stock OpenSSH agent which is feature complete.
 
-=== OpenSSH agent on macOS
+=== OpenSSH Agent on macOS
 Apple has made OpenSSH an integrated part of macOS with automatic agent startup when it is first used. No further configuration is needed.
 
-=== OpenSSH agent and Pageant on Windows
+=== OpenSSH Agent and Pageant on Windows
 The SSH Agent integration on Windows supports both _PuTTY Pageant_ and _OpenSSH for Windows 10_.
 Since Pageant is currently still the most widely used implementation and is easily installable on any version of Windows, it is the default on KeePassXC.
 However, Microsoft includes a native OpenSSH client implementation with Windows 10 since autumn 2018 that can be used instead. If you would like to self-manage your OpenSSH version you can use the builds offered via their official https://github.com/powershell/Win32-OpenSSH[GitHub repository].
@@ -61,7 +61,7 @@ Alternatively, you can use a _Windows PowerShell_ running as _Administrator_ to
 
 KeePassXC and other compatible tools can now use the Windows OpenSSH agent. To use it with KeePassXC, update the settings explained in <<Setting up SSH Agent integration>>.
 
-=== Setting up SSH Agent integration
+=== Setup SSH Agent Integration
 By default the SSH Agent integration plugin is disabled.
 To enable integration, follow the steps below to access the settings:
 
@@ -78,10 +78,10 @@ On Windows, you have the option to select _Pageant_ and/or _OpenSSH for Windows_
 
 If the value of _SSH_AUTH_SOCK_ is empty it means the agent is not properly configured and KeePassXC will be unable to connect to it unless you provide a static override path to the socket.
 
-=== Generating a key to use with KeePassXC
+=== Generating an SSH Key
 KeePassXC only supports keys in the _OpenSSH_ format. On Windows, _PuTTYgen_ saves keys in its own format by default and you will need to convert them to OpenSSH format before being used. In this guide we are going to generate a standard RSA key in the default size.
 
-==== Generating a key on Linux or macOS with _ssh-keygen_
+==== Generating a key on Linux or macOS
 Open a terminal window and type the following command to generate a key:
 
     $ ssh-keygen -o -f keepassxc -C johndoe@example
@@ -116,13 +116,13 @@ With KeePassXC you only need the first file listed.
 ==== Generating a key on Windows
 On Windows you can generate key pairs with _PuTTYgen_ and with _ssh-keygen_, depending on whether you installed PuTTY and your Windows version.
 
-===== Using _PuTTYgen_
+===== Using PuTTYgen
 Please read the manual on how to use _PuTTYgen_ for details on generate a key: https://the.earth.li/~sgtatham/putty/0.74/htmldoc/Chapter8.html#pubkey-puttygen. Once generated, you must save the key in the new OpenSSH format, see image below.
 
 .Generating a key with _PuTTYgen_
 image::sshagent_puttygen.png[,70%]
 
-===== Using _ssh-keygen_
+===== Using ssh-keygen
 Open _Command Prompt_ or _Windows PowerShell_ and type the following command to generate a key:
 
     PS C:\Users\user> ssh-keygen.exe -o -f keepassxc -C johndoe@example
@@ -159,7 +159,7 @@ Now we can see two files were generated:
 
 With KeePassXC you only need the first file listed.
 
-=== Configuring an entry to use SSH Agent
+=== Adding SSH Key to an Entry
 The last step is to setup an entry to contain the SSH Agent settings and key file you generated.
 
 1. Create a new entry, or open an existing entry in edit mode.

docs/topics/SecretService.adoc

@@ -0,0 +1,48 @@
+= KeePassXC – Secret Service Integration
+include::.sharedheader[]
+:imagesdir: ../images
+
+// tag::content[]
+== Secret Service Integration
+This feature allows KeePassXC to act as a Secret Service provider over DBus. It enables applications to store and retrieve secrets securely via the https://www.freedesktop.org/wiki/Specifications/secret-storage-spec/[Secret Storage specification]. While running, KeePassXC acts as a Secret Service server registered on DBus so clients like seahorse, python-secretstorage, secret-tool, or other implementations can connect and access the exposed database in KeePassXC.
+
+=== Enabling the Integration
+Only one secret service provider can be enabled at a time. You may have to disable other providers, such as GNOME Keyring or KWallet, to use KeePassXC as a secret service provider. You will see a notice when attempting to enable KeePassXC as the secret service provider if another is already running.
+
+To replace most third party secret service providers with KeePassXC, run the following shell snippet:
+
+```bash
+mkdir -p "${XDG_DATA_HOME:-${HOME}/.local/share}/dbus-1/services"
+cat > "${XDG_DATA_HOME:-${HOME}/.local/share}/dbus-1/services/org.freedesktop.secrets.service" <<EOF
+[D-BUS Service]
+Name=org.freedesktop.secrets
+Exec=/usr/bin/keepassxc
+EOF
+```
+
+NOTE: You may need to restart your session or log out and back in for the changes to take effect.
+
+1. Open KeePassXC → **Tools → Settings → Secret Service Integration** → check **Enable KeePassXC Freedesktop.org Secret Service Integration**. Then press OK to save this setting and enable the integration. Go back into this settings screen to see currently open databases that you can unlock and edit their exposure to secret service.
++
+.Secret Service Settings
+image::secretservice_enable_settings.png[]
+
+2. Either click the pencil icon in the previous settings screen, or go to **Database → Database Settings → Secret Service Integration**. Enable **Expose entries under this group**, and select the desired group. All entries within this group and all subgroups will be exposed to the service.
++
+.Secret Service Database Settings
+image::secretservice_database_settings.png[]
+
+3. Use apps that integrate with secret service to start saving and using credentials within KeePassXC. If you enabled confirmation prior to access, you will see the following dialog:
++
+.Secret Service Access Confirmation Dialog
+image::secretservice_access_dialog.png[]
+
+TIP: When applications use `secret-tool` and you have access confirmation enabled, then you will be prompted each time credentials are requested. This is due to `secret-tool` obtaining a new process id each time it is run.
+
+=== Implementation Details
+
+* The user can specify the database and group that is exposed to the service.
+* Desktop notifications when a secret is retrieved and access confirmation dialogs.
+* `FdoSecrets::Service` is the top level DBus service. There is one  `FdoSecrets::Collection` per opened database tab and each entry under the exposed database group has a corresponding `FdoSecrets::Item` DBus object.
+* The following entry attributes are exposed to the secret service: Title, Username, Password, URL, Notes, TOTP, and non-protected Custom Attributes.
+// end::content[]

docs/topics/UserInterface.adoc

@@ -12,13 +12,22 @@ image::main_interface.png[]
 
 *(A) Groups* – Organize your entries into discrete groups to bring order to all of your sensitive information. Groups can be nested under each other to create a hierarchy. Settings from parent groups get applied to their children. You can hide this panel on the View menu.
 
-*(B) Tags* – Dynamic groups of entries that can be quickly displayed with one click. Any number of custom tags can be added when editing an entry. This panel also includes useful pre-defined searches, such as finding expired and weak passwords.
+*(B) Searches and Tags* – Dynamic groups of entries that can be quickly displayed with one click. Any number of custom tags can be added when editing an entry. This panel also includes useful pre-defined and custom saved searches, such as finding expired and weak passwords.
 
-*\(C) Entries* – Entries contain all the information you want to store for a website or application you are storing in KeePassXC. This view shows all the entries in the selected group. Each column can be resized, reordered, and shown or hidden based on your preference. Right-click the header row to see all available options.
+*\(C) Entries* – Entries contain all the information for a website or application you are storing in KeePassXC. This view shows all the entries in the selected group. Each column can be resized, reordered, and shown or hidden based on your preference. Right-click the header row to see all available options.
 
-*(D) Preview* – Shows a preview of the selected group or entry. You can temporarily hide this preview using the close button on the right hand side or completely disabled in the application settings.
+*(D) Preview* – Shows a preview of the selected group or entry. You can interact with most information stored in an entry from here without opening the entry for editing. You can temporarily hide this preview using the down-arrow button on the right hand side or completely disable it from the View menu.
 
-TIP: You can enable double-click copying of entry username and password in the Application Security Settings. This is turned off by default starting with version 2.7.0.
+[TIP]
+====
+Starting with version 2.7.0, double-click copying of entry usernames and passwords is disabled by default.
+
+To enable it:
+
+. Open *KeePassXC*, and navigate to *Tools* → *Settings*.
+. In the left sidebar, select *General*.
+. Under *Entry Management*, check the box for _"Copy data on double clicking field in entry view"_.
+====
 
 === Toolbar
 The toolbar provides a quick way to perform common tasks with your database. Some entries in the toolbar are dynamically disabled based on the information contained in the selected entry. Every common action in KeePassXC can be controlled with a keyboard shortcut as well.
@@ -29,13 +38,17 @@ image::toolbar.png[]
 *(A) Database* – Open Database, Save Database, Lock Database +
 *(B) Entries* – Create Entry, Edit Entry, Delete Selected Entries +
 *\(C) Entry Data* – Copy Username, Copy Password, Copy URL, Perform Auto-Type +
-*(D) Tools* – Password Generator, Application Settings +
+*(D) Tools* – Database Settings, Reports, Password Generator, Application Settings +
 *(E) Search*
 
-=== Application Settings
-Users can configure KeePassXC to their personal tastes with a wide variety of general and security settings that apply to the whole application. These settings are accessible from _Tools_ -> _Settings_ or the cog wheel icon from the toolbar. Settings include: startup options, file management, entry management, user interface, language, security timeouts, and convenience.
+=== Screenshot Security
+By default, KeePassXC prevents recordings and screenshots of the application window on Windows and macOS. This prevents inadvertent spillage of information during meetings and disallows other applications to capture the window contents. If you would like to enable screen capture temporarily, navigate to _View_ menu and select _Allow Screen Capture_. Alternatively, you can start the application with the `--allow-screencapture` command line flag.
 
-==== Setting the Theme
+
+=== View Options
+You can customize the appearance of KeePassXC to your liking. The following options are available in the _View_ menu:
+
+==== Themes
 KeePassXC ships with light and dark themes specifically designed to meet accessibility standards. In most cases, the appropriate theme for your system will be determined automatically, but you can always set a specific theme by using the _View_ menu. When a new theme is selected you will be prompted to restart KeePassXC to apply the theme immediately.
 
 .Setting the theme
@@ -47,8 +60,8 @@ For users with smaller screens or those who desire seeing more entries at once,
 .Compact mode comparison
 image::compact_mode_comparison.png[]
 
-=== Screenshot Security
-By default, KeePassXC prevents recordings and screenshots of the application window on Windows and macOS. This prevents inadvertent spillage of information during meetings and disallows other applications to capture the window contents. If you would like to enable screen capture, you must start the application with the `--allow-screencapture` command line flag.
+=== Application Settings
+Users can configure KeePassXC to their personal tastes with a wide variety of general and security settings that apply to the whole application. These settings are accessible from _Tools_ -> _Settings_ or the cog wheel icon from the toolbar. Settings include: startup options, file management, entry management, user interface, language, security controls, and integration settings (Auto-Type, Browser, etc).
 
