Having the TZ environment variable set to any valid timezone that is not exactly the same as your system's will break TOTPs. Setting this variable is done on purpose to override the timezone used by certain programs like Node.js, commonly TZ=UTC as it was in my case, but a TOTP program should not listen to this and should use the true system time unconditionally. For reference, Authy Desktop (from which I am migrating to KeePassXC) worked correctly regardless of the TZ variable being set.
Steps to Reproduce
With KeePassXC closed, set the TZ environment variable to UTC (unless you actually live in the UTC timezone, then set it to anything else like Etc/GMT+5)
Launch KeePassXC
Notice your TOTPs are incorrect (try using one and it won't work)
Expected Behavior
Like Authy Desktop, KeePassXC should have ignored the TZ variable and still given correct TOTP codes.
Actual Behavior
KeePassXC is fooled by the TZ variable and gives wrong TOTP codes.
Windows stores the hardware system time as local time, not UTC. So setting TZ to anything other than your actual timezone is kind of expected to give the wrong results. We use Qt's QDateTime, which handles all that transparently. The only thing we could do is unset TZ before retrieving the time, but that would just shift the problem from time being wrong if TZ is wrong to time being wrong if TZ is correct (but different from system time).
TZ is not a variable that is normally set. Windows doesn't store its own timezone in use there; it is an override variable for power users to use. The majority (99%) of users will not have it set to anything, and a lot of programs, including Windows itself, don't respect the variable, so a system with incorrect Windows time using TZ to "correct" it isn't even really possible; it would already be broken in a lot of other ways.
I reckon unsetting it for KeePassXC's env would be fine. At least, if even despite all the above you still feel it'd risk breaking anything (but it wouldn't), could it be made a setting to ignore the variable or not?
Context
Installed through Winget
KeePassXC - Version 2.7.8
Revision: f6757d3
Operating system: Windows 10 Version 2009
CPU architecture: x86_64
Kernel: winnt 10.0.19045
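
The failure discussed in this thread follows from how TOTP (RFC 6238) is defined: the counter is the number of 30-second steps since the UTC epoch, so a client whose idea of UTC is shifted by a timezone-sized amount computes a code for a different step than the server checks. The following is an added example, not KeePassXC code and not from the issue; the key and timestamp are the RFC 6238 test values, the 5-hour skew is a constructed value the size of the Etc/GMT+5 offset, and the server's ±1-step acceptance window is an assumption.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds per TOTP time step (RFC 6238 default)
SECRET = b"12345678901234567890"  # RFC 6238 Appendix B SHA-1 test key
NOW = 1111111109                  # RFC 6238 test time, used here as the "true" UTC


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP with HMAC-SHA1 and dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: the counter is seconds since the UTC epoch // STEP."""
    return hotp(secret, unix_time // STEP, digits)


def verify(secret: bytes, code: str, server_time: int, window: int = 1) -> bool:
    """Server-side check that tolerates +/- `window` steps of clock drift."""
    base = server_time // STEP
    return any(
        hmac.compare_digest(hotp(secret, base + d, len(code)), code)
        for d in range(-window, window + 1)
    )


def skewed_result(secret: bytes, true_time: int, skew_seconds: int, digits: int = 6):
    """Return (code, steps_off, accepted) for a client whose UTC estimate
    is wrong by skew_seconds while the server uses true_time."""
    client_time = true_time + skew_seconds
    code = totp(secret, client_time, digits)
    steps_off = client_time // STEP - true_time // STEP
    return code, steps_off, verify(secret, code, true_time)


if __name__ == "__main__":
    print("correct clock:", skewed_result(SECRET, NOW, 0))
    # Ordinary drift of a few seconds stays inside the server's window.
    print("20 s drift   :", skewed_result(SECRET, NOW, 20))
    # Constructed timezone-sized error: 5 hours is 600 steps, far outside it.
    print("5 h skew     :", skewed_result(SECRET, NOW, 5 * 3600))
```
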