
#2954 Support initiating silent upgrades from the Update Check dialog

Milestone: KeePass_2.x
Status: closed
Owner: nobody
Labels: None
Priority: 5
Updated: 2025-11-10
Created: 2025-11-06
Creator: Sworddragon
Private: No

Currently we can go into Help -> "Check for Updates" to see if a new version of KeePass is available and, if so, we can click the link in there to go to the KeePass website and download the newest version.

However, this is very inconvenient and raises the issues of ticket #2953. Better would be if KeePass supported upgrades from within itself like web browsers do, e.g. when doing an update check within KeePass and a new version is found, the user can click a button to directly upgrade to this new version. This button would then download the new version in the background and, once everything is downloaded, start a silent installation that upgrades the existing installation; once done, the button offers to restart KeePass so that the last finishing/cleaning-up steps can be done.

Discussion

  • Paul

    Paul - 2025-11-06

    This has been discussed (a lot). Updates are always best left to the user with such important software, especially as the updates rarely contain security fixes.

    cheers, Paul

  • Dominik Reichl

    Dominik Reichl - 2025-11-06
    • status: open --> closed
  • Dominik Reichl

    Dominik Reichl - 2025-11-06

    There already are multiple related feature requests, thus I'm closing this one.

    Best regards,
    Dominik

    • Sworddragon

      Sworddragon - 2025-11-07

      There are already such feature requests? I have even searched before creating this one, but the only ones I found were about automatic updates. And even Paul wrongly assumes I'm talking about automatic updates.

      But this ticket requests an improvement for doing explicit, user-initiated manual updates, which is a big difference. Unless there are indeed already such feature requests, but then I have to complain to Google for not finding them (but their search engine isn't really good anymore) and even more to SourceForge since, as far as I recall, their search engine was entirely broken in the past years whenever I used it to search for tickets: the results were always very irrational and illogical, almost as if they just threw very random, unrelated tickets at me that had absolutely nothing to do with what I typed in.


      Last edit: Sworddragon 2025-11-07
  • Dominik Reichl

    Dominik Reichl - 2025-11-07

    The proposed UI may differ slightly, but the core idea and obstacle are the same: that KeePass downloads and installs (or initiates the install of) a new version instead of the user.

    Best regards,
    Dominik

    • Sworddragon

      Sworddragon - 2025-11-08

      I see, but what is the main issue here? The main change that is needed is that the installer supports silent installations if it doesn't already, which effectively pre-selects the last settings the user chose within it (which it already does) and simply continues while not being visible. That might even be useful as a feature request on its own.

      Other than that, the main complexity comes from handling the network logic and handling the migration of the new installation, but those are not too complex either.

      And then the user checks manually for a new version and, rather than following the link to the KeePass website, simply clicks the button to upgrade now. It would do the download of the new installer, start a silent installation and then offer to restart. This isn't too much voodoo, or is there a particular reason why this isn't possible?

      It would also be pretty transparent to the user and simplify the upgrade process. Also, it would eliminate some edge cases security-wise, since not relying on a third-party web browser makes this process more phishing-proof (not risking that the unencrypted HTTP site is opened, or that upgrading from a decade-old KeePass installation might now point to the wrong website controlled by somebody else, since when KeePass does the upgrade process it can validate this, e.g. by checking for a signed installer).

      Personally I'm fine if this feature request won't make it in, but I'm really curious what the reason is why doing it this way should not be possible. And it is already 2025, where applications are far overdue in making this a standard. Some applications have tried recently to catch up here, like LibreOffice and Notepad++, with more or less success in their implementation.

      Mainly web browsers really stood out here in the past. On my Firefox installation I just go to its "About Firefox" dialog, which then checks for a new version, and if one is available I just click the button to download/install it and a second time to do the restart. The complete process takes only some seconds, is as easy as one could imagine, and all is user-initiated, as automatic updates (checks, downloads and installations) are disabled via policies.json.


      Last edit: Sworddragon 2025-11-09
      • wellread1

        wellread1 - 2025-11-08

        The main issue is security. While an automatic update may be convenient, it eliminates the final authorization and confirmation step made by a human. Elimination of this step creates the possibility of rapid dissemination of malicious software should a breach occur in the update process.

        The current system is very deliberate. The user has multiple opportunities to verify that KeePass is downloaded from a familiar source, and the user has the opportunity to manually verify the authenticity of the download and check for viruses before installing.


        Last edit: wellread1 2025-11-08
        • Sworddragon

          Sworddragon - 2025-11-09

          But your first paragraph does not apply here, since the user always authorizes this action before a new version of KeePass is even downloaded. It would only be true if we were talking about true automatic updates (e.g. KeePass doing the checking, downloading and installing of updates periodically without user interaction) and not about improving the manual installation of updates, which is what this ticket requests.

          And while your second paragraph is true in general, it involves an issue (if we ignore the extra work): more manual steps for the user mean the risk of mistakes increases, which also gives malicious actors a larger attack surface. Automating this in a secure manner would be the better option.

  • wellread1

    wellread1 - 2025-11-09

    Apparently you are not aware of the recent cases where malicious software has been widely disseminated because updates from trusted sources were automatic.

    • Sworddragon

      Sworddragon - 2025-11-10

      I'm very well aware of the threat from compromised upstream/downstream sources, as well as of some recent cases like some games on Steam.

      But those have nothing to do with the feature requested here, as apparently almost everybody is still wrongly assuming I'm requesting a feature to enable automatic updates.

      But let's just go with your case and assume the KeePass repository were compromised. Even in such a case the feature discussed here would not help infect computer systems any more than the current implementation already would, since it makes no difference whether the user starts a manual update within KeePass (the proposal here) or goes to the KeePass website and downloads the installer to start an update (the current implementation).

  • wellread1

    wellread1 - 2025-11-10

    when doing an update check within KeePass and a new version is found, the user can click a button to directly upgrade to this new version. This button would then download the new version in the background and if all is downloaded it starts a silent installation that upgrades the existing installation

    This procedure cuts out meaningful user verification steps, such as verifying the integrity of the downloaded file or checking with VirusTotal. The user only has the option to press yes or no; all steps after that are automatic. I know a guided update could address some of these issues… just as a manual update does.

    Automatic update is not central to KeePass functionality, and it introduces a new attack surface that the developer has to maintain. KeePass usually remains at arm's length from non-core functionality. The developer's reason for not implementing this is clearly expressed above. While this may not satisfy everyone, it is the state of affairs for the foreseeable future.


    Last edit: wellread1 2025-11-10
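Two points in the thread come down to the same question: what an updater verifies before it runs anything. Sworddragon suggests the in-app flow could check for a signed installer; wellread1 objects that a silent flow skips the hash and VirusTotal checks a careful user performs by hand. The script below is an added example, not KeePass code and not anything the KeePass project has proposed or implemented: it downloads an installer over HTTPS only, refuses to run it unless its SHA-256 matches a pinned value and its Authenticode signature is valid and made by a pinned signer certificate, and only then launches it silently. The URL, expected hash, signer thumbprint and the Inno Setup /VERYSILENT switch are placeholders and assumptions; substitute values you have verified out of band.

```powershell
# Added example (not KeePass code): verify a downloaded installer before a silent install.
# All values below are placeholders; replace them with values you verified out of band
# (e.g. a hash published on the project's HTTPS site, the signer thumbprint from a known-good copy).
param(
    [string]$Url                = 'https://example.invalid/KeePass-2.xx-Setup.exe',  # assumed URL
    [string]$ExpectedSha256     = '0000000000000000000000000000000000000000000000000000000000000000',  # pinned hash
    [string]$ExpectedThumbprint = '0000000000000000000000000000000000000000',  # pinned signer cert thumbprint
    [string]$InstallerPath      = (Join-Path $env:TEMP 'KeePass-Setup.exe')
)

$ErrorActionPreference = 'Stop'

# 1. Only fetch over HTTPS; a plain http:// URL is rejected outright rather than silently accepted.
if (-not $Url.StartsWith('https://', [System.StringComparison]::OrdinalIgnoreCase)) {
    throw "Refusing to download installer from a non-HTTPS URL: $Url"
}
Invoke-WebRequest -Uri $Url -OutFile $InstallerPath -UseBasicParsing

# 2. Integrity: the file must match the hash pinned in this script (obtained over a separate channel).
$actualHash = (Get-FileHash -Path $InstallerPath -Algorithm SHA256).Hash
if ($actualHash -ne $ExpectedSha256) {
    Remove-Item $InstallerPath -Force
    throw "SHA-256 mismatch: expected $ExpectedSha256, got $actualHash"
}

# 3. Authenticity: the Authenticode signature must be Valid (trusted chain, file not modified after
#    signing) AND come from the expected signer. Pinning the thumbprint, not just checking 'Valid',
#    stops an attacker who holds any trusted code-signing certificate from substituting their own
#    validly signed installer.
$sig = Get-AuthenticodeSignature -FilePath $InstallerPath
if ($sig.Status -ne 'Valid') {
    Remove-Item $InstallerPath -Force
    throw "Authenticode check failed: status $($sig.Status) ($($sig.StatusMessage))"
}
if ($sig.SignerCertificate.Thumbprint -ne $ExpectedThumbprint) {
    Remove-Item $InstallerPath -Force
    throw "Installer signed by unexpected certificate: $($sig.SignerCertificate.Subject) [$($sig.SignerCertificate.Thumbprint)]"
}

# 4. Only now run the installer silently. /VERYSILENT is the Inno Setup switch for an install with
#    no UI; that the installer honours it is an assumption of this example. Wait for it and surface
#    a non-zero exit code instead of assuming success.
$proc = Start-Process -FilePath $InstallerPath -ArgumentList '/VERYSILENT' -Wait -PassThru
if ($proc.ExitCode -ne 0) {
    throw "Installer exited with code $($proc.ExitCode)"
}
Write-Host "Installer verified (hash + signature) and installed silently; restart the application to finish."
```

Run it from an elevated prompt if the existing installation lives under Program Files. Note what this does and does not buy: pinning the hash and thumbprint in the script moves trust from the user's eyes to whoever wrote those values, which is exactly the check wellread1 describes the user doing by hand. A real in-app updater cannot hardcode a per-release hash, so it would have to fetch that metadata from a signed manifest and verify the manifest's signature with a key shipped in the application; a compromise of the signing key or the manifest server then defeats step 2, and only the pinned-signer check in step 3 still stands. That residual dependency on the vendor's signing key is the attack surface the thread is arguing about.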