 === Keyboard Shortcuts
 include::KeyboardShortcuts.adoc[tag=content, leveloffset=+1]
@@ -77,6 +90,7 @@ Arguments:
   filename(s)                  filenames of the password databases to open (*.kdbx)
 ----
 
+=== Environment Variables
 Additionally, the following environment variables may be useful when running the application:
 
 [grid=rows, frame=none, width=75%]
@@ -91,5 +105,17 @@ Additionally, the following environment variables may be useful when running the
 |QT_SCREEN_SCALE_FACTORS [list] | Specifies scale factors for each screen. See https://doc.qt.io/qt-5/highdpi.html#high-dpi-support-in-qt
 |QT_SCALE_FACTOR_ROUNDING_POLICY | Control device pixel ratio rounding to the nearest integer. See https://doc.qt.io/qt-5/highdpi.html#high-dpi-support-in-qt
 |===
+
+=== Installer Options
+The following options can be set when running the Windows Installer MSI in an unattended installation:
+
+* *LAUNCHAPPONEXIT* – Launch KeePassXC after install (default ON)
+* *AUTOSTARTPROGRAM* – KeePassXC will auto-start on login (default ON)
+* *INSTALLDESKTOPSHORTCUT* – A desktop icon will be installed (default OFF)
+
+Example: `msiexec.exe /q /i KeePassXC-Y.Y.Y-WinZZ.msi AUTOSTARTPROGRAM=0`
+
+== Command Line Tool
+KeePassXC comes with the command line tool *keepassxc-cli* to access, view, and manipulate your database directly from a terminal window. The tool is documented through a separate man page, which can be shown using `man keepassxc-cli`, or through the on-demand help using `keepassxc-cli [command] -h`. An online version of the man page is https://github.com/keepassxreboot/keepassxc/blob/latest/docs/man/keepassxc-cli.1.adoc[available on GitHub].
 // end::advanced[]
 // end::content[]

docs/topics/Welcome.adoc

@@ -26,12 +26,13 @@ KeePassXC has numerous features for novice and power users alike. This guide wil
  ** Password generator
  ** Auto-Type passwords into applications
  ** Browser integration with Google Chrome, Mozilla Firefox, Microsoft Edge, Chromium, Vivaldi, Brave, and Tor-Browser
+ ** Support for passkeys using the browser integration
  ** Entry icon download
- ** Import databases from CSV, 1Password, and KeePass1 formats
+ ** Import databases from CSV, 1Password, Bitwarden, Proton Pass, and KeePass1 formats
 
 * Advanced Features
  ** Database reports (password health, HIBP, and statistics)
- ** Database export to CSV and HTML formats
+ ** Database export to CSV, XML, and HTML formats
  ** TOTP storage and generation
  ** Field references between entries
  ** File attachments and custom attributes

