github paolostivanin/OTPClient v4.4.0

latest release: v4.4.1
5 hours ago

New Features

  • Add cross-desktop search provider for GNOME Shell and KDE Plasma 6 (KRunner). OTP codes are displayed directly in search results and copied via system notification on activation. Can be toggled in settings.
  • Add --password-file CLI option to read the password from an external file instead of stdin (thanks @kouta-kun)

Security

  • Harden CLI password input: use read() with gcry_calloc_secure instead of fgets() to prevent password remnants in libc internal buffers. Disable all terminal echo modes and restore state via TCSAFLUSH.
  • Fix under-allocation of secure password buffer for multibyte UTF-8 passwords (g_utf8_strlen returns character count, not byte count)
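
The two fixes above, sketched as an added example (not OTPClient's code): a read()-based password reader that disables echo and restores the terminal with TCSAFLUSH, run against a multibyte password to show why a buffer sized from the character count is too small. Assumptions: read_password, utf8_chars, wipe and demo_len are hypothetical names, utf8_chars stands in for g_utf8_strlen, and the caller-supplied buffer stands in for memory from gcry_calloc_secure.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <termios.h>
#include <unistd.h>

/* Character count as g_utf8_strlen reports it: UTF-8 continuation bytes are skipped. */
size_t utf8_chars(const char *s) {
    size_t n = 0;
    for (; *s; s++) n += ((unsigned char)*s & 0xC0) != 0x80;
    return n;
}
static void wipe(void *p, size_t n) { volatile unsigned char *v = p; while (n--) *v++ = 0; }

/* Read one line from fd into caller-owned buf (cap bytes) with read() only, so no copy
 * lingers in a stdio buffer. Returns the byte length, or -1 on error or overflow. */
ssize_t read_password(int fd, char *buf, size_t cap) {
    struct termios saved = {0}, quiet;
    size_t len = 0; ssize_t r; char c;
    if (cap == 0) return -1;
    int tty = isatty(fd) && tcgetattr(fd, &saved) == 0;
    if (tty) {
        quiet = saved;
        quiet.c_lflag &= ~(tcflag_t)(ECHO | ECHOE | ECHOK | ECHONL);
        if (tcsetattr(fd, TCSAFLUSH, &quiet) != 0) return -1;
    }
    while ((r = read(fd, &c, 1)) == 1 && c != '\n') {
        if (len + 1 >= cap) { r = -1; break; }   /* no room for this byte plus NUL */
        buf[len++] = c;
    }
    if (tty) tcsetattr(fd, TCSAFLUSH, &saved);   /* restore state, drop unread input */
    if (r < 0) { wipe(buf, cap); return -1; }
    buf[len] = '\0';
    return (ssize_t)len;
}

/* Constructed demo: send `line` through a pipe and read it into a cap-byte buffer. */
ssize_t demo_len(const char *line, size_t cap) {
    int p[2]; char buf[64];
    if (cap > sizeof buf || pipe(p) != 0) return -1;
    ssize_t w = write(p[1], line, strlen(line));
    close(p[1]);
    ssize_t n = (w < 0) ? -1 : read_password(p[0], buf, cap);
    close(p[0]);
    return n;
}
int main(void) {   /* constructed input "päss": 4 characters, 5 bytes */
    printf("sized by chars: %zd\n", demo_len("p\xC3\xA4ss\n", utf8_chars("p\xC3\xA4ss") + 1));
    printf("sized by bytes: %zd\n", demo_len("p\xC3\xA4ss\n", strlen("p\xC3\xA4ss") + 1));
}
```

The reader refuses the password when the buffer is sized from the character count; code that copied without that bounds check would write past the end of the allocation instead.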

Bug Fixes

  • Fix copy-paste bug in Authenticator Pro export: "issuer" key was read instead of "label" when building the Username field
  • Fix secure-memory leak in get_otpauth_data: g_file_get_contents overwrote a gcrypt secure-buffer pointer with non-secure memory
  • Fix g_utf8_strdown() memory leak in URI parsing
  • Fix silent guint8 truncation of period/digits values; now validated with range checks
  • Add missing g_set_error() on five error paths in Aegis encrypted backup import
  • Fix salt and key_nonce leak on kdf_derive failure in Aegis export
  • NULL-guard json_string_value() results across URI parsing, Authenticator Pro, and Aegis modules
  • Unify hash type to guint32 in database layer (was mixing guint/guint32, potential issue on ILP64 platforms)
  • Remove duplicate json_object_set() for "secret" key in build_json_obj
  • Replace VLA stack buffers (salt, iv, tag) with heap allocations in get_data_from_encrypted_backup
  • Fix search provider: add missing gcrypt initialization, fix memory leaks, eliminate redundant Argon2id+AES256-GCM cycle in result activation
  • Improve --password-file error handling and terminal detection

Refactoring

  • Modernise application and window layer to GTK idioms: G_DECLARE_FINAL_TYPE, GtkEventControllerKey, configure-event for window-size tracking, proper dispose() for builder ownership
  • Split monolithic activate() into resolve_db_path(), load_db_with_password(), setup_ui_and_timers()
  • Extract config-misc.c/h utility module from window code

Build

  • Breaking: minimum libcotp version bumped to >= 4.0.0 (enum prefix change: SHA1 -> COTP_SHA1, etc.)
  • Improve CMakeLists.txt structure

sha256: 2cfe07aa00eb7f6280fd1e19d0448a448700b2707f1554c2d0ddead993d824a8
