Keepassxc: HMAC Mismatch after updating from 2.4.3 to 2.5.0

Created on 27 Oct 2019 · 23 Comments · Source: keepassxreboot/keepassxc

Expected Behavior

My database should unlock.

Current Behavior

HMAC Mismatch.

Steps to Reproduce

  1. Update KeepassXC from 2.4.3 to 2.5.0
  2. Attempt to open your database.

Context

Updated immediately after starting my computer when the chrome extension told me to update.
Upon doing so I can no longer log into my database.

Debug Info

KeePassXC - Version 2.5.0
Revision: 1ab8a9f

Qt 5.13.1
Debugging mode is disabled.

Operating system: Windows 10 (10.0)
CPU architecture: x86_64
Kernel: winnt 10.0.19008

Enabled extensions:

  • Auto-Type
  • Browser Integration
  • SSH Agent
  • KeeShare (signed and unsigned sharing)
  • YubiKey

Cryptographic libraries:
libgcrypt 1.8.5

All 23 comments

I can confirm that the database is not corrupt. It is synchronized between my desktop and laptop. My laptop runs 2.4.3 and can still unlock the database successfully.

Updated the title as I was misreading the 3 for an 8.

My apologies.

Same here. Almost had a heart attack.
KeePass opens the database without any issue.

After removing the ~/.config/keepassxc directory and then starting keepassxc I could open my password database as normal, including only using Yubikey HMAC without a password set.

Yeah! That did the trick!

Thanks!

We changed the way we use different key components. Before, you had to check a box explicitly for each component, which caused a lot of confusion with users. Now whenever a field has a value, we use it. No more checkboxes. If you are using weird configurations like no password, key file only or YubiKey only, then you may run into trouble initially. Make sure only the required fields are filled (e.g. no key file selected if you don't have one). Resetting the config file is one way to ensure that, although it shouldn't be necessary (it would be enough to delete the entries about recently used key files and YubiKeys).
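Why a pre-filled key file field yields "HMAC Mismatch" even with the right password, as an added sketch that is not KeePassXC code and not part of the comment above: KDBX 4 hashes every supplied component into one composite key, and the header HMAC is keyed from it. The seeds, header bytes, helper names and the PBKDF2 stand-in for the real KDF (Argon2 or AES-KDF) are assumptions constructed for the example.

```python
import hashlib
import hmac
import struct

def composite_key(password=None, key_file=None):
    """SHA-256 over the hashes of every component that was supplied."""
    parts = b""
    if password is not None:
        parts += hashlib.sha256(password.encode("utf-8")).digest()
    if key_file is not None:
        # Key files of arbitrary content contribute the SHA-256 of their bytes.
        parts += hashlib.sha256(key_file).digest()
    return hashlib.sha256(parts).digest()

def header_hmac(ck, master_seed, kdf_salt, header):
    # Stand-in KDF (assumption): real databases use Argon2 or AES-KDF here.
    transformed = hashlib.pbkdf2_hmac("sha256", ck, kdf_salt, 1000)
    base = hashlib.sha512(master_seed + transformed + b"\x01").digest()
    # The header HMAC key is derived with the all-ones 64-bit block index.
    key = hashlib.sha512(struct.pack("<Q", 0xFFFFFFFFFFFFFFFF) + base).digest()
    return hmac.new(key, header, hashlib.sha256).digest()

def try_unlock(db, password=None, key_file=None):
    """True if the credentials reproduce the HMAC stored after the header."""
    ck = composite_key(password, key_file)
    calc = header_hmac(ck, db["master_seed"], db["kdf_salt"], db["header"])
    return hmac.compare_digest(calc, db["header_hmac"])

def make_db(password=None, key_file=None):
    """Constructed sample database header; all values are made up."""
    db = {"master_seed": b"\x11" * 32, "kdf_salt": b"\x22" * 32,
          "header": b"constructed KDBX4 header bytes"}
    db["header_hmac"] = header_hmac(composite_key(password, key_file),
                                    db["master_seed"], db["kdf_salt"], db["header"])
    return db

if __name__ == "__main__":
    db = make_db(password="correct horse")        # password-only database
    stale = b"contents of a remembered key file"  # field pre-filled from config
    print("password only:        ", try_unlock(db, "correct horse"))
    print("password + stale file:", try_unlock(db, "correct horse", stale))
    print("wrong password:       ", try_unlock(db, "wrong"))
```

The stale key file case and the wrong password case fail the same check, so the error message alone cannot tell them apart.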

The fix is utterly simple, click the CLEAR button:
image

For those who don't see/have a clear button and use the Ubuntu Snap installation:

Removing the keepassxc directory under ~/snap/keepassxc/current/.config worked for me (corresponding to the comment by @ged42).

I have the same symptom, and am running the Ubuntu snap installation - but neither the clear button in the key file nor deleting the ~/snap/keepassxc/current/.config directory was effective. I do not find a ~/.config/keepassxc directory, so I haven't deleted that.

I see three copies of my passwords.kdbx file in sub-directories of ~/snap/keepassxc/
current
590
550

I don't know the reasons for these directories, but I do know that prior to the deletion of ~/snap/keepassxc/current/.config, KeepassXC was looking (and failing to find) a file in "350" - which didn't and doesn't exist.

Is there any hope of recovery? A prospect of downgrading KeePassXC?

Thanks for your time.

We didn't change anything regarding the parsing of kdbx files. Of course, you can try an AppImage of an older version, but I doubt it'll change anything if you entered the credentials correctly and (like it was the case in this report) didn't try to add a key file when you didn't have one.

Looks hopeless - I installed 2.4.3 on another machine, and tried to open the "current" copy of the .kdbx file; same results.

Is it normal to have three copies of this file? Any documentation that might help me figure out why KeepassXC wanted to see the file in a directory called "350"?

350 is just the version number that snap gives to the package. Every update increments the version number. You should always use the "current" directory which points to the folder of the currently installed version.

Thanks, droidmonkey.

Looks like all three copies are corrupted - or I got the password wrong. Either way, all my secure access is gone forever. That's a disaster, but I can't necessarily blame KeePassXC for it; could be snap, could be Ubuntu, could be hardware or random perversity.

You should definitely take a moment and think about what may have caused the issue. Did you change your master password recently? Did you try to remove the ~/snap/keepassxc/current/.config/keepassxc.ini file? Are you using a different keyboard layout or language?

What happens if you transfer the corrupt file to a different computer and try to open it there?

I did not remove ~/snap/keepassxc/current/.config/keepassxc.ini until I removed all of ~/snap/keepassxc/current/.config as part of troubleshooting. I didn't change the master password, keyboard layout, or language.

I have tried the file on a windows box running 2.4.3 and gotten the same result.

In trying to trace events, I have a weak hypothesis -

I know that KeePassXC was running and open when snap updated me to 2.5.0. It wasn't until some weeks later - the day of my first post to this thread - that I closed and re-opened KeePassXC to find the new version and that it couldn't find my database file - looking in the "350" directory, not "current".

I suspect that Snap couldn't do what it thought it should with an open file, and deleted the only good copy. I know that the Snap version directories are loop mounts, but I've no idea if there's anything I can do to investigate further, or if this is a totally harebrained notion.

It is my understanding that the new version number directory and loopback are not created until you launch the new version of the app. Merely installing the new version, or a new snap, does not introduce this structure in your home directory. Further, we do not leave the database file "open" when you are using KeePassXC. We only open the file upon reading or writing to the file (open and save).

Thanks phoerious. #3840 is much more apt for my symptoms - I'll start following it.

I checked the solution, but the ~/.config/ folder does not contain any keepass folder inside. Is there another location where I can find the folder on Mac?

In the end I had to remove the keepassxc.ini from ~/Library/Application Support/keepassxc, opened the app again and it worked for me.

How can I enable the YubiKey extension? It seems that KeePassXC does not recognize it on my MBP.

Please see #3329.

I have been getting the HMAC Mismatch error trying to open databases created by importing from a CSV file - using 2.5.2 (downgraded from 2.5.3-2 to avoid the loss of TouchID) under macOS 10.13.6. Interestingly the databases would also not open with Macpass. I have not (ever) used key files or Yubikey, just passwords, for the databases.
Removing keepassxc.ini from ~/Library/Application Support/keepassxc seems to have fixed the problem for creating new files, but the old imported files still give the error.
Hopefully, the fix will hold ...