release-tool.ps1

@@ -1,668 +0,0 @@
-<#
-.SYNOPSIS
-KeePassXC Release Tool
-
-.DESCRIPTION
-Commands:
-  merge      Merge release branch into main branch and create release tags
-  build      Build and package binary release from sources
-  sign       Sign previously compiled release packages
-
-.NOTES
-The following are descriptions of certain parameters:
-  -Vcpkg           Specify VCPKG toolchain location (example: C:\vcpkg)
-  -Tag             Release tag to check out (defaults to version number)
-  -Snapshot        Build current HEAD without checkout out Tag
-  -CMakeGenerator  Override the default CMake generator
-  -CMakeOptions    Additional CMake options for compiling the sources
-  -CPackGenerators Set CPack generators (default: WIX;ZIP)
-  -Compiler        Compiler to use (example: g++, clang, msbuild)
-  -MakeOptions     Options to pass to the make program
-  -SignBuild       Perform platform specific App Signing before packaging
-  -SignCert        Specify the App Signing Certificate
-  -TimeStamp       Explicitly set the timestamp server to use for appsign
-  -SourceBranch    Source branch to merge from (default: 'release/$Version')
-  -TargetBranch    Target branch to merge to (default: master)
-  -VSToolChain     Specify Visual Studio Toolchain by name if more than one is available
-#>
-
-param(
-    [Parameter(ParameterSetName = "merge", Mandatory, Position = 0)]
-    [switch] $Merge,
-    [Parameter(ParameterSetName = "build", Mandatory, Position = 0)]
-    [switch] $Build,
-    [Parameter(ParameterSetName = "sign", Mandatory, Position = 0)]
-    [switch] $Sign,
-
-    [Parameter(ParameterSetName = "merge", Mandatory, Position = 1)]
-    [Parameter(ParameterSetName = "build", Mandatory, Position = 1)]
-    [Parameter(ParameterSetName = "sign", Mandatory, Position = 1)]
-    [string] $Version,
-
-    [Parameter(ParameterSetName = "build", Mandatory)]
-    [string] $Vcpkg,
-
-    [Parameter(ParameterSetName = "sign", Mandatory)]
-    [SupportsWildcards()]
-    [string[]] $SignFiles,
-
-    # [Parameter(ParameterSetName = "build")]
-    # [switch] $DryRun,
-    [Parameter(ParameterSetName = "build")]
-    [switch] $Snapshot,
-    [Parameter(ParameterSetName = "build")]
-    [switch] $SignBuild,
-    
-    [Parameter(ParameterSetName = "build")]
-    [string] $CMakeGenerator = "Ninja",
-    [Parameter(ParameterSetName = "build")]
-    [string] $CMakeOptions,
-    [Parameter(ParameterSetName = "build")]
-    [string] $CPackGenerators = "WIX;ZIP",
-    [Parameter(ParameterSetName = "build")]
-    [string] $Compiler,
-    [Parameter(ParameterSetName = "build")]
-    [string] $MakeOptions,
-    [Parameter(ParameterSetName = "build")]
-    [Parameter(ParameterSetName = "sign")]
-    [X509Certificate] $SignCert,
-    [Parameter(ParameterSetName = "build")]
-    [Parameter(ParameterSetName = "sign")]
-    [string] $Timestamp = "http://timestamp.sectigo.com",
-    [Parameter(ParameterSetName = "merge")]
-    [Parameter(ParameterSetName = "build")]
-    [Parameter(ParameterSetName = "sign")]
-    [string] $GpgKey = "CFB4C2166397D0D2",
-    [Parameter(ParameterSetName = "merge")]
-    [Parameter(ParameterSetName = "build")]
-    [string] $SourceDir = ".",
-    [Parameter(ParameterSetName = "build")]
-    [string] $OutDir = ".\release",
-    [Parameter(ParameterSetName = "merge")]
-    [Parameter(ParameterSetName = "build")]
-    [string] $Tag,
-    [Parameter(ParameterSetName = "merge")]
-    [string] $SourceBranch,
-    [Parameter(ParameterSetName = "build")]
-    [string] $VSToolChain,
-    [Parameter(ParameterSetName = "merge")]
-    [Parameter(ParameterSetName = "build")]
-    [Parameter(ParameterSetName = "sign")]
-    [string] $ExtraPath
-)
-
-# Helper function definitions
-function Test-RequiredPrograms {
-    # If any of these fail they will throw an exception terminating the script
-    if ($Build) {
-        Get-Command git | Out-Null
-        Get-Command cmake | Out-Null
-    }
-    if ($Merge) {
-        Get-Command git | Out-Null
-        Get-Command tx | Out-Null
-        Get-Command lupdate | Out-Null
-    }
-    if ($Sign) {
-        Get-Command gpg | Out-Null
-    }
-}
-
-function Test-VersionInFiles {
-    # Check CMakeLists.txt
-    $Major, $Minor, $Patch = $Version.split(".", 3)
-    if (!(Select-String "$SourceDir\CMakeLists.txt" -pattern "KEEPASSXC_VERSION_MAJOR `"$Major`"" -Quiet) `
-            -or !(Select-String "$SourceDir\CMakeLists.txt" -pattern "KEEPASSXC_VERSION_MINOR `"$Minor`"" -Quiet) `
-            -or !(Select-String "$SourceDir\CMakeLists.txt" -pattern "KEEPASSXC_VERSION_PATCH `"$Patch`"" -Quiet)) {
-        throw "CMakeLists.txt has not been updated to $Version."
-    }
-
-    # Check Changelog
-    if (!(Select-String "$SourceDir\CHANGELOG.md" -pattern "^## $Version \(\d{4}-\d{2}-\d{2}\)$" -Quiet)) {
-        throw "CHANGELOG.md does not contain a section for $Version."
-    }
-
-    # Check AppStreamInfo
-    if (!(Select-String "$SourceDir\share\linux\org.keepassxc.KeePassXC.appdata.xml" `
-                -pattern "<release version=`"$Version`" date=`"\d{4}-\d{2}-\d{2}`">" -Quiet)) {
-        throw "share/linux/org.keepassxc.KeePassXC.appdata.xml does not contain a section for $Version."
-    }
-}
-
-function Test-WorkingTreeClean {
-    & git diff-index --quiet HEAD --
-    if ($LASTEXITCODE) {
-        throw "Current working tree is not clean! Please commit or unstage any changes."
-    }
-}
-
-function Invoke-VSToolchain([String] $Toolchain, [String] $Path, [String] $Arch) {
-    # Find Visual Studio installations
-    $vs = Get-CimInstance MSFT_VSInstance -Namespace root/cimv2/vs
-  
-    if ($vs.count -eq 0) {
-        $err = "No Visual Studio installations found, download one from https://visualstudio.com/downloads."
-        $err = "$err`nIf Visual Studio is installed, you may need to repair the install then restart."
-        throw $err
-    }
-
-    $VSBaseDir = $vs[0].InstallLocation
-    if ($Toolchain) {
-        # Try to find the specified toolchain by name
-        foreach ($_ in $vs) {
-            if ($_.Name -eq $Toolchain) {
-                $VSBaseDir = $_.InstallLocation
-                break
-            }
-        }
-    } elseif ($vs.count -gt 1) {
-        # Ask the user which install to use
-        $i = 0
-        foreach ($_ in $vs) {
-            $i = $i + 1
-            $i.ToString() + ") " + $_.Name | Write-Host
-        }
-        $i = Read-Host -Prompt "Which Visual Studio installation do you want to use?"
-        $i = [Convert]::ToInt32($i, 10) - 1
-        if ($i -lt 0 -or $i -ge $vs.count) {
-            throw "Invalid selection made"
-        }
-        $VSBaseDir = $vs[$i].InstallLocation
-    }
-    
-    # Bootstrap the specified VS Toolchain
-    Import-Module "$VSBaseDir\Common7\Tools\Microsoft.VisualStudio.DevShell.dll"
-    Enter-VsDevShell -VsInstallPath $VSBaseDir -Arch $Arch -StartInPath $Path | Write-Host
-    Write-Host # Newline after command output
-}
-
-function Invoke-Cmd([string] $command, [string[]] $options = @(), [switch] $maskargs, [switch] $quiet) {
-    $call = ('{0} {1}' -f $command, ($options -Join ' '))
-    if ($maskargs) {
-        Write-Host "$command <masked>" -ForegroundColor DarkGray
-    }
-    else {
-        Write-Host $call -ForegroundColor DarkGray
-    }
-    if ($quiet) {
-        Invoke-Expression $call > $null
-    } else {
-        Invoke-Expression $call
-    }
-    if ($LASTEXITCODE -ne 0) {
-        throw "Failed to run command: {0}" -f $command
-    }
-    Write-Host #insert newline after command output
-}
-
-function Find-SignCert() {
-    $certs = Get-ChildItem Cert:\CurrentUser\My -codesign
-    if ($certs.Count -eq 0) {
-        throw "No code signing certificate found in User certificate store"
-    } elseif ($certs.Count -gt 1) {
-        # Ask the user which to use
-        $i = 0
-        foreach ($_ in $certs) {
-            $i = $i + 1
-            $i.ToString() + ") $($_.Thumbprint) - $($_.NotAfter)" | Write-Host
-        }
-        $i = Read-Host -Prompt "Which certificate do you want to use?"
-        $i = [Convert]::ToInt32($i, 10) - 1
-        if ($i -lt 0 -or $i -ge $certs.count) {
-            throw "Invalid selection made"
-        }
-        return $certs[$i]
-    } else {
-        Write-Host "Found signing certificate: $($certs[0].Subject) ($($certs[0].Thumbprint))" -ForegroundColor Cyan
-        Write-Host
-        return $certs[0]
-    }
-}
-
-function Invoke-SignFiles([string[]] $files, [X509Certificate] $cert, [string] $time) {
-    if ($files.Length -eq 0) {
-        return
-    }
-
-    Write-Host "Signing files using $($cert.Subject) ($($cert.Thumbprint))" -ForegroundColor Cyan
-    
-    foreach ($_ in $files) {
-        $sig = Get-AuthenticodeSignature -FilePath "$_" -ErrorAction SilentlyContinue
-        if ($sig.Status -ne "Valid") {
-            Write-Host "Signing file '$_'"
-            $tmp = Set-AuthenticodeSignature -Certificate $cert -FilePath "$_" -TimestampServer "$Timestamp" -HashAlgorithm "SHA256"
-        }
-    }
-}
-
-function Invoke-GpgSignFiles([string[]] $files, [string] $key) {
-    if ($files.Length -eq 0) {
-        return
-    }
-
-    Write-Host "Signing files using GPG key $key" -ForegroundColor Cyan
-
-    foreach ($_ in $files) {
-        Write-Host "Signing file '$_' and creating DIGEST..."
-        if (Test-Path "$_.sig") {
-            Remove-Item "$_.sig"
-        }
-        Invoke-Cmd "gpg" "--output `"$_.sig`" --armor --local-user `"$key`" --detach-sig `"$_`""
-        $FileName = (Get-Item $_).Name
-        (Get-FileHash "$_" SHA256).Hash + " *$FileName" | Out-File "$_.DIGEST" -NoNewline
-    }
-}
-
-
-# Handle errors and restore state
-$OrigDir = (Get-Location).Path
-$OrigBranch = & git rev-parse --abbrev-ref HEAD
-$ErrorActionPreference = 'Stop'
-trap {
-    Write-Host "Restoring state..." -ForegroundColor Yellow
-    & git checkout $OrigBranch
-    Set-Location "$OrigDir"
-}
-
-Write-Host "KeePassXC Release Preparation Helper" -ForegroundColor Green
-Write-Host "Copyright (C) 2022 KeePassXC Team <https://keepassxc.org/>`n" -ForegroundColor Green
-
-# Prepend extra PATH locations as specified
-if ($ExtraPath) {
-    $env:Path = "$ExtraPath;$env:Path"
-}
-
-# Resolve absolute directory for paths
-$SourceDir = (Resolve-Path $SourceDir).Path
-
-# Check format of -Version
