Passbolt release notes, find out what's new.

v1.6.7 ~ Superstition

Release date: October 13, 2017.

This release ships with a fix for a medium-level vulnerability found by Juan Wajnerman. Your web extension will be updated automatically unless you have disabled updates (you shouldn’t).

This vulnerability was introduced by a feature that allowed users to continue the setup even if they closed the browser window. While it improved the user experience, the tradeoff of this feature is that all information collected during setup (including the passphrase if the user generated a key) is leaked in the browser local storage until the setup is completed and the data flushed. An attacker with privileges on the file system could capture the passphrase during the setup using this method. In all fairness, if an attacker has access to the file system, the user probably has more problems at hand.

Security and usability are always a fine balance to reach. In this case we decided that the usability benefits do not outweigh the security considerations, and removed the feature in order to reduce information leakage.
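A regression check for this class of leak, scanning a snapshot of persisted extension storage for passphrase-like fields and armored private keys. This is an added example, not passbolt's code; the storage layout, key names and sample values are constructed, since the page does not show the real ones.

```javascript
// Added example (not passbolt code). Key names and sample data are constructed.
const ARMORED_PRIVATE_KEY = /-----BEGIN PGP PRIVATE KEY BLOCK-----/;
const SENSITIVE_NAME = /pass(phrase|word)|secret|private.?key/i;
const MAX_DEPTH = 16;

// `snapshot` is a plain object holding everything the extension has persisted,
// for example the items returned by chrome.storage.local.get(null) or a copy
// of window.localStorage.
function findSecretsInStorage(snapshot) {
  const findings = [];

  function visit(value, path, depth) {
    if (depth > MAX_DEPTH || value === null || value === undefined) return;

    if (typeof value === 'string') {
      const text = value.trim();
      // localStorage only holds strings, so nested state is usually JSON text.
      if (text.startsWith('{') || text.startsWith('[')) {
        let decoded;
        let isJson = false;
        try {
          decoded = JSON.parse(text);
          isJson = true;
        } catch (err) {
          // Not JSON after all: inspect it as plain text below.
        }
        if (isJson) {
          visit(decoded, path, depth + 1);
          return;
        }
      }
      if (ARMORED_PRIVATE_KEY.test(text)) {
        findings.push({ path, reason: 'armored private key' });
      }
      return;
    }

    if (typeof value === 'object') {
      for (const [name, child] of Object.entries(value)) {
        const childPath = path ? `${path}.${name}` : name;
        const hasValue = child !== null && child !== undefined && child !== '';
        if (SENSITIVE_NAME.test(name) && hasValue) {
          findings.push({ path: childPath, reason: 'sensitive field name' });
        }
        visit(child, childPath, depth + 1);
      }
    }
  }

  visit(snapshot, '', 0);
  return findings;
}

// Distinct storage paths that hold something sensitive, sorted for stable output.
function flaggedPaths(snapshot) {
  return [...new Set(findSecretsInStorage(snapshot).map((f) => f.path))].sort();
}

// Constructed snapshot: setup state parked in storage part-way through setup.
const DURING_SETUP = {
  setup: JSON.stringify({
    stage: 'generate_key',
    user: { username: 'ada@example.test' },
    key: {
      passphrase: 'constructed-passphrase',
      privateKeyArmored:
        '-----BEGIN PGP PRIVATE KEY BLOCK-----\n(constructed placeholder)\n-----END PGP PRIVATE KEY BLOCK-----',
    },
  }),
};

// Constructed snapshot: only non-sensitive configuration is persisted.
const AFTER_SETUP = {
  config: JSON.stringify({ domain: 'https://passbolt.example.test', firstname: 'Ada' }),
};

console.log(flaggedPaths(DURING_SETUP));
console.log(flaggedPaths(AFTER_SETUP));
```

Run against a storage snapshot taken at each setup step, an empty result is the condition the fix is meant to guarantee.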

You can learn more about the issue here. A big thanks to Juan Wajnerman for his report!

Browser extension

  • PASSBOLT-2455: Fix setup should not use browser storage to temporarily store private key.
  • PASSBOLT-2452: Fix broken template on stage0 missing server key.

"Superstition ain't the way"

v1.6.6 ~ Relight My Fire

Release date: October 2, 2017.

With this release the passbolt extension drops the old Firefox SDK and switches to a native web extension. While it took the team a little bit more time than planned to migrate, this new architecture offers advantages in terms of performance and security.

We also used the occasion to fix two small issues, including one reported by Tomasz Kontusz. Our main focus now is the finalization of the migration to Cakephp version 3. The next release will end this maintenance cycle and allow us to focus on new features.

Thank you for your patience and support!

Browser extension

  • PASSBOLT-2419: Remove FF legacy extension support
  • PASSBOLT-2423 / GITHUB-175: Fix missing template when recovering an account
  • PASSBOLT-2425: Fix Chrome 61 parsing issue with minified version of jquery

"Turn back the time to the days when our love was new"

v1.6.5 ~ September

Release date: September 14, 2017.

This release ships with an important bug fix for a severe vulnerability found by security researcher Sumit Sahoo. Please update your passbolt production instance(s) if any.

Because of this vulnerability, a malicious member of your organization could craft a resource URL and share it with one or more victims on the same passbolt instance. By clicking on the malicious URL, the victim will run arbitrary JavaScript defined by the attacker. This can lead to data integrity or availability issues. The confidentiality of passwords and the private key is not affected since they live in a separate JavaScript sandbox (e.g. the browser web extension). You can learn more about it in the CVE report.
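A general defence for a user-supplied URL field that is rendered as a clickable link, in the spirit of the PASSBOLT-2402 and PASSBOLT-2409 entries listed below. This is an added example, not passbolt's code or its actual fix; the function names and the http/https allow-list are assumptions.

```javascript
// Added example (not passbolt code). Function names and the scheme
// allow-list are assumptions made for illustration.
const ALLOWED_SCHEMES = new Set(['http:', 'https:']);
const MAX_URI_LENGTH = 1024; // matches the resource URI limit in the v1.2.0 notes

const HTML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ENTITIES[c]);
}

// Returns the normalised href when the URI may be made clickable, else null.
function safeHref(uri) {
  if (typeof uri !== 'string' || uri.length > MAX_URI_LENGTH) return null;
  let parsed;
  try {
    // The WHATWG parser lower-cases the scheme and drops the leading
    // whitespace, tabs and newlines that browsers also ignore, so the check
    // below sees the same scheme the browser would act on.
    parsed = new URL(uri);
  } catch (err) {
    return null; // relative or malformed input: show it as text only
  }
  if (!ALLOWED_SCHEMES.has(parsed.protocol)) return null;
  // Emit the parsed form, so what was validated is what gets rendered.
  return parsed.href;
}

// Renders the URI as a link only when it passed validation. The link opens in
// a new tab without handing the new page a window.opener reference.
function renderResourceUri(uri) {
  const label = escapeHtml(uri);
  const href = safeHref(uri);
  if (href === null) return `<span class="uri">${label}</span>`;
  return `<a class="uri" href="${escapeHtml(href)}" target="_blank" rel="noopener noreferrer">${label}</a>`;
}

// Constructed sample values.
const SAMPLE_URIS = [
  'https://intranet.example.test/login',
  ' JaVaScRiPt:void(0)',
  'data:text/html,<b>x</b>',
  'intranet.example.test',
  'https://example.test/?q="><img src=x>',
];

function renderAll(uris) {
  return uris.map(renderResourceUri);
}

for (const html of renderAll(SAMPLE_URIS)) console.log(html);
```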

This release also improves the health check by adding detection of installation errors such as permission issues in the cache folders or testing the GPG setup with encryption and decryption operations. This release also includes some more improvements on the validation rules.

We are also glad to announce that the Firefox plugin 1.6.5 will be the last legacy version (with an embedded webextension to enable data migration). It is available on the stable channel for install.

If you were using the Firefox plugin that was distributed on the dev channel, you can shift back to the stable channel by deactivating your current plugin and enabling the stable version.

A special thanks to Phillip and Erosman from Mozilla addon review team for their help in reviewing this plugin, and to Sumit Sahoo for the vulnerability report.

Passbolt API

  • PASSBOLT-2383: Add + and \ to the list of allowed characters for the Resource fields: name, username and description
  • PASSBOLT-2371: Force the charset of the cake_sessions table in utf8
  • PASSBOLT-2325: As system administrator I shouldn't be able to execute passbolt CLI commands as root
  • PASSBOLT-2397: As system administrator I should see in the healthcheck if app/tmp content and app/webroot/img/public content are writable
  • PASSBOLT-1991: As system administrator I should see in the healthcheck if the server key can be used for encrypting/decrypting
  • PASSBOLT-2409: Noopener on resource url in password workspace
  • PASSBOLT-2402: XSS on resource url in password workspace

Browser extension

  • PASSBOLT-2386: Fix login message
  • PASSBOLT-2386: Fix group edit / resource share as per amo reviewers
  • PASSBOLT-2386: Mark legacy addon as compatible with multiprocess
  • PASSBOLT-2386: Implement amo reviewers recommendations
  • PASSBOLT-2386: Remove data/js/debug from non debug builds version

"While chasing the clouds away"

v1.6.4 ~ Give Me The Night

Release date: August 31, 2017.

This small maintenance release limits the number of web accessible resources in the plugin, as suggested by the Mozilla addon reviewers, and includes some other code cleanup in the plugin related to JavaScript promises.

Thanks to the Mozilla addon review team for their suggestions for this release.

Passbolt API

  • PASSBOLT-2358: As a user registering on the demo instance I must click on a checkbox to confirm I understand the disclaimer

Browser extension

  • PASSBOLT-2344: Remove content scripts from web accessible resources
  • PASSBOLT-2352: Webextension should not use defer, use native promise instead
  • PASSBOLT-2350: Move grunt-passbolt-ejs-template-compile as node module
  • PASSBOLT-2370: Plugin upgrade openpgpjs to 2.5.10

"Because there's music in the air"

v1.6.3 ~ Feeling Good

Release date: August 21, 2017.

This maintenance release fixes the github issue #124 that affected organizations with large user base. With this fix it is now possible to share a password with more than 200 users.

fig. sharing password with 300 users (screenshot of the encrypt progress dialog)

This version also contains a small but valuable user experience improvement for administrators: users that have not completed the setup will be shown in the workspace as 'Activation pending'. It becomes easier for administrators to organize a follow up when on-boarding new collaborators.

fig. users pending activation (screenshot of the user workspace with inactive users)

As suggested by the Mozilla addon reviewers we also removed the need for the 'unsafe-eval' content security policy directive, in order to tighten security even further in the web extension. This does not mean that the previous versions had known security issues, since we used eval to render the EJS templates in a safe fashion already (e.g. EJS escapes the variables by default to prevent XSS attacks). Still, we are committed to taking every possible step to improve passbolt security.

Thank you to @erosman from Mozilla addon review team, @tomofumi0003, and Helder Martin for their suggestions and contributions to this release.

Passbolt API & Extension

  • PASSBOLT-2282: As admin on the user workspace I can see which users have not completed the setup
  • PASSBOLT-2316: Merge the selenium & phpunit dummy data sets
  • PASSBOLT-2317: Speed up dummy secret creation task
  • PASSBOLT-2327: Add a large set of dummy data for performance testing

Browser extension

  • PASSBOLT-2269: As LU I can encrypt a secret for more than 200 people #GITHUB-124
  • PASSBOLT-2318: Remove unsafe-eval from CSP
  • PASSBOLT-2318: Precompile EJS templates using grunt-passbolt-ejs-compile task
  • PASSBOLT-2346: Plugin upgrade openpgpjs to 2.5.9

"Sleep in peace when day is done: that's what I mean..."

v1.6.2 ~ BoomBoom

Release date: August 12, 2017.

This release is a maintenance release, with a few bug fixes and some additional settings to manage email notifications.

The bulk of the work for this release was the migration for Firefox, from the soon-to-be deprecated SDK plugin format to the new webextension format. Quite a bit of work went into upgrading the selenium test suite and providing a fully transparent data migration from the old to the new format. This is why this version is still running as a “legacy” plugin, with all the code embedded as a webextension, to make sure users have nothing to do to migrate. However, please make sure your users upgrade to this version this month, otherwise they may need to perform an account recovery with the next version. Fret not, because unless they have disabled automatic updates, the only thing Firefox users need to do to update is to have the browser running.

As a passbolt instance administrator, you can find new settings to manage email notifications in config/default.php under EmailNotification. If you want to override the defaults you can copy/paste them to your own app.php configuration. With these settings you can, for example, disable notifications when a user is added to a group, or when a password is deleted. They also allow you to change the content of the notification and hide the username and/or the encrypted secret.

Thank you to @bluenetinc, @poeticode and @technogenus for their suggestions and contributions to this release.

Unless there is an issue with the 1.6.2, our next API release will be version v2.0, with an upgrade to Cakephp v3.

Passbolt API & Extension

  • PASSBOLT-2270: Fix modified_by not set on resource edit regression
  • PASSBOLT-2271: Fix no wrap issue on resource description
  • PASSBOLT-2284: GITHUB-98: As an administrator I can set which notifications are enabled for my organization
  • PASSBOLT-2284: GITHUB-114: As an administrator I can prevent encrypted secret or username to be sent in email notifications
  • PASSBOLT-1943: As an administrator I should not be able to install passbolt on a hostname that is not RFC3986 compliant
  • PASSBOLT-1937: As an administrator I should not be able to install passbolt with a server key without an email id
  • PASSBOLT-2002: Refactor install script to reuse healthcheck library
  • PASSBOLT-2301: GITHUB-142: Remove additional slashes in passbolt.js urls such as model/users::find

Browser extension

  • PASSBOLT-2198: Migrate from Firefox legacy SDK to embed/native webextensions
  • PASSBOLT-2254: Add log system to grab selenium tests traces
  • PASSBOLT-2210: Update Grunt build tasks
  • PASSBOLT-2200: Update to OpenPGP.js version 2.5.8
  • PASSBOLT-2069: Update to JQuery version 3.2.1
  • PASSBOLT-2248: Migrate from window.localStorage to chrome.storage on chrome
  • PASSBOLT-2283: Migrate from simplestorage to chrome.storage on firefox

"When ya walk that walk"

v1.6.1 ~ Fresh

Release date: July 26, 2017.

Thanks to this new release it is now possible to filter passwords by groups. It becomes easier to see which passwords belong to which groups. Of course, to see the groups in the sidebar, one will first need to be part of that group.

Similarly, in the user workspace, it is now possible to see which groups a user is a member of in the right sidebar, when selecting a collaborator. Two new email notifications have been implemented: when your role in a group changes, or, if you are the group manager, when a user is deleted.

fig. group filters on the user workspace

This release also introduces a series of small improvements requested by the community, mostly to relax the validation rules for the password username and descriptions fields. And, of course, a small batch of bug fixes.

We have also updated the product roadmap page to give some more details about the projected delivery dates. We are currently working on the firefox addon to implement the new web extension standard, as well as upgrading the underlying framework of the API.

Thanks to ftx and rguillome for their contributions, and to chenz67r, lcpdn, mikemix, wishmedia and glebaccon for their suggestions for improvements.

Even though this is a minor version there is a small optional migration script that you can run to fix anonymous statistics. Please check out the relevant online help section for more information on how to perform this operation.

Passbolt API & Extension

New features

  • PASSBOLT-2147: As a group member I should receive a notification when my role in the group has changed
  • PASSBOLT-2148: As a group manager I should receive a notification when a user who is part of one (or more) groups I manage is deleted
  • PASSBOLT-2133: As LU I should be able to filter passwords by group on the passwords workspace
  • PASSBOLT-2012: As a user I can see which groups a user is a member of from the sidebar

Fixed bugs & cleanups

  • PASSBOLT-2225: As a demo user it should be explicit that I need to use a throwaway email account
  • PASSBOLT-2171: The group list component should be marked as ready once the API request is completed
  • PASSBOLT-2172: Newly added group manager shouldn't receive the group update summary notification
  • PASSBOLT-2174: Edit group dialog should be marked as ready if an admin edit a group the admin is not group manager
  • PASSBOLT-2155: As AD I shouldn't be able to delete a user if the user is the sole group manager of a group
  • PASSBOLT-2075: Users should be removed from the groups they are member of after a soft delete operation
  • PASSBOLT-1934: GITHUB-40, GITHUB-120: As a user I should be allowed to add an LDAP path as username
  • PASSBOLT-2156: GITHUB-94: As a user I should be allowed to add text in JSON format in the description
  • PASSBOLT-2122: GITHUB-85: Username should be Minimum 1 characters in length (and not 3)
  • PASSBOLT-2180: GITHUB-85: As a user I should be allowed to add a space in a resource username
  • PASSBOLT-2125: GITHUB-86: As a logged in user creating/editing a password I should be able to use new line characters in the description
  • PASSBOLT-2188: As LU when I search for a user it shouldn't make an API request
  • PASSBOLT-2234: As newly added GM I shouldn't receive the group update summary when I'm just added as GM
  • PASSBOLT-2235: As AD editing a group the dialog shouldn't be marked as ready until the members list is loaded
  • PASSBOLT-2105: Anonymous statistics: fix "Warning Error: file_put_contents" issue at installation
  • PASSBOLT-2005: PR#44: Update allowed characters in a uri

"She'll take you by surprise"

v1.6.0 ~ Let's groove

Release date: June 21, 2017.

This release is mainly about shipping some of the missing "groups" features such as the email notifications. You will also find a few bug fixes, and an improvement in the default email configuration for those of you who use TLS authentication.

It was also the occasion to update our docker container. We fixed a few bugs and added email support.

A big thanks to all of you who tested and reported bugs for this release, especially Klugemara and Tomasz Kontusz.

How to upgrade: this version requires your passbolt instance administrator to run a migration script. Please check out the relevant online help section for more information on how to perform this operation.

Passbolt API & Extension

New features

  • PASSBOLT-2099: As a user I should receive a notification when I am added to a group
  • PASSBOLT-2100: As a user I should receive a notification when I am deleted of a group
  • PASSBOLT-2102: As a group manager I should receive a notification when another group manager added a user to a group I manage
  • PASSBOLT-2103: As a group manager I should receive a notification when another group manager removed a user from a group I manage
  • PASSBOLT-2140: As a group manager I should receive a notification when another group manager changed the role of a user of a group I manage
  • PASSBOLT-2138: The TLS parameter should be part of the default email configuration

Fixed bugs & cleanups

  • PASSBOLT-2044: As an admin I shouldn’t be able to delete a user who is the sole owner of passwords shared with others
  • PASSBOLT-2078: As GM/AD I shouldn't be able to add a user who didn't complete the registration process to a group I edit/create
  • PASSBOLT-2111: As an admin I should be able to install passbolt under mydomain.tld/passbolt
  • PASSBOLT-2142: As an admin I should not see multiple ASCII banner when running the install script
  • PASSBOLT-1959: As LU when I unshare a password with a user or a group, associated secrets should be destroyed
  • PASSBOLT-1954: Security: Trackable behavior should override created_by and deleted_by when provided

Passbolt docker container

New features

  • Added email setup support through environment variables
  • Added cronjob to send queued emails
  • Automated builds on the docker hub

Fixed bugs

  • Image build was failing when using alpine:latest. Switched to alpine:3.5
  • Deletion of passwords on docker image
  • Avoid importing already imported secret keys on the gpg keyring

"Share the spice of life."

v1.5.1 ~ Grapevine

Release date: May 23, 2017.

With this release we are very pleased to announce the beginning of the groups feature support in passbolt. You can learn more about it in the dedicated blog post or the summary below.

How to upgrade: this version requires your passbolt instance administrator to run a migration script. Please check out the relevant online help section for more information on how to perform this operation.

Prior to this version, users needed to be added one by one when sharing a password. Because there was no group support functionality, if you were working with a lot of collaborators, the exercise was quite time consuming. This new release finally solves this pressing issue.

fig. sharing a password with a group (groups screenshot)

We also used this opportunity to do some much needed cleanup on our API and refactor some parts of the code. We also fixed a few bugs and improved the health check, which is now accessible from the command line.

$ ./app/Console/cake passbolt healthcheck

A big thanks to Virtua, for their generous sponsorship of this release. We’d also like to thank the other community members who dedicated some of their time to help: Didier Raboud, Zákaznícka Podpora, Peter Brilla, David Ducatel, Julien Guerder and Laura Hilliger.

Passbolt Extension & API (v1.5.0 / v1.5.1)

New features

  • PASSBOLT-1950: As a user I can see which groups a password is shared with from the sidebar
  • PASSBOLT-1953: As a user I can share a password with a group
  • PASSBOLT-1940: As a user when editing a password for a group, the secret should be encrypted for all the members
  • PASSBOLT-1639: As a user editing a password description in the right sidebar should not get duplicated items in shared with section
  • PASSBOLT-1938: As a user I can browse the list of groups in the groups section of the user workspace
  • PASSBOLT-2000: As a user I can see which users are part of a given group from the sidebar and the users section
  • PASSBOLT-1960: As a user I can see the list of users that are part of the group in the users grid by using the group filter
  • PASSBOLT-1838: As a group manager I can edit the membership roles
  • PASSBOLT-1838: As a group manager I can add a user to a group
  • PASSBOLT-1838: As a group manager I can remove a user from a group using the edit group dialog
  • PASSBOLT-1969: As a group manager I can edit a group from the contextual menu and from the groups sidebar
  • PASSBOLT-1969: As a group manager I can see which users are part of a given group from the group edit dialog
  • PASSBOLT-2000: As a group manager I can see which users are part of a given group from the sidebar and the users section
  • PASSBOLT-2006: As an administrator I can delete a group from the group contextual menu
  • PASSBOLT-1969: As an administrator I can edit a group
  • PASSBOLT-2006: As an administrator I can delete a group
  • PASSBOLT-1955: As an administrator I can create a group using the new button in the users workspace
  • PASSBOLT-1939: As an administrator the healthcheck should be accessible in command line
  • PASSBOLT-1943: As an administrator the healthcheck should tell if not using a proper domain name as base url
  • PASSBOLT-1943: As an administrator the healthcheck should tell if SSL certificate is invalid
  • PASSBOLT-1885: As an administrator the healthcheck should tell if the full base url is not reachable
  • PASSBOLT-1838: Add v1.5.0 migration script
  • PASSBOLT-1881: Add support for groups in the permission system
  • PASSBOLT-1952: Add support for groups in the fixtures
  • PASSBOLT-1928: Deploy styleguide with groups support

Fixed bugs & cleanups

  • PASSBOLT-1908: Fix memory leak with openpgp webworker initialization
  • PASSBOLT-2070: Delete unused code / exclude external libs from coverage
  • PASSBOLT-2071: Drop exec bits from files which don’t need them (@OdyX GITHUB-67)
  • PASSBOLT-2073: As AP I should see a warning on the login page if the plugin and the api are not compatible
  • PASSBOLT-2029: PHP7 compatibility, fix deprecated cakePHP String class calls (@leomazzo GITHUB-64)
  • PASSBOLT-2074: Delete confirmation dialogs should fit the latest styleguide
  • PASSBOLT-1614: Abstract user/password grid functions into the mad framework grid library
  • PASSBOLT-1571: API query string filters: better naming conventions and implementation
  • PASSBOLT-1915: Remove legacy references related to old user passwords
  • PASSBOLT-1761: Remove legacy references to throttle login
  • PASSBOLT-1268: Remove legacy dictionary controller
  • PASSBOLT-1268: Use exceptions instead of message component errors and misc refactoring
  • PASSBOLT-2036: Fix travis database configuration issue
  • PASSBOLT-2037: Schema should allow resources fields username and uri to be null
  • PASSBOLT-2038: Travis support for PHP 5.4.

"I heard it through the grapevine..."

v1.4.0 / v1.4.3 ~ Cry to Me

Release date: February 16, 2017.

As you may have noticed, this release was interrupted by the incident related to the release of Chrome v56 that made the passbolt extension unstable. You can read more about it in the incident report. The situation is under control thanks to a series of fixes, even though we are still looking forward to a long term fix from the Chromium team.

Apart from this, this release is mostly here to ease the groups feature rollout and fix the bugs reported by the community. Some notable changes: MySQL v5.7 is now supported natively without any configuration tweaks. You can also now create an account with the same username as an account that was previously deleted, and use GPG keys that contain multiple identities. This release requires your database schema to be updated (see the update process in the documentation).

A big thank you to all of you who helped us test for this release, especially Thomas Oberndörfer from Mailvelope, and Bart Butler from Proton Mail for helping us out with the Chrome v56 crash issue.

Passbolt Extension (v1.4.3)

Fixed bugs

  • PASSBOLT-1909: updated openpgpjs to latest version: 1.3.7. (@pomarec GITHUB-11)
  • PASSBOLT-1905 / PASSBOLT-1907: Temporary fixes for chrome 56 crash bug.
  • PASSBOLT-1850: Minor spelling and grammar fixes (@colin-campbell GITHUB-5)
  • PASSBOLT-1807: Fix parsing issues with keys that have multiple identities

Passbolt API (v1.4.0)

Fixed bugs & cleanups

  • PASSBOLT-1511: removed tracking of config file Config/email.php (@BaumannMisys GITHUB-34)
  • PASSBOLT-1835: As a user I should be able to create an account with the same username as an account that was previously deleted (@bestlibre GITHUB-33)
  • PASSBOLT-1646: Permissions views and queries do not work with Mysql57 / only_full_group_by enabled (GITHUB-20)
  • PASSBOLT-1863: Remove references to legacy features Category and Tags
  • PASSBOLT-1883: Fix wrong usage of the permission entry point viewByAco
  • PASSBOLT-1887: Remove the entry point PermissionController::simulateAcoPermissionsAfterChange
  • PASSBOLT-1886: Remove the controller component PermissionHelperComponent
  • PASSBOLT-1888: Remove the model behavior function PermissionableBehavior::getUsersWithAPermissionSet
  • PASSBOLT-1889: Remove references to legacy models and tables (AuthenticationLogs, AuthenticationBlackList, Email, Address, PhoneNumber)
  • PASSBOLT-1890: Clean the Permission model validation functions & augment coverage
  • PASSBOLT-1894: Reorganize ACL models tests
  • PASSBOLT-1896: Remove references to legacy permission types CREATE and DENY

"You don't ever have to walk alone."

v1.3.2 ~ Short Change Hero

Release date: January 16, 2017.

Participate in the design review!

We are very pleased to share with you wireframes for the groups feature (also called team management functionality). We invite you to have a look at the blueprints on medium, and then complete a short survey. Your feedback is very valuable to us: it will help ensure this new major improvement will fit the needs of most passbolt users.

In other news, we also have a very small release for you, with two bug fixes. We have removed the limit on the passphrase size. You can now create a master password that is longer than 50 characters.

A big thanks to all of you who tested and reported bugs for this release, especially Paul Sanders & Josh Belden.

Icon credit: remix from "teamwork" by Creative Stall CC BY-SA

Passbolt API & Extension

Fixed bugs

  • PASSBOLT-1827: As a user I should be able to log in with a passphrase longer than 50 chars in length.
  • PASSBOLT-0811: Error message look and feel is not consistent on register and recover screens.
  • PASSBOLT-1809: As a developer I should be able to generate the chrome zip distribution file.

"This ain't no place for no hero."

v1.3.1 ~ The World

Release date: January 3, 2017.

What better way to start 2017 than with a maintenance release? You guessed it, this new year release is mainly about bug fixes. We also upgraded the API to the latest CakePHP version (v2.9.4) as well as the associated modules, which will improve even further the compatibility of passbolt with PHP v7.

Also, not listed here, we started working on the specifications for the group/team feature. We hope to share this document for your input in the coming weeks, before we start building.

Thank you all for your continued support, especially all of you who reported bugs: @K0n24d, Chad, Kyle, Travis, Amos, Nicolas, Dave, @Patpr0.

Have a great 2017!

Passbolt API

Fixed bugs & new features

  • PASSBOLT-1758 As LU sharing a password I should be able to filter users based on first name and last name
  • PASSBOLT-1779 Remove debug statement
  • PASSBOLT-1585 As AN I should be allowed to register if my lastname or firstname are 2 chars in length
  • PASSBOLT-1783 Form validation and translation: malformed error messages
  • PASSBOLT-1619 As AP I should not be allowed to recover my account if I have not completed the setup first
  • PASSBOLT-1767 As a AD installing passbolt I should be told if webroot/img/public is not writable
  • PASSBOLT-1793 Upgrade to CakePHP v2.9.4
  • PASSBOLT-1784 GITHUB-29 PHP7 compatibility issue in migration console tasks
  • PASSBOLT-1790 Fixed update context sent by anonymous usage statistics

Passbolt Browser Extension

Fixed bugs & new features

  • PASSBOLT-1606 Wrong message when auto logged out and passbolt is not the active tab
  • PASSBOLT-1769 Refactor extension bootstrap, prepare code to welcome future features
  • PASSBOLT-1759 Share: autocomplete list will appear even when there is no text entered in the search
  • PASSBOLT-1760 Share: image is broken in the autocomplete list after user has changed it
  • PASSBOLT-1566 Share autocomplete html is not valid
  • PASSBOLT-1778 Simplify toolbarController openPassboltTab function
  • PASSBOLT-1680 Increased the limit to 4096 chars for password field
  • PASSBOLT-1657 As AP I should not be able to complete the recovery process with my public key

"I'm just trying to give you guys the best of my soul. That's all I'm about."

v1.3.0 ~ California Soul

Release date: November 24, 2016.

This release marks the beginning of passbolt support on the chrome browser. You can now download the passbolt extension on the google store. Special thanks to Diego, Lilian and Shruti who helped us test the prototypes!

While we have tried our best to vet the chrome extension thoroughly, some bugs might still be present. Feel free to report them on github or by sending us an email.

Recover an account

Did you know? You can switch from Firefox to Chrome and vice versa using the recover account functionality. Fill up the form with your email address, follow the link, import your private key and you are good to go!

Another change introduced in this release is the anonymous usage statistics. This feature, turned off by default to respect your privacy, will send anonymous usage reports to passbolt.com every time you install or update the API application. These reports are needed to help us get a better sense of the usage of passbolt in the wild.

Our next big step includes locking down the specifications for the group feature. We are also working on organizing an independent code review. If you would like to help us with this, please take a few minutes to nominate passbolt for The Secure Open Source Mozilla program!

Passbolt API

Fixed bugs & new features

  • PASSBOLT-1726 Implement anonymous usage data
  • PASSBOLT-1725 Misc changes for Chrome support
  • PASSBOLT-1721 SSL detection not working in healthcheck (thanks @patpro!)
  • PASSBOLT-1708 Accept JSON data content type for HTTP PUT during setup

Passbolt Browser Extension

Fixed bugs & new features

  • PASSBOLT-1725 Chrome support
  • PASSBOLT-1708 Refactor Request get and post to use fetch

"They had the melody and the beat, but it still didn't seem complete"

v1.2.1 ~ Papa Was A Rolling Stone

Release date: October 19, 2016.

A quick hotfix for a small regression introduced on email validation on the add user screen with v1.2.0. The validation rule was not accepting emails such as a.d@a.org.

This regression was due to compatibility issues between PHP and Javascript regular expression format. We have updated our javascript test suite to make sure it won't happen again.

Our thanks to @silvaireboivert for testing and reporting the issue!

Passbolt API

Fixed bugs

  • PASSBOLT-1719 GITHUB-14 The "." is not allowed in email address field
  • PASSBOLT-1525 Remove unused controllers and components
  • PASSBOLT-1718 Tidy up readme and contribution guidelines

"I never got a chance to see him, never heard nothin' but bad things about him"

v1.2.0 ~ Won't be long

Release date: October 16, 2016.

This release took a little bit more time than expected, because a lot of good things have happened since August. As you may have noticed, passbolt has been selected by Luxinnovation, the Luxembourg public agency for innovation, to take part in their acceleration program. The good news, apart from the project's financial viability in the short term, is that some of us should be moving full time on the project in the next few months.

Regarding improvements on the product side, we focused on the issues you reported on Github, such as allowing the '+' char in the email address field and increasing the size of the URL and description fields. We also fixed a critical bug that occurred during the setup, where the downloaded private keys were actually empty (see side note).

Because of these changes you will need to run a small migration script if you already have v1.1.0 installed and running. Make sure you make a backup before running it! You can find more information below these release notes.

Last but not least, we spent some time on the Chrome plugin project and on structural changes to the Firefox plugin that will allow us to reuse more or less the same code base for both browsers. We also worked on improving the way we run our automated tests, enabling them to run on saucelabs, but also going from an execution time of 1h 30m down to 15min using some parallelization magic!

A big thank you for everyone who spent some much valuable time to test and report bugs: veisis, LegendPG, infectormp and Imami.

Passbolt API

Added improvements

  • PASSBOLT-1706 GITHUB-18 Resource Description length is too short, should be 10K characters
  • PASSBOLT-1658 GITHUB-18 Resource URI length is too short, should be 1024 characters
  • PASSBOLT-1637 GITHUB-14 The "+" is not allowed in the email address field while adding a new user
  • PASSBOLT-1525 Test coverage for SetupControllerTest & CakeErrorController
  • PASSBOLT-1694 Default config change: debug should be set to 0
  • PASSBOLT-1660 Refactoring to simplify Chrome plugin development
  • PASSBOLT-1649 Adjusted coveralls markup
  • PASSBOLT-1648 Upgrade to Cakephp 2.9.1
  • PASSBOLT-1250 Contribution guidelines
  • PASSBOLT-1670 Run selenium tests on saucelabs

Fixed bugs

  • PASSBOLT-1700 Event names should stay backward compatible
  • PASSBOLT-1668 Remove GPGAuth debug count
  • PASSBOLT-1673 Restore avatars during quick install

Passbolt Firefox Plugin

Added improvements

  • PASSBOLT-1508 Upgrade firefox plugin OpenPGP.js to v2.2.0
  • PASSBOLT-1660 Refactoring to simplify Chrome plugin development

Fixed Bugs

  • PASSBOLT-1698 GITHUB-2 A user should be able to download the generated key during setup
  • PASSBOLT-1668 GITHUB-16 /24 Refactor GPGAuth to ignore header capitalization issues
  • PASSBOLT-1700 Removing bower legacy and fixing licence in package.json
  • PASSBOLT-1700 Event names should stay backward compatible

How to upgrade to v1.2?

1. Take your site down: create a temporary webserver configuration to redirect all requests to a maintenance page. You can find resources on how to do this online: here is an example for Apache.

2. Make a backup of your database: This is very important in case something goes wrong. You can do this using mysqldump, for example:

$ mysqldump -u[user] -p[pass] db > /path/backup.sql

3. Get the latest release:

$ git fetch
$ git checkout v1.2.0

4. Run the migration script as follows:

~/passbolt$ ./app/Console/cake Migrations.migration run all
Cake Migration Shell
---------------------------------------------------------------
Running migrations:
[1474629203] 1474629203_Migration_1.2.0
[...]
---------------------------------------------------------------
All migrations have completed.

5. Put your site back online! Verify everything is ok using healthcheck: As an administrator (or as any user in debug mode) you can go and check on the /healthcheck page to see if your instance configuration is looking good.

Mr. Engineer, Don't you keep me waiting! You hear me? Telling you: Hurry, hurry, hurry, hurry!

No, it won't be long

Important bugfix note!

Please double check your file backup of your private key. There was an issue reported with keys created with version 1.1.0 and downloaded during setup. Private keys downloaded from the profile page were not affected.

Ref. PASSBOLT-1698 GITHUB-2
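A structural check for the key backup mentioned in the note above, as an added example (not passbolt's code): it confirms the file is a non-empty ASCII-armored OpenPGP private key block whose checksum matches and whose first packet is a Secret-Key packet. The function names and the sample blocks are constructed for illustration, and the check does not test whether your passphrase unlocks the key.

```python
import base64
import binascii

BEGIN = "-----BEGIN PGP PRIVATE KEY BLOCK-----"
END = "-----END PGP PRIVATE KEY BLOCK-----"
SECRET_KEY_TAG = 5  # OpenPGP Secret-Key packet tag (RFC 4880, section 4.3)


def crc24(data: bytes) -> int:
    """CRC-24 of OpenPGP ASCII armor (RFC 4880, section 6.1)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF


def check_private_key_backup(armored: str) -> str:
    """Return "ok", or the reason the file cannot be a usable private key."""
    lines = [line.strip() for line in armored.strip().splitlines()]
    if not lines:
        return "empty file"
    if lines[0] != BEGIN:
        return "not an armored private key block"
    if lines[-1] != END:
        return "truncated: armor tail missing"
    body = lines[1:-1]
    # Armor headers such as "Version:" end at the first blank line.
    if "" in body:
        body = body[body.index("") + 1:]
    # The optional last line "=XXXX" carries the CRC-24 of the decoded data.
    checksum = body.pop() if body and body[-1].startswith("=") else None
    try:
        data = base64.b64decode("".join(body), validate=True)
        stored = base64.b64decode(checksum[1:], validate=True) if checksum else None
    except binascii.Error:
        return "corrupt base64 data"
    if not data:
        return "armor present but key material is empty"
    if stored is not None and crc24(data).to_bytes(3, "big") != stored:
        return "checksum mismatch"
    if not data[0] & 0x80:
        return "not an OpenPGP packet"
    # New-format headers keep the tag in bits 5-0, old-format ones in bits 5-2.
    tag = data[0] & 0x3F if data[0] & 0x40 else (data[0] & 0x3C) >> 2
    if tag != SECRET_KEY_TAG:
        return f"first packet has tag {tag}, expected {SECRET_KEY_TAG}"
    return "ok"


def armor(data: bytes, kind: str = "PRIVATE") -> str:
    """Wrap constructed bytes in ASCII armor (used only to build the samples)."""
    b64 = base64.b64encode(data).decode()
    crc = base64.b64encode(crc24(data).to_bytes(3, "big")).decode()
    return (f"-----BEGIN PGP {kind} KEY BLOCK-----\nVersion: sample\n\n"
            f"{b64}\n={crc}\n-----END PGP {kind} KEY BLOCK-----\n")


# Constructed samples: a dummy packet header plus filler, not real key material.
FAKE_SECRET_PACKET = bytes([0xC5, 0x10]) + bytes(range(16))
SAMPLES = {"good": armor(FAKE_SECRET_PACKET), "empty_body": armor(b""), "blank": "",
           "public": armor(bytes([0xC6, 0x02, 0x04, 0x00]), kind="PUBLIC")}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(f"{name}: {check_private_key_backup(text)}")
```

To check a real backup, pass the contents of the file to check_private_key_backup; any result other than "ok" means the backup should be exported again from the profile page.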

v1.1.0 ~ Celebration

Release date: August 8, 2016.

This release is mostly aiming at improving the stability and overall maintainability of the server side application. In terms of new features this release brings the ability to see the last login date of a given user and the ability to sort by the table columns for both password and user overviews.

We notably improved MySQL 5.7 compatibility. As reported on GitHub, many of you had issues with MySQL 5.7 running in strict mode by default. In order to provide a fix, we had to perform corrections on the data model, as some “not optional” rules were not followed. So if you are running 1.0 for your team already, you will need to follow the upgrade procedure outlined below.

In order to run passbolt on MySQL 5.7 you will still need to disable the sql_mode only_full_group_by, as some of the queries used for handling permissions are not SQL99 compliant. We’ll try to address this in a future release. Let us know if you find more compatibility issues.

A big thank you to everyone who spent so much valuable time testing and reporting bugs: Nicolas, BastienLQ, Viktoria, Anogues and Imami.

How to upgrade from v1.0?

1. Take your site down: create a temporary webserver configuration to redirect all requests to a maintenance page. You can find resources on how to do this online: here is an example for Apache.

2. Make a backup of your database: This is very important in case something goes wrong. You can do this using mysqldump, for example:

$ mysqldump -u[user] -p[pass] db > /path/backup.sql

3. Get the latest release:

$ git fetch
$ git checkout v1.1.0

4. Review your configuration file: we’ve simplified the app.php configuration file and deprecated some of the items. It is best to compare app.php.default with your app.php again. You now only need to put the differences between the default configuration (see default.php) and your instance specifics (such as the server GPG key). For example, something as short as the following would do:

<?php
$config = [
    'App' => [
        'registration' => [
            'public' => true,
        ],
    ],
    'GPG' => [
        'env' => [
            'setenv' => true,
            'home' => '/usr/share/httpd/.gnupg'
        ],
        'serverKey' => [
            'fingerprint' => '2FC8945833C51946E937F9FED47B0811573EE67D',
            'public' => APP . 'Config' . DS . 'gpg' . DS . 'public.key',
            'private' => APP . 'Config' . DS . 'gpg' . DS . 'private.key',
        ]
    ]
];

5. Run the migration script as follows:

~/passbolt$ ./app/Console/cake Migrations.migration run all
Cake Migration Shell
---------------------------------------------------------------
Running migrations:
[1465367816] 1465367816_Migration_1.1.0
> Dropping index "username" from table "users".
[...]
---------------------------------------------------------------
All migrations have completed.

6. Put your site back online! Verify everything is ok using healthcheck: As an administrator (or as any user in debug mode) you can go and check on the /healthcheck page to see if your instance configuration is looking good.

(Optional) If you run into some issues:

  • Make a copy of the error messages
  • Check out the v1.0.14 version using git
  • Drop the database and load your backup data to restore to a previously working version.
  • Send us an email with the details of the error or fill in a bug report on GitHub, with as much detail as possible, such as your OS, PHP and MySQL environment versions.

Passbolt API

Added improvements

  • PASSBOLT-1124: As LU on user workspace I should be able to see the last logged in date of a user.
  • PASSBOLT-1216: As LU I should be able to sort the table view in passwords workspace
  • PASSBOLT-1217: As LU I should be able to sort the table view in users workspace
  • PASSBOLT-1633: Travis and Coveralls integration.
  • PASSBOLT-1597: Implemented schema versioning and migration tool.

Fixed bugs

  • PASSBOLT-1620: Duplicate records shown when selecting records and using filters
  • PASSBOLT-1652: As LU I cannot use passbolt with public key bigger than 4096 bits
  • PASSBOLT-1604: As a AD I should be able to see the healthcheck page when debug is set to 0
  • PASSBOLT-1525: Misc unit test code coverage & phpcs cleanup
  • PASSBOLT-1653: After migration, Gpgkey.uid should be sanitized in DB.
  • PASSBOLT-1634: Authentication logs are moved in each authentication stage.
  • PASSBOLT-1383: Cleanup cakephp config & prevent future regressions like PASSBOLT-1621 with a default.
  • PASSBOLT-1535: Fix mysql 5.7 schema issues and improve compatibility.
  • PASSBOLT-1621: Missing config item 'tokenExpiracy' breaks forward compatibility
  • PASSBOLT-1486: After deleting a user, I should be able to recreate a user with the same username.
  • PASSBOLT-1643: Selenium tests coverage when passbolt tab is closed and restored
  • PASSBOLT-1642: Selenium tests coverage when browser is restarted

Passbolt Firefox Plugin

Fixed

  • PASSBOLT-1432: Passbolt.app pagemod shouldn't start if user is not logged in

“My mother told me when she heard it, You're gonna play this song for the rest of your life - so get ready!”.

v1.0.14 ~ More Bounce To The Ounce

Release date: July 11, 2016.

A mini-release to fix a regression introduced by v1.0.13.

Passbolt API

Fixed bugs

  • PASSBOLT-1616: Fixed bad merge during the previous release.
  • PASSBOLT-1599: GITHUB-10 passbolt.js requesting wrong path for config.json.

v1.0.13 ~ Just The Way You Are

Release date: July 1, 2016.

This release introduces the possibility to recover an account and install passbolt on multiple devices. This feature will be useful when you want to reuse an existing passbolt account on another machine (on both your home and work machines for example) or if you have reinstalled your browser or operating system. Of course this will only work if you have made a backup of your secret key.

fig. Account recovery

Another nice-to-have addition to the user interface is the ability to filter the list of passwords and users directly as you type. We also fixed a few bugs!

Passbolt API

Added improvements

  • PASSBOLT-1077: As a LU searching for a password (or a user) search results should filter as I type.
  • PASSBOLT-1588: As AN it should be possible to recover a passbolt account on a new device.

Fixed bugs

  • PASSBOLT-1605: Set::extract to Hash::extract refactoring regression.
  • PASSBOLT-1601: ControllerLog Model should support IPv6 addresses.
  • PASSBOLT-1366: Worker bug when multiple passbolt instances are open in multiple windows.
  • PASSBOLT-1590: Styleguide bump to v1.0.38.
  • PASSBOLT-1613: As a user losing access to a password I selected, I shouldn't encounter an error.
  • PASSBOLT-1569: Cleanup: remove SetupController::ping.

Passbolt Firefox Plugin

Added improvements

  • PASSBOLT-1588: As AN it should be possible to recover a passbolt account on a new device.

Fixed bugs

  • PASSBOLT-1366: Worker bug when multiple passbolt instances are open in multiple windows

"You're not the only one who's made mistakes, but they're the only things that you can truly call your own."

v1.0.12 ~ Brick House

Release date: May 31, 2016.

This release brings an interesting new feature: the possibility to see the list of the users a password is shared with at a glance, directly from the sidebar.

fig. permissions being displayed in the sidebar

v1.0.12 also comes with its fair share of bug fixes, and some UI improvements. As usual, we have also worked on increasing the coverage, mostly for the selenium tests.

Big thanks to the German DJ Holger Hecler for making our heads move while coding!

Passbolt API

Added improvements

  • PASSBOLT-1572: As LU, I should be able to see which users a password is shared with directly from the sidebar.
  • PASSBOLT-1407: As a LU there is no visual feedback when I upload a picture and that the process is in progress.

Fixed bugs

  • PASSBOLT-1439: Email is sent as anonymous when a user is created from the console.
  • PASSBOLT-1509: As LU, when a password is shared with me in read only, I should not see the delete menu available in more.
  • PASSBOLT-1579: Segfault at the end of setup when trying to display login form.
  • PASSBOLT-1576: Fixed Hash component warning message in EmailQueue.
  • PASSBOLT-1322: Insertion of comments in unittest dataset display an error in the console.
  • PASSBOLT-1234: Authentication token used for account registration expiracy check.

Passbolt Firefox Plugin

Added improvements

  • PASSBOLT-959: Plugin version number should be in the footer.
  • PASSBOLT-1488: As AP, I shouldn't be able to complete the setup if I import a key that already exists on the server.

Fixed bugs

  • PASSBOLT-1255: Button height issues + missing tooltip on setup.

"When your past calls, don't answer. It has nothing new to say."

v1.0.11 ~ Soul Makossa

Release date: May 16, 2016.

This release brings some new email notifications. Until now you could only receive a notification when someone shared a password with you. With this new set of features you will also receive a nudge when someone comments on, edits or deletes a password that you own (or that is shared with you).

fig. example of new email notification

Another interesting new feature that was requested by quite a few of you is a "remember for 5 minutes" checkbox on the passphrase / master password dialog. To be used with care!

fig. remember me!

On the nerdy side we also squashed some annoying bugs on the plugin side, tidied up the code with PHPCS and gave the API documentation a head start. If you are running your own instance, you can check out /api/doc.json (available in debug mode) to get access to a Swagger-compatible documentation file.

This week's round of thank-yous goes to Madalina Preda and Shruti Ravindran, who are helping us get our first press releases out of the door.

Passbolt API

Added improvements

  • PASSBOLT-1388: As a user I should receive an email notification when a password is updated.
  • PASSBOLT-1389: As a user I should receive an email notification when a password is created.
  • PASSBOLT-1390: As a user I should receive an email notification when a password is deleted.
  • PASSBOLT-1544: As a user I should receive an email notification when someone comments on a password.
  • PASSBOLT-1221: API documentation with Swagger (Part I: models).

Fixed bugs

  • PASSBOLT-1094: Frontend: Server errors happening during a request should give a visual feedback.
  • PASSBOLT-1438: Retry button is not working at setup first step (when user doesn't have the plugin installed).
  • PASSBOLT-1564: As a sysop, installing passbolt with quiet mode should not output any information.
  • PASSBOLT-1434: Wordsmithing: rename master password to passphrase.
  • PASSBOLT-1274: Fix PHPCS errors for models

Passbolt Firefox Plugin

Added improvements

  • PASSBOLT-1108: As LU when entering my master key I can have the plugin remember it for 5 min.

Fixed bugs

  • PASSBOLT-1494: After two consecutive setups, the plugin stops working and doesn't start anymore.

"Wanna Be Startin' Something"

v1.0.10 ~ Sittin' on the dock of the bay

Release date: May 3, 2016.

This release's most notable improvement is a health-check page that can help administrators diagnose the status of their installation. This week we are still ironing out a few bugs and environment-related issues.

A big thank you to Alexis Vachette and Ebrahim Imami who are helping us with these, and all of you who sent us bug reports and suggestions!

fig. example /healthcheck screen

Passbolt API

Added improvements

  • PASSBOLT-1419: Cleanup config.json for js client and remove useless config.
  • PASSBOLT-1514: By default passbolt app should not be indexed by search engines.
  • PASSBOLT-1474: API: Upgrade cakephp to 2.8.3.
  • PASSBOLT-1288: As an AD during install I should have status page to help me.

Fixed bugs

  • PASSBOLT-1502: String is deprecated in Cakephp since version 2.7, use CakeText instead.
  • PASSBOLT-1466: GET /auth/verify.json Content-Type should not be text/html but JSON.
  • PASSBOLT-1443: Copy to clipboard icon is misleading

Passbolt Firefox Add-on

Added improvements

  • PASSBOLT-1316: As a AP trying to register again, I should be informed that the plugin is already configured.

"I can't do what ten people tell me to do
So I guess I'll remain the same"

v1.0.9 ~ Let's stay together

Release date: April 25, 2016.

This release was mainly about bug fixes. Also, thanks to an article in the awesome magazine LinuxFR, and people trying to install passbolt on their own machine, we published a new page containing the installation instructions.

Passbolt API

Added improvements

  • PASSBOLT-1495: Update installation instructions in README file.

Fixed bugs

  • PASSBOLT-1505: As AP, I should not get an error during setup if my key has been generated on a system that is not exactly on time.

Passbolt Firefox Add-on

Added improvements

  • PASSBOLT-1456: When generating a password automatically it only generates a "fair" level password.

Fixed bugs

  • PASSBOLT-1457: As LU, I should not be able to create a resource without password.
  • PASSBOLT-1441: Wordsmithing: a parenthesis is missing on set a security token step.
  • PASSBOLT-1158: Remove all errors (plugin/client) from the browser console at passbolt start.

"The music is the message, the message is the music."

Let's stay together

v1.0.8 ~ Lovely Day

Release date: April 15, 2016.

This is a small release, as we are busy collecting feedback from all of our early users. Thanks for all the positive vibes!

Passbolt API

Fixed bugs

  • PASSBOLT-1445: As a LU viewing someone else comment I should not see the delete comment button.
  • PASSBOLT-1402: As LU, In the comment thread I should not see a hyperlink on people's name that leads to nowhere.

Passbolt Firefox Add-on

Fixed bugs

  • PASSBOLT-1408: As a LU I should see the email addresses of the people I'm sharing a password with.

"When I wake up in the morning and the sunlight hurts my eyes and something without warning bears heavy on my mind"

Then I look at you

v1.0.7 ~ Ring My Bell

Release date: April 5, 2016.

This week we rolled out a new homepage, as you may have noticed. We also revamped the password workspace when no passwords are present. The nest illustration you can now see in place of the original void is courtesy of our beloved Arthur Duarte. Check out his work on Behance.

A big thank you to last week testers: Wout, Gerald, Yann and Diego! We are getting a lot of valuable feedback each week, please keep it coming!

Passbolt API

Added improvements

  • PASSBOLT-1223 Implemented state for empty password workspace
  • PASSBOLT-1450 Change information button icon. Eye becomes information.

Passbolt Firefox Add-on

Fixed bugs

  • PASSBOLT-1158: Cleanup: remove useless console.log() from the code.
  • PASSBOLT-1462: Remove spelling mistake on encrypting dialog title.

"The night is young and full of possibilities"

v1.0.6 ~ Boogie Wonderland

Release date: March 29, 2016.

Another release mostly focusing on bug fixes. Big shout out to our testers: Lilian, Nikki, Marcin and Vrindha!

The only major new functionality is the release of a first version of a Slack plugin for passbolt. You can now track signups in Slack. Get in touch with us if you use Slack and have some ideas on how you would like it to work in the future.

fig. an example of notification in slack

We decided not to make this feature available as part of the default passbolt API product since not everyone will make use of it. Instead it will be an extra plugin people can install on their own. We will make the code available once we have finished testing and documenting it.

Passbolt API

Added improvements

  • PASSBOLT-1343: A confirmation email link opened in chrome does not explain that passbolt works only in firefox.
  • PASSBOLT-1416: Improved test coverage: auth token should not be invalidated when validateAccount fails.
  • PASSBOLT-1444: Slack plugin for passbolt to keep track of passbolt signup registrations.

Fixed bugs

  • PASSBOLT-1395: Regression: As LU I should not be able to select two passwords.
  • PASSBOLT-1396: As LU I should not see a mix of two dashboards data if I click quickly on the users and passwords menu links.
  • PASSBOLT-1406: Space missing between first name and last name in registration email.

Passbolt Firefox Add-on

Added improvements

  • No new functional improvements.

Fixed bugs

  • PASSBOLT-1424: Cleanup: in Firefox addon remove URL_PLUBLIC_REGISTRATION.
  • PASSBOLT-1417: At the end of the setup, or in case of setup fatal error, setup data should be cleared.
  • PASSBOLT-1359: Setup should restart where it was left.

"It’s not music if you can’t dance to it."

v1.0.5 ~ Move On Up

Release date: March 22, 2016.

That's one small release for both the browser add-on and the API but a giant leap for the project. Passbolt is officially in Private Alpha and the first testers are starting to give us feedback. A big thank you to our first testers: Karthik, Lilian, Amitav and Parbhjot!

It is also the first major version for the API; we did so to make the plugin and the API share the same version numbers (Firefox add-on version numbers cannot start with 0.x.x).

Passbolt API

Added improvements

  • PASSBOLT-1384: As a Sysops I should be able to register during installation.
  • PASSBOLT-1310: As a AP if my account is deleted I should get feedback on login.

Fixed bugs

  • PASSBOLT-1415: As a AP the 'Please register' links are broken.
  • PASSBOLT-1157: As a AP I should not see the application javascript on error pages.
  • PASSBOLT-1243: As a LU I should see an error when I try to upload an avatar with a wrong file type / size

Passbolt Firefox Add-on

Added improvements

  • PASSBOLT-1304: As a LU getting an Error500 when trying to authenticate I should see a retry button.
  • PASSBOLT-1310: As a previously registered user I should get an appropriate feedback on login if my account was deleted.

Fixed bugs

  • PASSBOLT-1377: As LU I should be able to login again if my session timed out.
  • PASSBOLT-1381: As LU I should not be able to share a password with a user who is registered but who has not completed his setup
  • PASSBOLT-1418: The App worker should be attached only on private pages.

"Bite your lip and take a trip"

Move on up!