strongbox-password-safe / Strongbox

A KeePass/Password Safe Client for iOS and OS X
https://strongboxsafe.com
GNU Affero General Public License v3.0

[NO ACTUAL BUG] Virtual Hardware Security Key (auto-fill only) recently stopped working #780

Closed unicorn855 closed 1 month ago

unicorn855 commented 1 month ago

Preliminaries I have ensured that:

Versions

On iOS:

Strongbox Version

Describe the bug When attempting to Auto-fill, strongbox complains that my credentials are incorrect (I am using a virtual Hardware key configured for use with auto-fill only). However, when opening the same database 'normally' in strongbox (with the physical hardware key), I can open the database without problems. I have recreated a fresh virtual hardware key with the correct HMAC secret and restarted the iPhone and the issue still persists.

To Reproduce Steps to reproduce the behavior:

  1. Navigate to any password field where auto-fill should fill in credentials.
  2. Attempt to unlock db with virtual hardware key.
  3. Notice error that credentials are incorrect.

Expected behavior Database should unlock given the correct credentials are provided.

Additional context Could this perhaps be related to any changes introduced in the most recent version of KeePassXC? I only noticed this behaviour after updating to version 2.7.8 yesterday (and subsequently refreshing my db file in Strongbox).

Edit: Do you know if disabling virtual security keys is a feature of Apple's Stolen Device Protection? Upon further reflection I remembered turning this on (and setting it to always be enabled) a few days ago (and since then I didn't need to log into anything on the phone, so I might not have noticed).

Edit#2: After disabling Stolen Device Protection, the issue still persists, so this seems unlikely to be related. Also, I just updated to 1.59.10 with no change either.

strongbox-mark commented 1 month ago

That does sound strange, maybe worth completely removing and reinstalling Strongbox. Then re-add your database. Don't think it'll be anything to do with KeePassXC, especially if Strongbox was the last App to save your database with your physical YubiKey.

Also, are you using a key file?

unicorn855 commented 1 month ago

Good morning! Well, I wasn't saving my db in strongbox last, I just opened it there and that worked fine with the physical yubikey while it didn't work with the virtual key. I was last saving the db in the current version of KeePassXC, and since doing that, I didn't need to auto-fill until yesterday, so I just noticed the issue yesterday. I have never used a key file with this db. The thing which has me puzzled is, why is this happening now when it was working perfectly fine before? I updated strongbox on an older iPad as well and there it's working fine but this still has an older version of my database (one I didn't save in the latest version of KeePassXC). Thank you for the suggestion though, I'll backup all my databases and remove/reinstall strongbox, then recreate the virtual hardware key and see if that helps :-) Will removing and reinstalling cause issues with my license or will it find that again automatically btw?

Edit: I will first make/save changes to the database in strongbox and test if I can then open/use this version with the virtual hardware key.

Edit #2: Very curiously, after making a random change in my database (adding a note to an entry) and then saving it in strongbox, opening the database with the auto-fill virtual hardware key works perfectly fine again. So, whatever causes this seems to be related to any changes made to KeePassXC in either of the last two versions, hmmmm 🤔

Do you think I should reference this here issue with them or do I better open a new issue over at their own GitHub repo?

Either way, thanks for the swift reply and idea :-)

Have a good rest of your week/long weekend! 👍👍

strongbox-mark commented 1 month ago

Oh that's very very strange, I don't even know if that's possible in principle... Are you 100% sure about the KeePassXC interaction causing this? I'd triple check that (make sure you're working with the latest version of the database if you're using a remote cloud/server sync) before raising it on their side. I haven't checked the release notes for KeePassXC, but you could check to see if they mention anything YubiKey related.

Have a great weekend too!

unicorn855 commented 1 month ago

Well, I am using OneDrive to synchronise my database and after this morning's edit via Strongbox, I refreshed the OneDrive connection to make sure I am pulling this morning's version of the db on all devices before testing auto-fill/virtual hardware key unlocking on an iPad and it worked there as expected. Also I checked the release notes for version 2.7.7 and 2.7.8 for KeePassXC, with 2.7.7 mentioning adding a hot plugging functionality for usb security keys as well as various passkey-related changes. I therefore assume that some of those changes cause a breakage to happen somewhere. Interestingly, this only concerns the virtual hardware keys, not the actual physical keys and it only happens with dbs saved in either of those two version numbers of KeePassXC, curious. 🤨 Perhaps I should open a general issue over at the KeePassXC repository and see if someone there has ideas to then develop a solution/provide input as needed :-)

strongbox-mark commented 1 month ago

Thanks @unicorn855 - When you say it only happens with 2.7.7 and 2.7.8, does that mean you've tried the same experiment with say 2.7.6 or earlier and you can't reproduce the issue?

I am trying to imagine how this could be possible and I'm coming up blank. The Virtual Hardware Key just executes an HMAC-SHA1 in the very same way as your physical YubiKey so there should be no difference.

BTW, just to answer your other questions, your license will restore automatically as long as you use the correct Apple ID. This is extremely unlikely to have anything to do with Stolen Device Protection. It's also very unlikely to have anything to do with KeePassXC Passkey changes, these would be a layer above the database encryption.

I just want to make sure you're not making any mistakes in your experiments before I can dedicate some time to this. So, please be 100% sure you're using the right database and KeePassXC versions etc. Double check the mod date on your database file every time so it's not a sync issue.
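
An added illustration of the point above, not code from Strongbox or KeePassXC: a virtual key and a YubiKey slot programmed with the same secret both compute HMAC-SHA1 over the challenge, so given the same challenge they must agree. The response only changes when the challenge changes (for example a database re-saved with a fresh header seed, which is an assumption about where the challenge comes from) or when the secret as entered differs from the one programmed into the hardware. The 20-byte secret, the 32-byte challenge and the spaced hex are constructed sample values.

```python
import hashlib
import hmac
import secrets

# Constructed sample secret, as it might be copied into a virtual key (spaces and
# mixed case are typical transcription noise; not a real slot secret).
TYPED_SECRET_HEX = "0F1E 2D3C 4B5A 6978 8796 A5B4 C3D2 E1F0 0F1E 2D3C"

# Constructed sample challenge standing in for a database header seed.
SAMPLE_CHALLENGE = bytes(range(32))


def parse_secret(hex_text: str) -> bytes:
    """Turn an operator-typed hex secret into the 20 key bytes a YubiKey slot holds."""
    key = bytes.fromhex("".join(hex_text.split()))
    if len(key) != 20:
        raise ValueError(f"HMAC-SHA1 slot secret must be 20 bytes, got {len(key)}")
    return key


def key_response(secret: bytes, challenge: bytes) -> bytes:
    """What either key does: HMAC-SHA1 keyed with the slot secret over the challenge."""
    return hmac.new(secret, challenge, hashlib.sha1).digest()


def keys_agree(secret_a: bytes, secret_b: bytes, challenge: bytes) -> bool:
    """True when two keys (virtual and physical, say) answer a challenge identically."""
    return hmac.compare_digest(key_response(secret_a, challenge),
                               key_response(secret_b, challenge))


def diagnose(typed_hex: str, hardware_secret: bytes, challenge: bytes) -> str:
    """Explain a virtual-key mismatch in terms of the only two inputs that matter."""
    try:
        virtual_secret = parse_secret(typed_hex)
    except ValueError as exc:
        return f"secret unusable: {exc}"
    if keys_agree(virtual_secret, hardware_secret, challenge):
        return "virtual and physical key agree for this challenge"
    return "same challenge, different response: the typed secret is not the slot secret"


if __name__ == "__main__":
    programmed = parse_secret(TYPED_SECRET_HEX)
    print(diagnose(TYPED_SECRET_HEX, programmed, SAMPLE_CHALLENGE))
    # Re-saving a database changes the challenge, and so the response, for both keys.
    resaved = secrets.token_bytes(32)
    print(key_response(programmed, SAMPLE_CHALLENGE).hex() != key_response(programmed, resaved).hex())
    print(diagnose(TYPED_SECRET_HEX.replace("0F", "1F", 1), programmed, SAMPLE_CHALLENGE))
```

The RFC 2202 HMAC-SHA1 test vectors are a quick way to confirm that a software key is computing the same function as the hardware.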

unicorn855 commented 1 month ago

Hi @strongbox-mark ,

Since KeePassXC doesn't let me downgrade versions, I can't test to see if this problem is reproducible in earlier versions of the program once the database has been saved in either 2.7.7 or 2.7.8. However, I am reasonably certain the problem is connected to either of those versions because it never happened before at all, and I am continuously unlocking/auto-filling my database basically daily. Also, I am sure it's not a sync issue because I keep checking the modification date on the database file to make sure I use the current one. Hmmm 🤔

strongbox-mark commented 1 month ago

Thanks. Are you able to verify this on say a brand new database that you create? I will try to take a look in the coming weeks if so.

unicorn855 commented 1 month ago

Interestingly, a database freshly created in the most recent version of KeePassXC opens without issues when using the virtual hardware key. I am not sure what's going on here but perhaps there was a sync issue with OneDrive before, where it would not write correctly (but then, why did that potentially partly corrupted db open fine with the physical hw key?). I will make a few more changes to my original db and see if it keeps working fine and edit this comment with the results :-)

Edit: Everything keeps working fine so far, very strange indeed 🤔 perhaps I just needed to refresh my OneDrive session, but wouldn't strongbox give any indication if a database was broken/corrupted?

strongbox-mark commented 1 month ago

Very very hard to say what's up here, but in the absence of other reports and your current experience it could be any kind of Heisenbug/regular bug or some kind of weird stale sync issue. We always need to be able to regularly reproduce an issue before we can fix it.

unicorn855 commented 1 month ago

Heh, who knows, but at least it's a good thing everything works as expected again :-) Thanks again for taking the time to look at/read through all this anyway 👍👍