-if ($Version -notmatch "^\d+\.\d+\.\d+(-Beta\d*)?$") {
-    throw "Invalid format for -Version input"
-}
-
-# Check platform
-if (!$IsWindows) {
-    throw "The PowerShell release tool is not available for Linux or macOS at this time."
-}
-
-if ($Merge) {
-    Test-RequiredPrograms
-
-    # Change to SourceDir
-    Set-Location "$SourceDir"
-
-    Test-VersionInFiles
-    Test-WorkingTreeClean
-
-    if (!$SourceBranch.Length) {
-        $SourceBranch = & git branch --show-current
-    }
-
-    if ($SourceBranch -notmatch "^release/.*$") {
-        throw "Must be on a release/* branch to continue."
-    }
-
-    # Update translation files
-    Write-Host "Updating source translation file..."
-    Invoke-Cmd "lupdate" "-no-ui-lines -disable-heuristic similartext -locations none", `
-        "-extensions c,cpp,h,js,mm,qrc,ui -no-obsolete ./src -ts share/translations/keepassxc_en.ts"
-
-    Write-Host "Pulling updated translations from Transifex..."
-    Invoke-Cmd "tx" "pull -af --minimum-perc=60 -r keepassxc.share-translations-keepassxc-en-ts--develop"
-
-    # Only commit if there are changes
-    $changes = & git status --porcelain
-    if ($changes.Length -gt 0) {
-        Write-Host "Committing translation updates..."
-        Invoke-Cmd "git" "add -A ./share/translations/" -quiet
-        Invoke-Cmd "git" "commit -m `"Update translations`"" -quiet
-    }
-
-    # Read the version release notes from CHANGELOG
-    $Changelog = ""
-    $ReadLine = $false
-    Get-Content "CHANGELOG.md" | ForEach-Object {
-        if ($ReadLine) {
-            if ($_ -match "^## ") {
-                $ReadLine = $false
-            } else {
-                $Changelog += $_ + "`n"
-            }
-        } elseif ($_ -match "$Version \(\d{4}-\d{2}-\d{2}\)") {
-            $ReadLine = $true
-        }
-    }
-
-    Write-Host "Creating tag for '$Version'..."
-    $tmp = New-TemporaryFile
-    "Release $Version`n$Changelog" | Out-File $tmp.FullName
-    Invoke-Cmd "git" "tag -a `"$Version`" -F `"$tmp`" -s" -quiet
-    Remove-Item $tmp.FullName -Force
-
-    Write-Host "Moving latest tag..."
-    Invoke-Cmd "git" "tag -f -a `"latest`" -m `"Latest stable release`" -s" -quiet
-
-    Write-Host "All done!"
-    Write-Host "Please merge the release branch back into the develop branch now and then push your changes."
-    Write-Host "Don't forget to also push the tags using 'git push --tags'."
-} elseif ($Build) {
-    $Vcpkg = (Resolve-Path "$Vcpkg/scripts/buildsystems/vcpkg.cmake").Path
-
-    # Find Visual Studio and establish build environment
-    Invoke-VSToolchain $VSToolChain $SourceDir -Arch "amd64"
-
-    if ($SignBuild && !$SignCert) {
-        $SignCert = Find-SignCert
-    }
-
-    Test-RequiredPrograms
-
-    if ($Snapshot) {
-        $Tag = "HEAD"
-        $SourceBranch = & git rev-parse --abbrev-ref HEAD
-        $ReleaseName = "$Version-snapshot"
-        $CMakeOptions = "-DKEEPASSXC_BUILD_TYPE=Snapshot -DOVERRIDE_VERSION=`"$ReleaseName`" $CMakeOptions"
-        Write-Host "Using current branch '$SourceBranch' to build." -ForegroundColor Cyan
-    } else {
-        Test-WorkingTreeClean
-
-        # Clear output directory
-        if (Test-Path $OutDir) {
-            Remove-Item $OutDir -Recurse
-        }
-        
-        if ($Version -match "-beta\d*$") {
-            $CMakeOptions = "-DKEEPASSXC_BUILD_TYPE=PreRelease $CMakeOptions"
-        } else {
-            $CMakeOptions = "-DKEEPASSXC_BUILD_TYPE=Release $CMakeOptions"
-        }
-
-        # Setup Tag if not defined then checkout tag
-        if ($Tag -eq "" -or $Tag -eq $null) {
-            $Tag = $Version
-        }
-        Write-Host "Checking out tag 'tags/$Tag' to build." -ForegroundColor Cyan
-        Invoke-Cmd "git" "checkout `"tags/$Tag`""
-    }
-
-    # Create directories
-    New-Item "$OutDir" -ItemType Directory -Force | Out-Null
-    $OutDir = (Resolve-Path $OutDir).Path
-
-    $BuildDir = "$OutDir\build-release"
-    New-Item "$BuildDir" -ItemType Directory -Force | Out-Null
-
-    # Enter build directory
-    Set-Location "$BuildDir"
-
-    # Setup CMake options
-    $CMakeOptions = "-DWITH_XC_ALL=ON -DWITH_TESTS=OFF -DCMAKE_BUILD_TYPE=Release $CMakeOptions"
-    $CMakeOptions = "-DCMAKE_TOOLCHAIN_FILE:FILEPATH=`"$Vcpkg`" -DX_VCPKG_APPLOCAL_DEPS_INSTALL=ON $CMakeOptions"
-
-    Write-Host "Configuring build..." -ForegroundColor Cyan
-    Invoke-Cmd "cmake" "-G `"$CMakeGenerator`" $CMakeOptions `"$SourceDir`""
-
-    Write-Host "Compiling sources..." -ForegroundColor Cyan
-    Invoke-Cmd "cmake" "--build . --config Release -- $MakeOptions"
-    
-    if ($SignBuild) {
-        $VcpkgDir = $BuildDir + "\vcpkg_installed\"
-        if (Test-Path $VcpkgDir) {
-            $files = Get-ChildItem $VcpkgDir -Filter "*.dll" -Recurse -File | 
-                Where-Object {$_.FullName -notlike "$VcpkgDir*debug\*" -and $_.FullName -notlike "$VcpkgDir*tools\*"} | 
-                ForEach-Object {$_.FullName}
-        }
-        $files += Get-ChildItem "$BuildDir\src" -Include "*keepassxc*.exe", "*keepassxc*.dll" -Recurse -File | ForEach-Object { $_.FullName }
-        Invoke-SignFiles $files $SignCert $Timestamp
-    }
-
-    Write-Host "Create deployment packages..." -ForegroundColor Cyan
-    Invoke-Cmd "cpack" "-G `"$CPackGenerators`""
-    Move-Item "$BuildDir\keepassxc-*" -Destination "$OutDir" -Force
-
-    if ($SignBuild) {
-        # Enter output directory
-        Set-Location -Path "$OutDir"
-
-        # Sign MSI files using AppSign key
-        $files = Get-ChildItem $OutDir -Include "*.msi" -Name
-        Invoke-SignFiles $files $SignCert $Timestamp
-
-        # Sign all output files using the GPG key then hash them
-        $files = Get-ChildItem $OutDir -Include "*.msi", "*.zip" -Name
-        Invoke-GpgSignFiles $files $GpgKey
-    }
-
-    # Restore state
-    Invoke-Command {git checkout $OrigBranch}
-    Set-Location "$OrigDir"
-} elseif ($Sign) {
-    Test-RequiredPrograms
-
-    if (!$SignCert) {
-        $SignCert = Find-SignCert
-    }
-
-    # Resolve wildcard paths
-    $ResolvedFiles = @()
-    foreach ($_ in $SignFiles) {
-        $ResolvedFiles += (Get-ChildItem $_ -File | ForEach-Object { $_.FullName })
-    }
-
-    $AppSignFiles = $ResolvedFiles.Where({ $_ -match "\.(msi|exe|dll)$" })
-    Invoke-SignFiles $AppSignFiles $SignCert $Timestamp
-
-    $GpgSignFiles = $ResolvedFiles.Where({ $_ -match "\.(msi|zip|gz|xz|dmg|appimage)$" })
-    Invoke-GpgSignFiles $GpgSignFiles $GpgKey
-}
-
-# SIG # Begin signature block
-# MIIm2gYJKoZIhvcNAQcCoIImyzCCJscCAQExDzANBglghkgBZQMEAgEFADB5Bgor
-# BgEEAYI3AgEEoGswaTA0BgorBgEEAYI3AgEeMCYCAwEAAAQQH8w7YFlLCE63JNLG
-# KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCDuejql+mhHrYzE
-# MGUrjGMbUzkTkzwhj8dkNuT2x9j8+KCCH8cwggVvMIIEV6ADAgECAhBI/JO0YFWU
-# jTanyYqJ1pQWMA0GCSqGSIb3DQEBDAUAMHsxCzAJBgNVBAYTAkdCMRswGQYDVQQI
-# DBJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAOBgNVBAcMB1NhbGZvcmQxGjAYBgNVBAoM
-# EUNvbW9kbyBDQSBMaW1pdGVkMSEwHwYDVQQDDBhBQUEgQ2VydGlmaWNhdGUgU2Vy
-# dmljZXMwHhcNMjEwNTI1MDAwMDAwWhcNMjgxMjMxMjM1OTU5WjBWMQswCQYDVQQG
-# EwJHQjEYMBYGA1UEChMPU2VjdGlnbyBMaW1pdGVkMS0wKwYDVQQDEyRTZWN0aWdv
-# IFB1YmxpYyBDb2RlIFNpZ25pbmcgUm9vdCBSNDYwggIiMA0GCSqGSIb3DQEBAQUA
-# A4ICDwAwggIKAoICAQCN55QSIgQkdC7/FiMCkoq2rjaFrEfUI5ErPtx94jGgUW+s
-# hJHjUoq14pbe0IdjJImK/+8Skzt9u7aKvb0Ffyeba2XTpQxpsbxJOZrxbW6q5KCD
-# J9qaDStQ6Utbs7hkNqR+Sj2pcaths3OzPAsM79szV+W+NDfjlxtd/R8SPYIDdub7
-# P2bSlDFp+m2zNKzBenjcklDyZMeqLQSrw2rq4C+np9xu1+j/2iGrQL+57g2extme
-# me/G3h+pDHazJyCh1rr9gOcB0u/rgimVcI3/uxXP/tEPNqIuTzKQdEZrRzUTdwUz
-# T2MuuC3hv2WnBGsY2HH6zAjybYmZELGt2z4s5KoYsMYHAXVn3m3pY2MeNn9pib6q
-# RT5uWl+PoVvLnTCGMOgDs0DGDQ84zWeoU4j6uDBl+m/H5x2xg3RpPqzEaDux5mcz
-# mrYI4IAFSEDu9oJkRqj1c7AGlfJsZZ+/VVscnFcax3hGfHCqlBuCF6yH6bbJDoEc
-# QNYWFyn8XJwYK+pF9e+91WdPKF4F7pBMeufG9ND8+s0+MkYTIDaKBOq3qgdGnA2T
-# OglmmVhcKaO5DKYwODzQRjY1fJy67sPV+Qp2+n4FG0DKkjXp1XrRtX8ArqmQqsV/
-# AZwQsRb8zG4Y3G9i/qZQp7h7uJ0VP/4gDHXIIloTlRmQAOka1cKG8eOO7F/05QID
-# AQABo4IBEjCCAQ4wHwYDVR0jBBgwFoAUoBEKIz6W8Qfs4q8p74Klf9AwpLQwHQYD
-# VR0OBBYEFDLrkpr/NZZILyhAQnAgNpFcF4XmMA4GA1UdDwEB/wQEAwIBhjAPBgNV
-# HRMBAf8EBTADAQH/MBMGA1UdJQQMMAoGCCsGAQUFBwMDMBsGA1UdIAQUMBIwBgYE
-# VR0gADAIBgZngQwBBAEwQwYDVR0fBDwwOjA4oDagNIYyaHR0cDovL2NybC5jb21v
-# ZG9jYS5jb20vQUFBQ2VydGlmaWNhdGVTZXJ2aWNlcy5jcmwwNAYIKwYBBQUHAQEE
-# KDAmMCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5jb21vZG9jYS5jb20wDQYJKoZI
-# hvcNAQEMBQADggEBABK/oe+LdJqYRLhpRrWrJAoMpIpnuDqBv0WKfVIHqI0fTiGF
-# OaNrXi0ghr8QuK55O1PNtPvYRL4G2VxjZ9RAFodEhnIq1jIV9RKDwvnhXRFAZ/ZC
-# J3LFI+ICOBpMIOLbAffNRk8monxmwFE2tokCVMf8WPtsAO7+mKYulaEMUykfb9gZ
-# pk+e96wJ6l2CxouvgKe9gUhShDHaMuwV5KZMPWw5c9QLhTkg4IUaaOGnSDip0TYl
-# d8GNGRbFiExmfS9jzpjoad+sPKhdnckcW67Y8y90z7h+9teDnRGWYpquRRPaf9xH
-# +9/DUp/mBlXpnYzyOmJRvOwkDynUWICE5EV7WtgwggYaMIIEAqADAgECAhBiHW0M
-# UgGeO5B5FSCJIRwKMA0GCSqGSIb3DQEBDAUAMFYxCzAJBgNVBAYTAkdCMRgwFgYD
-# VQQKEw9TZWN0aWdvIExpbWl0ZWQxLTArBgNVBAMTJFNlY3RpZ28gUHVibGljIENv
-# ZGUgU2lnbmluZyBSb290IFI0NjAeFw0yMTAzMjIwMDAwMDBaFw0zNjAzMjEyMzU5
-# NTlaMFQxCzAJBgNVBAYTAkdCMRgwFgYDVQQKEw9TZWN0aWdvIExpbWl0ZWQxKzAp
-# BgNVBAMTIlNlY3RpZ28gUHVibGljIENvZGUgU2lnbmluZyBDQSBSMzYwggGiMA0G
-# CSqGSIb3DQEBAQUAA4IBjwAwggGKAoIBgQCbK51T+jU/jmAGQ2rAz/V/9shTUxjI
-# ztNsfvxYB5UXeWUzCxEeAEZGbEN4QMgCsJLZUKhWThj/yPqy0iSZhXkZ6Pg2A2NV
-# DgFigOMYzB2OKhdqfWGVoYW3haT29PSTahYkwmMv0b/83nbeECbiMXhSOtbam+/3
-# 6F09fy1tsB8je/RV0mIk8XL/tfCK6cPuYHE215wzrK0h1SWHTxPbPuYkRdkP05Zw
-# mRmTnAO5/arnY83jeNzhP06ShdnRqtZlV59+8yv+KIhE5ILMqgOZYAENHNX9SJDm
-# +qxp4VqpB3MV/h53yl41aHU5pledi9lCBbH9JeIkNFICiVHNkRmq4TpxtwfvjsUe
-# dyz8rNyfQJy/aOs5b4s+ac7IH60B+Ja7TVM+EKv1WuTGwcLmoU3FpOFMbmPj8pz4
-# 4MPZ1f9+YEQIQty/NQd/2yGgW+ufflcZ/ZE9o1M7a5Jnqf2i2/uMSWymR8r2oQBM
-# dlyh2n5HirY4jKnFH/9gRvd+QOfdRrJZb1sCAwEAAaOCAWQwggFgMB8GA1UdIwQY
-# MBaAFDLrkpr/NZZILyhAQnAgNpFcF4XmMB0GA1UdDgQWBBQPKssghyi47G9IritU
-# pimqF6TNDDAOBgNVHQ8BAf8EBAMCAYYwEgYDVR0TAQH/BAgwBgEB/wIBADATBgNV
-# HSUEDDAKBggrBgEFBQcDAzAbBgNVHSAEFDASMAYGBFUdIAAwCAYGZ4EMAQQBMEsG
-# A1UdHwREMEIwQKA+oDyGOmh0dHA6Ly9jcmwuc2VjdGlnby5jb20vU2VjdGlnb1B1
-# YmxpY0NvZGVTaWduaW5nUm9vdFI0Ni5jcmwwewYIKwYBBQUHAQEEbzBtMEYGCCsG
-# AQUFBzAChjpodHRwOi8vY3J0LnNlY3RpZ28uY29tL1NlY3RpZ29QdWJsaWNDb2Rl
-# U2lnbmluZ1Jvb3RSNDYucDdjMCMGCCsGAQUFBzABhhdodHRwOi8vb2NzcC5zZWN0
-# aWdvLmNvbTANBgkqhkiG9w0BAQwFAAOCAgEABv+C4XdjNm57oRUgmxP/BP6YdURh
-# w1aVcdGRP4Wh60BAscjW4HL9hcpkOTz5jUug2oeunbYAowbFC2AKK+cMcXIBD0Zd
-# OaWTsyNyBBsMLHqafvIhrCymlaS98+QpoBCyKppP0OcxYEdU0hpsaqBBIZOtBajj
-# cw5+w/KeFvPYfLF/ldYpmlG+vd0xqlqd099iChnyIMvY5HexjO2AmtsbpVn0OhNc
-# WbWDRF/3sBp6fWXhz7DcML4iTAWS+MVXeNLj1lJziVKEoroGs9Mlizg0bUMbOalO
-# hOfCipnx8CaLZeVme5yELg09Jlo8BMe80jO37PU8ejfkP9/uPak7VLwELKxAMcJs
-# zkyeiaerlphwoKx1uHRzNyE6bxuSKcutisqmKL5OTunAvtONEoteSiabkPVSZ2z7
-# 6mKnzAfZxCl/3dq3dUNw4rg3sTCggkHSRqTqlLMS7gjrhTqBmzu1L90Y1KWN/Y5J
-# KdGvspbOrTfOXyXvmPL6E52z1NZJ6ctuMFBQZH3pwWvqURR8AgQdULUvrxjUYbHH
-# j95Ejza63zdrEcxWLDX6xWls/GDnVNueKjWUH3fTv1Y8Wdho698YADR7TNx8X8z2
-# Bev6SivBBOHY+uqiirZtg0y9ShQoPzmCcn63Syatatvx157YK9hlcPmVoa1oDE5/
-# L9Uo2bC5a4CH2RwwggZJMIIEsaADAgECAhAGQz/MzOQzqJLMF7dGpYxlMA0GCSqG
-# SIb3DQEBDAUAMFQxCzAJBgNVBAYTAkdCMRgwFgYDVQQKEw9TZWN0aWdvIExpbWl0
-# ZWQxKzApBgNVBAMTIlNlY3RpZ28gUHVibGljIENvZGUgU2lnbmluZyBDQSBSMzYw
-# HhcNMjQwMjIzMDAwMDAwWhcNMjcwMjIyMjM1OTU5WjBgMQswCQYDVQQGEwJVUzER
-# MA8GA1UECAwIVmlyZ2luaWExHjAcBgNVBAoMFURyb2lkTW9ua2V5IEFwcHMsIExM
-# QzEeMBwGA1UEAwwVRHJvaWRNb25rZXkgQXBwcywgTExDMIICIjANBgkqhkiG9w0B
-# AQEFAAOCAg8AMIICCgKCAgEAuJtEjRyetghx6Abi1cpMT88uT6nIcTe3AyUvdSkj
-# CtUM8Gat0YJfqTxokb9dBzJa7j8YWOUU1Yc4EDXoYYtVRE+1UkdPAcXNMf2hNXGI
-# 45iZVwhBPQZBU4QfKltzYqrjAZgDvxeYd68qImjzUfrCY3uZHwEIuCewmNMPpEgb
-# djuSXDyBAKKBtaO2iqyaJpqcC39QnDKlXMicDPqqH5fI7wK7Lg9f4BwOsaO4P68I
-# 3pOv7L/6E5GR9+hTj6txhxFz/yCbDxN1PUvDsGaXjMmVeP2M95fkwOFwut5yBESD
-# IwAGEWUFsTJ32hSmE74+xG6rVqtueayV7U9cGURznSk9ZlTUqQOW9Z4K+pu29gTZ
-# 9zVWlONIsQR7QXfGKZWF+Xik6rTujSRTTsK7QNMYzBI6b9v0nD2pEWuGZDXIO5o5
-# N2HzXEFlwxCFY483yWSObHNBp9PFtiDueqv+8vrN+lsirZlDFCxI6hW+F8oYp3Xx
-# HdSqxsMRTqbO6dUjH2Tyd0G5fbyT8Rid7DbP6p/apzIrdFOM0kdcKLmppYBp7BIn
-# TdjbWJYhtuORIUZQbUOSM71vYCUHj7xkckiYYmkUf0XH8xx8jqgVWseBW63gCEow
-# hCEYxaWt0QGyXJ6UrlV4WTUCWzxm45I5OQoofymUvdutKgr9bR3nJ5yS/c+E3Knq
-# JhkCAwEAAaOCAYkwggGFMB8GA1UdIwQYMBaAFA8qyyCHKLjsb0iuK1SmKaoXpM0M
-# MB0GA1UdDgQWBBQta729krTac3CUndU0S0DdDscjHTAOBgNVHQ8BAf8EBAMCB4Aw
-# DAYDVR0TAQH/BAIwADATBgNVHSUEDDAKBggrBgEFBQcDAzBKBgNVHSAEQzBBMDUG
-# DCsGAQQBsjEBAgEDAjAlMCMGCCsGAQUFBwIBFhdodHRwczovL3NlY3RpZ28uY29t
-# L0NQUzAIBgZngQwBBAEwSQYDVR0fBEIwQDA+oDygOoY4aHR0cDovL2NybC5zZWN0
-# aWdvLmNvbS9TZWN0aWdvUHVibGljQ29kZVNpZ25pbmdDQVIzNi5jcmwweQYIKwYB
-# BQUHAQEEbTBrMEQGCCsGAQUFBzAChjhodHRwOi8vY3J0LnNlY3RpZ28uY29tL1Nl
-# Y3RpZ29QdWJsaWNDb2RlU2lnbmluZ0NBUjM2LmNydDAjBggrBgEFBQcwAYYXaHR0
-# cDovL29jc3Auc2VjdGlnby5jb20wDQYJKoZIhvcNAQEMBQADggGBAJSy5YPCbh9Z
-# suDCKgDuzOWZzNza4/FrA+kT7EitDezYN3S/P0EVc0tPbgYAKfNqY+ihAMyjZHdg
-# ybfBWhGzUTDo+HEipcnZ2pgwPadsw23jJ8MN1tdms9iKDakIQ2MVsB7cGFRU8QjL
-# ovkPdZkyLcjuYbkiZRoNoKlhmrOOf6n1oCwXVJ9ONJijc+Lr3+4EIqZ39ET2+uI9
-# Wg9Bfd9XrDZfYFEcRJjNzRpCtHb26aIzV/XiMWasHRPaII34SzD0BmaPbsLeGW1U
-# GvW3tQcgVNdT/uajegmShVb+c5J5ktRSJ0cqyxmTAYaeMuA6IxG1f6kui1SAFQs2
-# lzlGyEgxgiNGo7cHHN2KidhrBL3U2bGr9Tkdp3gmV+Gj3esCdQzJE4aqmUZvIvHp
-# krair4qbLFZRNozAZJn2SIeQa5u2U0ZmvcAr1C7S3JVLP3t9LKE0mlFkV9pbIU97
-# ND3iH3tO0Zb3SvCK/XjO1PZVb8EXsi67wbfMSWAwi2CETDonb7+gBjCCBuwwggTU
-# oAMCAQICEDAPb6zdZph0fKlGNqd4LbkwDQYJKoZIhvcNAQEMBQAwgYgxCzAJBgNV
-# BAYTAlVTMRMwEQYDVQQIEwpOZXcgSmVyc2V5MRQwEgYDVQQHEwtKZXJzZXkgQ2l0
-# eTEeMBwGA1UEChMVVGhlIFVTRVJUUlVTVCBOZXR3b3JrMS4wLAYDVQQDEyVVU0VS
-# VHJ1c3QgUlNBIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTE5MDUwMjAwMDAw
-# MFoXDTM4MDExODIzNTk1OVowfTELMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0
-# ZXIgTWFuY2hlc3RlcjEQMA4GA1UEBxMHU2FsZm9yZDEYMBYGA1UEChMPU2VjdGln
-# byBMaW1pdGVkMSUwIwYDVQQDExxTZWN0aWdvIFJTQSBUaW1lIFN0YW1waW5nIENB
-# MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAyBsBr9ksfoiZfQGYPyCQ
-# vZyAIVSTuc+gPlPvs1rAdtYaBKXOR4O168TMSTTL80VlufmnZBYmCfvVMlJ5Lslj
-# whObtoY/AQWSZm8hq9VxEHmH9EYqzcRaydvXXUlNclYP3MnjU5g6Kh78zlhJ07/z
-# Obu5pCNCrNAVw3+eolzXOPEWsnDTo8Tfs8VyrC4Kd/wNlFK3/B+VcyQ9ASi8Dw1P
-# s5EBjm6dJ3VV0Rc7NCF7lwGUr3+Az9ERCleEyX9W4L1GnIK+lJ2/tCCwYH64TfUN
-# P9vQ6oWMilZx0S2UTMiMPNMUopy9Jv/TUyDHYGmbWApU9AXn/TGs+ciFF8e4KRmk
-# KS9G493bkV+fPzY+DjBnK0a3Na+WvtpMYMyou58NFNQYxDCYdIIhz2JWtSFzEh79
-# qsoIWId3pBXrGVX/0DlULSbuRRo6b83XhPDX8CjFT2SDAtT74t7xvAIo9G3aJ4oG
-# 0paH3uhrDvBbfel2aZMgHEqXLHcZK5OVmJyXnuuOwXhWxkQl3wYSmgYtnwNe/YOi
-# U2fKsfqNoWTJiJJZy6hGwMnypv99V9sSdvqKQSTUG/xypRSi1K1DHKRJi0E5FAMe
-# KfobpSKupcNNgtCN2mu32/cYQFdz8HGj+0p9RTbB942C+rnJDVOAffq2OVgy728Y
-# UInXT50zvRq1naHelUF6p4MCAwEAAaOCAVowggFWMB8GA1UdIwQYMBaAFFN5v1qq
-# K0rPVIDh2JvAnfKyA2bLMB0GA1UdDgQWBBQaofhhGSAPw0F3RSiO0TVfBhIEVTAO
-# BgNVHQ8BAf8EBAMCAYYwEgYDVR0TAQH/BAgwBgEB/wIBADATBgNVHSUEDDAKBggr
-# BgEFBQcDCDARBgNVHSAECjAIMAYGBFUdIAAwUAYDVR0fBEkwRzBFoEOgQYY/aHR0
-# cDovL2NybC51c2VydHJ1c3QuY29tL1VTRVJUcnVzdFJTQUNlcnRpZmljYXRpb25B
-# dXRob3JpdHkuY3JsMHYGCCsGAQUFBwEBBGowaDA/BggrBgEFBQcwAoYzaHR0cDov
-# L2NydC51c2VydHJ1c3QuY29tL1VTRVJUcnVzdFJTQUFkZFRydXN0Q0EuY3J0MCUG
-# CCsGAQUFBzABhhlodHRwOi8vb2NzcC51c2VydHJ1c3QuY29tMA0GCSqGSIb3DQEB
-# DAUAA4ICAQBtVIGlM10W4bVTgZF13wN6MgstJYQRsrDbKn0qBfW8Oyf0WqC5SVmQ
-# KWxhy7VQ2+J9+Z8A70DDrdPi5Fb5WEHP8ULlEH3/sHQfj8ZcCfkzXuqgHCZYXPO0
-# EQ/V1cPivNVYeL9IduFEZ22PsEMQD43k+ThivxMBxYWjTMXMslMwlaTW9JZWCLjN
-# XH8Blr5yUmo7Qjd8Fng5k5OUm7Hcsm1BbWfNyW+QPX9FcsEbI9bCVYRm5LPFZgb2
-# 89ZLXq2jK0KKIZL+qG9aJXBigXNjXqC72NzXStM9r4MGOBIdJIct5PwC1j53BLwE
-# NrXnd8ucLo0jGLmjwkcd8F3WoXNXBWiap8k3ZR2+6rzYQoNDBaWLpgn/0aGUpk6q
-# PQn1BWy30mRa2Coiwkud8TleTN5IPZs0lpoJX47997FSkc4/ifYcobWpdR9xv1tD
-# XWU9UIFuq/DQ0/yysx+2mZYm9Dx5i1xkzM3uJ5rloMAMcofBbk1a0x7q8ETmMm8c
-# 6xdOlMN4ZSA7D0GqH+mhQZ3+sbigZSo04N6o+TzmwTC7wKBjLPxcFgCo0MR/6hGd
-# HgbGpm0yXbQ4CStJB6r97DDa8acvz7f9+tCjhNknnvsBZne5VhDhIG7GrrH5trrI
-# NV0zdo7xfCAMKneutaIChrop7rRaALGMq+P5CslUXdS5anSevUiumDCCBvUwggTd
-# oAMCAQICEDlMJeF8oG0nqGXiO9kdItQwDQYJKoZIhvcNAQEMBQAwfTELMAkGA1UE
-# BhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4GA1UEBxMHU2Fs
-# Zm9yZDEYMBYGA1UEChMPU2VjdGlnbyBMaW1pdGVkMSUwIwYDVQQDExxTZWN0aWdv
-# IFJTQSBUaW1lIFN0YW1waW5nIENBMB4XDTIzMDUwMzAwMDAwMFoXDTM0MDgwMjIz
-# NTk1OVowajELMAkGA1UEBhMCR0IxEzARBgNVBAgTCk1hbmNoZXN0ZXIxGDAWBgNV
-# BAoTD1NlY3RpZ28gTGltaXRlZDEsMCoGA1UEAwwjU2VjdGlnbyBSU0EgVGltZSBT
-# dGFtcGluZyBTaWduZXIgIzQwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoIC
-# AQCkkyhSS88nh3akKRyZOMDnDtTRHOxoywFk5IrNd7BxZYK8n/yLu7uVmPslEY5a
-# iAlmERRYsroiW+b2MvFdLcB6og7g4FZk7aHlgSByIGRBbMfDCPrzfV3vIZrCftcs
-# w7oRmB780yAIQrNfv3+IWDKrMLPYjHqWShkTXKz856vpHBYusLA4lUrPhVCrZwMl
-# obs46Q9vqVqakSgTNbkf8z3hJMhrsZnoDe+7TeU9jFQDkdD8Lc9VMzh6CRwH0SLg
-# Y4anvv3Sg3MSFJuaTAlGvTS84UtQe3LgW/0Zux88ahl7brstRCq+PEzMrIoEk8ZX
-# hqBzNiuBl/obm36Ih9hSeYn+bnc317tQn/oYJU8T8l58qbEgWimro0KHd+D0TAJI
-# 3VilU6ajoO0ZlmUVKcXtMzAl5paDgZr2YGaQWAeAzUJ1rPu0kdDF3QFAaraoEO72
-# jXq3nnWv06VLGKEMn1ewXiVHkXTNdRLRnG/kXg2b7HUm7v7T9ZIvUoXo2kRRKqLM
-# AMqHZkOjGwDvorWWnWKtJwvyG0rJw5RCN4gghKiHrsO6I3J7+FTv+GsnsIX1p0OF
-# 2Cs5dNtadwLRpPr1zZw9zB+uUdB7bNgdLRFCU3F0wuU1qi1SEtklz/DT0JFDEtcy
-# fZhs43dByP8fJFTvbq3GPlV78VyHOmTxYEsFT++5L+wJEwIDAQABo4IBgjCCAX4w
-# HwYDVR0jBBgwFoAUGqH4YRkgD8NBd0UojtE1XwYSBFUwHQYDVR0OBBYEFAMPMciR
-# KpO9Y/PRXU2kNA/SlQEYMA4GA1UdDwEB/wQEAwIGwDAMBgNVHRMBAf8EAjAAMBYG
-# A1UdJQEB/wQMMAoGCCsGAQUFBwMIMEoGA1UdIARDMEEwNQYMKwYBBAGyMQECAQMI
-# MCUwIwYIKwYBBQUHAgEWF2h0dHBzOi8vc2VjdGlnby5jb20vQ1BTMAgGBmeBDAEE
-# AjBEBgNVHR8EPTA7MDmgN6A1hjNodHRwOi8vY3JsLnNlY3RpZ28uY29tL1NlY3Rp
-# Z29SU0FUaW1lU3RhbXBpbmdDQS5jcmwwdAYIKwYBBQUHAQEEaDBmMD8GCCsGAQUF
-# BzAChjNodHRwOi8vY3J0LnNlY3RpZ28uY29tL1NlY3RpZ29SU0FUaW1lU3RhbXBp
-# bmdDQS5jcnQwIwYIKwYBBQUHMAGGF2h0dHA6Ly9vY3NwLnNlY3RpZ28uY29tMA0G
-# CSqGSIb3DQEBDAUAA4ICAQBMm2VY+uB5z+8VwzJt3jOR63dY4uu9y0o8dd5+lG3D
-# IscEld9laWETDPYMnvWJIF7Bh8cDJMrHpfAm3/j4MWUN4OttUVemjIRSCEYcKsLe
-# 8tqKRfO+9/YuxH7t+O1ov3pWSOlh5Zo5d7y+upFkiHX/XYUWNCfSKcv/7S3a/76T
-# DOxtog3Mw/FuvSGRGiMAUq2X1GJ4KoR5qNc9rCGPcMMkeTqX8Q2jo1tT2KsAulj7
-# NYBPXyhxbBlewoNykK7gxtjymfvqtJJlfAd8NUQdrVgYa2L73mzECqls0yFGcNwv
-# jXVMI8JB0HqWO8NL3c2SJnR2XDegmiSeTl9O048P5RNPWURlS0Nkz0j4Z2e5Tb/M
-# DbE6MNChPUitemXk7N/gAfCzKko5rMGk+al9NdAyQKCxGSoYIbLIfQVxGksnNqrg
-# mByDdefHfkuEQ81D+5CXdioSrEDBcFuZCkD6gG2UYXvIbrnIZ2ckXFCNASDeB/cB
-# 1PguEc2dg+X4yiUcRD0n5bCGRyoLG4R2fXtoT4239xO07aAt7nMP2RC6nZksfNd1
-# H48QxJTmfiTllUqIjCfWhWYd+a5kdpHoSP7IVQrtKcMf3jimwBT7Mj34qYNiNsjD
-# vgCHHKv6SkIciQPc9Vx8cNldeE7un14g5glqfCsIo0j1FfwET9/NIRx65fWOGtS5
-# QDGCBmkwggZlAgEBMGgwVDELMAkGA1UEBhMCR0IxGDAWBgNVBAoTD1NlY3RpZ28g
-# TGltaXRlZDErMCkGA1UEAxMiU2VjdGlnbyBQdWJsaWMgQ29kZSBTaWduaW5nIENB
-# IFIzNgIQBkM/zMzkM6iSzBe3RqWMZTANBglghkgBZQMEAgEFAKCBhDAYBgorBgEE
-# AYI3AgEMMQowCKACgAChAoAAMBkGCSqGSIb3DQEJAzEMBgorBgEEAYI3AgEEMBwG
-# CisGAQQBgjcCAQsxDjAMBgorBgEEAYI3AgEVMC8GCSqGSIb3DQEJBDEiBCCn5BDd
-# F+7Q6LMoJuJxenFHgWAZjm1CET9oBKnlZKClzjANBgkqhkiG9w0BAQEFAASCAgAS
-# ypiTBQb39I43fGdH6t2OYAl53TSbJfPG99/11OYS+6nMTKhy7dHtzzgMFxBQmL/L
-# P4eJJMqh1yIYEjrjhNLLddRhVP2lfsuQ1OkLVx5lS8M32I3SzpskOe+SywMLDYJy
-# sYHEcZkyQX0Q2J/RGzF8/tDcltZodYEdZrQdaAKo7bGv1JcYpW7B6JZnNjquE90d
-# WVNAsQ6Mc3kzkjbs2qDaRAdkOmX5uENWbNf1GgTRpud7Ic5hMyb4v9qfWAptlFuO
-# pLHyuINNsBuTfzD/cGVR9qecDPIE90UnHQHZWws9U+m84CzAmqpptp4VhrAWc7Hc
-# bHsbmg4tGA41ythKyERpW9YlwID6fJYMigEVmJihXdM/qRGO2XdfbPAr0C0AMPIV
-# re8r86BJw1lxJJYL2gsS/ttgrnW2C8aFq+IxxXWnv/7maPG69K/jmRLQGZuLIZCl
-# 7rT6hob37zZMsdnqDZ0DjJb/FGonJr7GpyeMEWPy8eVwZydMbC9hBl8HNgQ04sp7
-# ouskM1nCco9DV+d1Y6Oyje6IylZjD+xgX7VfsDa2O3Lw27cfyxJBW359meYHytkJ
-# oYqh4Y4fC9YlYTD3913ryqTbPaWtWjvFV+GR8biHxDoTmTRuNaeN6RDyyZJkdON7
-# CnR/8X8y4C9BXdesvjfIdhHZsGwLJcZ87cnYGb7oYqGCA0swggNHBgkqhkiG9w0B
-# CQYxggM4MIIDNAIBATCBkTB9MQswCQYDVQQGEwJHQjEbMBkGA1UECBMSR3JlYXRl
-# ciBNYW5jaGVzdGVyMRAwDgYDVQQHEwdTYWxmb3JkMRgwFgYDVQQKEw9TZWN0aWdv
-# IExpbWl0ZWQxJTAjBgNVBAMTHFNlY3RpZ28gUlNBIFRpbWUgU3RhbXBpbmcgQ0EC
-# EDlMJeF8oG0nqGXiO9kdItQwDQYJYIZIAWUDBAICBQCgeTAYBgkqhkiG9w0BCQMx
-# CwYJKoZIhvcNAQcBMBwGCSqGSIb3DQEJBTEPFw0yNDA0MjgyMjE0MzdaMD8GCSqG
-# SIb3DQEJBDEyBDARWlO4ZY7Qij7x/efLB7SJrHgfXJwezYW7sskwZhfhnoQ8JQ8Q
-# HfefvIk4nF1+1PkwDQYJKoZIhvcNAQEBBQAEggIAWpBgtEaYVRayRmCTjyOoKg0b
-# 2vXn3dqpcpckspX4t58xHLbhapGm3Akg9N6C0xZWm9qQ9vhjoOeuLZ0Z+017JRUe
-# YExYYIYcyNGlxyt/uXiBst8KiAFFzn6RwIjycQcsnOsGRBAz2E9/k7wGtdg8kqBI
-# Q71cDl+seRjWVcTR4JgthphZuRTKS1Jxn3tjDNJuK+LFo4jL38ojxhhdOnb3xzZ0
-# M1AQ+l2YuDxBX4H9aZsbiTfdI1mxvmPgmZbq4fjV28TUCiBhD1UYuHUPN3Ff9Fwo
-# 9BMbTLvKqED8Mm9A25S4M8kVZsGt8j3EAt0AJaWbdHLpLC0l0ykDAcSiwZNYsdMu
-# vN0q6z5knfhKv4M8FXQ2wu8pbPww7/4kBqqy9L8VMI8UIazG9Z/R7yhkZjEz3jgc
-# a/VZMcsDn41B79/9eSx4wED7NYtc0T6DB8WFH1a2CqlORSHnRolnms+VjWerfmZP
-# a9lV7Sk1gGZ+MePsWwXj7liURI/ubTtPtxWElWuYookkQMmrOJYj+IZCW4RvV3I3
-# utzHUwfbBaON3Mq46ADayLxKP2SE9j3JXpl4mZeWXdYUrywt2TgQktCXT7iZOinl
-# dbx1tso5uDAj1DQDiTm4Nps+UWjyo2bZB/g1ONMqxPDIuY75HryfmJDlvCMp80Tk
-# cJchA5s/dVwNSWKti4Q=
-# SIG # End signature block

share/CMakeLists.txt

@@ -58,14 +58,15 @@ if(UNIX AND NOT APPLE AND NOT HAIKU)
                 EXCLUDE PATTERN "actions" EXCLUDE PATTERN "categories" EXCLUDE)
     endif(KEEPASSXC_DIST_FLATPAK)
     configure_file(linux/${APP_ID}.desktop.in ${CMAKE_CURRENT_BINARY_DIR}/linux/${APP_ID}.desktop @ONLY)
+    configure_file(linux/${APP_ID}.policy.in ${CMAKE_CURRENT_BINARY_DIR}/linux/${APP_ID}.policy @ONLY)
+
     install(FILES ${CMAKE_CURRENT_BINARY_DIR}/linux/${APP_ID}.desktop DESTINATION ${CMAKE_INSTALL_DATADIR}/applications)
+    if("${CMAKE_SYSTEM}" MATCHES "Linux")
+      install(FILES ${CMAKE_CURRENT_BINARY_DIR}/linux/${APP_ID}.policy DESTINATION ${CMAKE_INSTALL_DATADIR}/polkit-1/actions)
+    endif()
     install(FILES linux/${APP_ID}.appdata.xml DESTINATION ${CMAKE_INSTALL_DATADIR}/metainfo)
 endif(UNIX AND NOT APPLE AND NOT HAIKU)
 
-if(APPLE)
-  install(FILES macosx/keepassxc.icns DESTINATION ${DATA_INSTALL_DIR})
-endif()
-
 if(WIN32)
   install(FILES windows/qt.conf DESTINATION ${BIN_INSTALL_DIR})
 endif()
@@ -74,16 +75,28 @@ install(FILES icons/application/256x256/apps/keepassxc.png DESTINATION ${DATA_IN
 
 add_custom_target(icons)
 add_custom_command(TARGET icons
+        POST_BUILD
         COMMAND bash ./icons/minify.sh
         WORKING_DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR})
 if(APPLE)
     add_custom_command(TARGET icons
-            COMMAND png2icns macosx/keepassxc.icns icons/application/256x256/apps/keepassxc.png
+            POST_BUILD
+            COMMAND xcrun actool share/macosx/keepassxc.icon
+                --compile share/macosx
+                --output-partial-info-plist /dev/null
+                --app-icon keepassxc
+                --include-all-app-icons
+                --enable-on-demand-resources NO
+                --target-device mac
+                --minimum-deployment-target 11.0
+                --platform macosx
+                --output-format human-readable-text
             WORKING_DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR})
 endif()
 
 # ICO for Windows
 add_custom_command(TARGET icons
+    POST_BUILD
     COMMAND bash ./windows/create-ico.sh icons/application/scalable/apps/keepassxc.svg windows/keepassxc.ico
     COMMAND bash ./windows/create-ico.sh icons/application/scalable/mimetypes/application-x-keepassxc.svg windows/keepassxc-kdbx.ico
     WORKING_DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR})

share/demo.key

@@ -1 +0,0 @@
-secret

share/demo_readme.md

@@ -0,0 +1,3 @@
+This is a demo database to showcase some of the features of KeePassXC
+
+The password to unlock demo.kdbx is: secret

share/icons/application/scalable/actions/arrow-collapse-down.svg

@@ -0,0 +1 @@
+<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M19.92,12.08L12,20L4.08,12.08L5.5,10.67L11,16.17V2H13V16.17L18.5,10.66L19.92,12.08M12,20H2V22H22V20H12Z" /></svg>

share/icons/application/scalable/actions/database-settings.svg

@@ -0,0 +1 @@
+<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M12 14C9.58 14 7.3 13.4 6 12.45V9.64C7.47 10.47 9.61 11 12 11S16.53 10.47 18 9.64V12.08C18.33 12.03 18.66 12 19 12C19.34 12 19.67 12.03 20 12.08V7C20 4.79 16.42 3 12 3S4 4.79 4 7V17C4 19.21 7.59 21 12 21C12.1 21 12.2 21 12.29 21C12.11 20.36 12 19.69 12 19C8.13 19 6 17.5 6 17V14.77C7.61 15.55 9.72 16 12 16C12.24 16 12.47 16 12.7 15.97C13.1 15.14 13.65 14.41 14.32 13.81C13.58 13.93 12.8 14 12 14M12 5C15.87 5 18 6.5 18 7S15.87 9 12 9 6 7.5 6 7 8.13 5 12 5M22.7 19.6V18.6L23.8 17.8C23.9 17.7 24 17.6 23.9 17.5L22.9 15.8C22.9 15.7 22.7 15.7 22.6 15.7L21.4 16.2C21.1 16 20.8 15.8 20.5 15.7L20.3 14.4C20.3 14.3 20.2 14.2 20.1 14.2H18.1C17.9 14.2 17.8 14.3 17.8 14.4L17.6 15.7C17.3 15.9 17.1 16 16.8 16.2L15.6 15.7C15.5 15.7 15.4 15.7 15.3 15.8L14.3 17.5C14.3 17.6 14.3 17.7 14.4 17.8L15.5 18.6V19.6L14.4 20.4C14.3 20.5 14.2 20.6 14.3 20.7L15.3 22.4C15.4 22.5 15.5 22.5 15.6 22.5L16.8 22C17 22.2 17.3 22.4 17.6 22.5L17.8 23.8C17.9 23.9 18 24 18.1 24H20.1C20.2 24 20.3 23.9 20.3 23.8L20.5 22.5C20.8 22.3 21 22.2 21.3 22L22.5 22.4C22.6 22.4 22.7 22.4 22.8 22.3L23.8 20.6C23.9 20.5 23.9 20.4 23.8 20.4L22.7 19.6M19 20.5C18.2 20.5 17.5 19.8 17.5 19S18.2 17.5 19 17.5 20.5 18.2 20.5 19 19.8 20.5 19 20.5Z" /></svg>

share/icons/application/scalable/actions/entry-delete.svg

@@ -1 +1 @@
-<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"><svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1" id="mdi-close-circle-outline" width="24" height="24" viewBox="0 0 24 24"><path d="M12,20C7.59,20 4,16.41 4,12C4,7.59 7.59,4 12,4C16.41,4 20,7.59 20,12C20,16.41 16.41,20 12,20M12,2C6.47,2 2,6.47 2,12C2,17.53 6.47,22 12,22C17.53,22 22,17.53 22,12C22,6.47 17.53,2 12,2M14.59,8L12,10.59L9.41,8L8,9.41L10.59,12L8,14.59L9.41,16L12,13.41L14.59,16L16,14.59L13.41,12L16,9.41L14.59,8Z" /></svg>
+<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M12,2A10,10 0 0,1 22,12A10,10 0 0,1 12,22A10,10 0 0,1 2,12A10,10 0 0,1 12,2M12,4A8,8 0 0,0 4,12A8,8 0 0,0 12,20A8,8 0 0,0 20,12A8,8 0 0,0 12,4M16,10V17A1,1 0 0,1 15,18H9A1,1 0 0,1 8,17V10H16M13.5,6L14.5,7H17V9H7V7H9.5L10.5,6H13.5Z" /></svg>

share/icons/application/scalable/actions/entry-expire.svg

@@ -0,0 +1 @@
+<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M9 8H11V14H9V8M13 1H7V3H13V1M17.03 7.39C18.26 8.93 19 10.88 19 13C19 17.97 15 22 10 22C5.03 22 1 17.97 1 13S5.03 4 10 4C12.12 4 14.07 4.74 15.62 6L17.04 4.56C17.55 5 18 5.46 18.45 5.97L17.03 7.39M17 13C17 9.13 13.87 6 10 6S3 9.13 3 13 6.13 20 10 20 17 16.87 17 13M21 7V13H23V7H21M21 17H23V15H21V17Z" /></svg>

share/icons/application/scalable/actions/lock-open-alert.svg

@@ -0,0 +1 @@
+<svg viewBox="0 0 24 24" xmlns="http://www.w3.org/2000/svg" xml:space="preserve" style="fill-rule:evenodd;clip-rule:evenodd;stroke-linejoin:round;stroke-miterlimit:2"><path d="M22.326 14.864h-2.652v-12h2.652v12m0 5h-2.652v-3h2.652v3Z" style="fill-rule:nonzero" transform="matrix(1.13122 0 0 1 -1.2557 2.1364)"/><path d="M18 8c1.097 0 2 .903 2 2v10c0 1.097-.903 2-2 2H6c-1.11 0-2-.9-2-2V10c0-1.097.903-2 2-2h9V6c0-1.646-1.354-3-3-3S9 4.354 9 6H7c0-2.743 2.257-5 5-5s5 2.257 5 5v2h1m-6 9c1.097 0 2-.903 2-2s-.903-2-2-2-2 .903-2 2 .903 2 2 2Z" style="fill-rule:nonzero" transform="translate(-1)"/></svg>

share/icons/application/scalable/actions/lock-open.svg

@@ -0,0 +1 @@
+<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M18,8A2,2 0 0,1 20,10V20A2,2 0 0,1 18,22H6C4.89,22 4,21.1 4,20V10A2,2 0 0,1 6,8H15V6A3,3 0 0,0 12,3A3,3 0 0,0 9,6H7A5,5 0 0,1 12,1A5,5 0 0,1 17,6V8H18M12,17A2,2 0 0,0 14,15A2,2 0 0,0 12,13A2,2 0 0,0 10,15A2,2 0 0,0 12,17Z" /></svg>

share/icons/application/scalable/actions/lock.svg

@@ -0,0 +1 @@
+<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M12,17A2,2 0 0,0 14,15C14,13.89 13.1,13 12,13A2,2 0 0,0 10,15A2,2 0 0,0 12,17M18,8A2,2 0 0,1 20,10V20A2,2 0 0,1 18,22H6A2,2 0 0,1 4,20V10C4,8.89 4.9,8 6,8H7V6A5,5 0 0,1 12,1A5,5 0 0,1 17,6V8H18M12,3A3,3 0 0,0 9,6V8H15V6A3,3 0 0,0 12,3Z" /></svg>

share/icons/application/scalable/actions/proton.svg

@@ -0,0 +1 @@
+<svg viewBox="0 0 128 128" xmlns="http://www.w3.org/2000/svg" xml:space="preserve" style="fill-rule:evenodd;clip-rule:evenodd;stroke-linejoin:round;stroke-miterlimit:2"><path d="M22.5 101.382V88.3094c0-9.1756 7.4383-16.6154 16.6154-16.6154l11.528.1398c12.5786 0 21.5115-2.3424 26.7973-7.0258 5.2858-4.6835 7.9851-8.4576 7.9851-16.9566 0-6.1551-1.6287-11.224-4.7734-15.5733-3.0775-4.4165-7.1586-7.3271-12.2445-8.7317-3.2789-.8707-9.334-1.3047-18.1656-1.3047l-9.1856-.1284v28.1362H22.5V4.75l26.1364.1284c9.768 0 17.2292.4682 22.3808 1.4046 7.2271 1.2048 13.2823 3.513 18.167 6.926 4.8847 3.3445 8.7988 8.0622 11.7422 14.1516 3.0119 6.088 4.5735 12.5958 4.5735 19.89 0 12.5115-4.0382 20.301-12.0005 28.9998-7.9623 8.6303-22.9161 12.4345-43.7268 12.4345 0 0-7.5968.1384-8.716.1384-8.4061 0-15.6061 5.2016-18.5566 12.5586ZM22.5 124.2501c0-13.2305 8.192-24.0806 18.5567-24.9993v24.902L22.5 124.25Z"/></svg>

share/icons/application/scalable/actions/remote-sync.svg

@@ -0,0 +1 @@
+<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M13.03 18C13.08 18.7 13.24 19.38 13.5 20H6.5C5 20 3.69 19.5 2.61 18.43C1.54 17.38 1 16.09 1 14.58C1 13.28 1.39 12.12 2.17 11.1S4 9.43 5.25 9.15C5.67 7.62 6.5 6.38 7.75 5.43S10.42 4 12 4C13.95 4 15.6 4.68 16.96 6.04C18.32 7.4 19 9.05 19 11C19.04 11 19.07 11 19.1 11C18.36 11.07 17.65 11.23 17 11.5V11C17 9.62 16.5 8.44 15.54 7.46C14.56 6.5 13.38 6 12 6S9.44 6.5 8.46 7.46C7.5 8.44 7 9.62 7 11H6.5C5.53 11 4.71 11.34 4.03 12.03C3.34 12.71 3 13.53 3 14.5S3.34 16.29 4.03 17C4.71 17.66 5.53 18 6.5 18H13.03M19 13.5V12L16.75 14.25L19 16.5V15C20.38 15 21.5 16.12 21.5 17.5C21.5 17.9 21.41 18.28 21.24 18.62L22.33 19.71C22.75 19.08 23 18.32 23 17.5C23 15.29 21.21 13.5 19 13.5M19 20C17.62 20 16.5 18.88 16.5 17.5C16.5 17.1 16.59 16.72 16.76 16.38L15.67 15.29C15.25 15.92 15 16.68 15 17.5C15 19.71 16.79 21.5 19 21.5V23L21.25 20.75L19 18.5V20Z" /></svg>

share/icons/application/scalable/actions/reports.svg

@@ -1 +1 @@
-<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"><svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1" id="mdi-lightbulb-on-outline" width="24" height="24" viewBox="0 0 24 24"><path d="M20,11H23V13H20V11M1,11H4V13H1V11M13,1V4H11V1H13M4.92,3.5L7.05,5.64L5.63,7.05L3.5,4.93L4.92,3.5M16.95,5.63L19.07,3.5L20.5,4.93L18.37,7.05L16.95,5.63M12,6A6,6 0 0,1 18,12C18,14.22 16.79,16.16 15,17.2V19A1,1 0 0,1 14,20H10A1,1 0 0,1 9,19V17.2C7.21,16.16 6,14.22 6,12A6,6 0 0,1 12,6M14,21V22A1,1 0 0,1 13,23H11A1,1 0 0,1 10,22V21H14M11,18H13V15.87C14.73,15.43 16,13.86 16,12A4,4 0 0,0 12,8A4,4 0 0,0 8,12C8,13.86 9.27,15.43 11,15.87V18Z" /></svg>
+<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M20 16V4H8V16M22 16C22 17.1 21.1 18 20 18H8C6.9 18 6 17.1 6 16V4C6 2.9 6.9 2 8 2H20C21.1 2 22 2.9 22 4M16 20V22H4C2.9 22 2 21.1 2 20V7H4V20M16 11H18V14H16M13 6H15V14H13M10 8H12V14H10Z" /></svg>

share/icons/application/scalable/actions/totp-invalid.svg

@@ -0,0 +1 @@
+<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M14.47 15.08L11 13V7H12.5V12.25L15.58 14.08C15.17 14.36 14.79 14.7 14.47 15.08M13.08 19.92C12.72 19.97 12.37 20 12 20C7.58 20 4 16.42 4 12S7.58 4 12 4 20 7.58 20 12C20 12.37 19.97 12.72 19.92 13.08C20.61 13.18 21.25 13.4 21.84 13.72C21.94 13.16 22 12.59 22 12C22 6.5 17.5 2 12 2S2 6.5 2 12C2 17.5 6.47 22 12 22C12.59 22 13.16 21.94 13.72 21.84C13.4 21.25 13.18 20.61 13.08 19.92M21.12 15.46L19 17.59L16.88 15.47L15.47 16.88L17.59 19L15.47 21.12L16.88 22.54L19 20.41L21.12 22.54L22.54 21.12L20.41 19L22.54 16.88L21.12 15.46Z" /></svg>

share/icons/icons.qrc

@@ -6,6 +6,7 @@
         <file>application/256x256/apps/keepassxc.png</file>
 
         <file>application/scalable/actions/application-exit.svg</file>
+        <file>application/scalable/actions/arrow-collapse-down.svg</file>
         <file>application/scalable/actions/attributes-copy.svg</file>
         <file>application/scalable/actions/auto-type.svg</file>
         <file>application/scalable/actions/bitwarden.svg</file>
@@ -20,6 +21,7 @@
         <file>application/scalable/actions/database-lock-all.svg</file>
         <file>application/scalable/actions/database-merge.svg</file>
         <file>application/scalable/actions/database-search.svg</file>
+        <file>application/scalable/actions/database-settings.svg</file>
         <file>application/scalable/actions/dialog-close.svg</file>
         <file>application/scalable/actions/dialog-ok.svg</file>
         <file>application/scalable/actions/document-close.svg</file>
@@ -38,6 +40,7 @@
         <file>application/scalable/actions/edit-clear-locationbar-rtl.svg</file>
         <file>application/scalable/actions/entry-clone.svg</file>
         <file>application/scalable/actions/entry-delete.svg</file>
+        <file>application/scalable/actions/entry-expire.svg</file>
         <file>application/scalable/actions/entry-restore.svg</file>
         <file>application/scalable/actions/entry-edit.svg</file>
         <file>application/scalable/actions/entry-new.svg</file>
@@ -55,6 +58,9 @@
         <file>application/scalable/actions/hibp.svg</file>
         <file>application/scalable/actions/lock-question.svg</file>
         <file>application/scalable/actions/keyboard-shortcuts.svg</file>
+        <file>application/scalable/actions/lock.svg</file>
+        <file>application/scalable/actions/lock-open.svg</file>
+        <file>application/scalable/actions/lock-open-alert.svg</file>
         <file>application/scalable/actions/message-close.svg</file>
         <file>application/scalable/actions/move-down.svg</file>
         <file>application/scalable/actions/move-up.svg</file>
@@ -67,8 +73,10 @@
         <file>application/scalable/actions/password-generator.svg</file>
         <file>application/scalable/actions/password-show-off.svg</file>
         <file>application/scalable/actions/password-show-on.svg</file>
+        <file>application/scalable/actions/proton.svg</file>
         <file>application/scalable/actions/qrcode.svg</file>
         <file>application/scalable/actions/refresh.svg</file>
+        <file>application/scalable/actions/remote-sync.svg</file>
         <file>application/scalable/actions/reports.svg</file>
         <file>application/scalable/actions/reports-exclude.svg</file>
         <file>application/scalable/actions/sort-alphabetical-ascending.svg</file>
@@ -84,6 +92,7 @@
         <file>application/scalable/actions/totp-copy.svg</file>
         <file>application/scalable/actions/totp-copy-password.svg</file>
         <file>application/scalable/actions/totp-edit.svg</file>
+        <file>application/scalable/actions/totp-invalid.svg</file>
         <file>application/scalable/actions/trash.svg</file>
         <file>application/scalable/actions/url-copy.svg</file>
         <file>application/scalable/actions/user-guide.svg</file>

share/linux/appimage-apprun.sh

@@ -0,0 +1,15 @@
+#!/usr/bin/env bash
+
+export PATH="$(dirname $0)/usr/bin:${PATH}"
+
+if [ "$1" == "cli" ] || [ "$(basename "$ARGV0")" == "keepassxc-cli" ] || [ "$(basename "$ARGV0")" == "keepassxc-cli.AppImage" ]; then
+    [ "$1" == "cli" ] && shift
+    exec keepassxc-cli "$@"
+elif  [ "$1" == "proxy" ] || [ "$(basename "$ARGV0")" == "keepassxc-proxy" ] || [ "$(basename "$ARGV0")" == "keepassxc-proxy.AppImage" ]; then
+    [ "$1" == "proxy" ] && shift
+    exec keepassxc-proxy "$@"
+elif [ -v CHROME_WRAPPER ] || [ -v MOZ_LAUNCHED_CHILD ] || [ "$2" == "keepassxc-browser@keepassxc.org" ]; then
+    exec keepassxc-proxy "$@"
+else
+    exec keepassxc "$@"
+fi

share/linux/org.keepassxc.KeePassXC.desktop.in

@@ -39,7 +39,7 @@ Exec=keepassxc %f
 TryExec=keepassxc
 Icon=@APP_ICON_NAME@
 StartupWMClass=keepassxc
-StartupNotify=true
+StartupNotify=false
 Terminal=false
 Type=Application
 Version=1.5
@@ -47,3 +47,5 @@ Categories=Utility;Security;Qt;
 MimeType=application/x-keepass2;
 SingleMainWindow=true
 X-GNOME-SingleWindow=true
+Keywords=security;privacy;password-manager;yubikey;password;keepass;
+Keywords[de]=sicherheit;privatsphäre;passwort-manager;yubikey;passwort;keepass;

share/linux/org.keepassxc.KeePassXC.policy.in

@@ -0,0 +1,18 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!DOCTYPE policyconfig PUBLIC
+ "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
+ "http://www.freedesktop.org/standards/PolicyKit/1.0/policyconfig.dtd">
+<policyconfig>
+  <vendor>KeePassXC Developers</vendor>
+  <vendor_url></vendor_url>
+  <icon_name>@APP_ICON_NAME@</icon_name>
+  
+  <action id="org.keepassxc.KeePassXC.unlockDatabase">
+    <description>Quick Unlock for a KeePassXC Database</description>
+    <message>Authentication is required to unlock a KeePassXC Database</message>
+    <defaults>
+      <allow_inactive>no</allow_inactive>
+      <allow_active>auth_self</allow_active>
+    </defaults>
+  </action>
+</policyconfig>

share/macosx/Info.plist.cmake

@@ -13,9 +13,11 @@
   <key>CFBundleExecutable</key>
   <string>${PROGNAME}</string>
   <key>CFBundleIconFile</key>
-  <string>keepassxc.icns</string>
+  <string>${MACOSX_BUNDLE_ICON_NAME}.icns</string>
+  <key>CFBundleIconName</key>
+  <string>${MACOSX_BUNDLE_ICON_NAME}</string>
   <key>CFBundleIdentifier</key>
-  <string>org.keepassxc.keepassxc</string>
+  <string>${MACOSX_BUNDLE_IDENTIFIER}</string>
   <key>CFBundleInfoDictionaryVersion</key>
   <string>6.0</string>
   <key>CFBundleName</key>

share/macosx/keepassxc.icon/Assets/macos-comp-bg-green.svg

@@ -0,0 +1 @@
+<?xml version="1.0" encoding="UTF-8"?><svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" viewBox="0 0 128 128"><defs><style>.cls-1{fill:none;}.cls-2{fill:url(#radial-gradient-2);mix-blend-mode:lighten;opacity:.7;}.cls-3{fill:url(#radial-gradient);}.cls-4{isolation:isolate;}</style><radialGradient id="radial-gradient" cx="315.9556" cy="395.3416" fx="315.9556" fy="395.3416" r="239.1689" gradientTransform="translate(-46.999 -42.8948) scale(.3539 .2026)" gradientUnits="userSpaceOnUse"><stop offset="0" stop-color="#2e6b26"/><stop offset="1" stop-color="#6ab536"/></radialGradient><radialGradient id="radial-gradient-2" cx="314.1662" cy="394.0804" fx="314.1662" fy="394.0804" r="46.7089" gradientTransform="translate(-46.999 -102.0755) scale(.3539)" gradientUnits="userSpaceOnUse"><stop offset="0" stop-color="#6ab536"/><stop offset="1" stop-color="#2e6b26"/></radialGradient></defs><g class="cls-4"><g id="Layer_2"><g id="Icon_macOS"><rect class="cls-1" width="128" height="128"/><path id="Background" class="cls-3" d="M63.9999,24.1601c-21.9679,0-39.84,17.8721-39.84,39.8399s17.8721,39.8399,39.84,39.8399,39.8399-17.8722,39.8399-39.8399-17.8719-39.8399-39.8399-39.8399Z"/><path id="Lighten_Hole" class="cls-2" d="M63.9998,27.4724c-6.5434,0-11.8668,5.3234-11.8668,11.8668s5.3234,11.8668,11.8668,11.8668,11.8668-5.3235,11.8668-11.8668-5.3234-11.8668-11.8668-11.8668Z"/></g></g></g></svg>