This release adds 3 notable features for engineering teams evaluating rollout.
✓ No known CVEs patched in this version
Topics
+9 more
Affected surfaces
ReleasePort's take
Light signalThe GPG key used for release artifact verification has been changed to an isolated GitHub Actions key.
Why it matters: Operators must verify signatures with the new GPG key before trusting any artifacts; failure results in acceptance of unsigned or tampered releases.
Summary
AI summaryUpdates Other, https://xpipe.io/assets/images/BlogPage/rdp.png, and https://xpipe.io/assets/images/BlogPage/security-keys.png across a mixed release.
Changes in this release
| Type | Severity | Summary | CVE |
|---|---|---|---|
| Security | Medium |
GPG key for release signing changed to isolated GitHub Actions key. GPG key for release signing changed to isolated GitHub Actions key. Source: llm_adapter@2026-05-23 Confidence: high |
— |
| Security | Medium |
Switches new vault key generation to Argon2 for improved post‑quantum security. Switches new vault key generation to Argon2 for improved post‑quantum security. Source: granite4.1:30b@2026-05-23-audit Confidence: high |
— |
| Feature | Medium |
Adds new system for RDP (Windows) and VNC with tabbing, size locking, and dynamic resize support. Adds new system for RDP (Windows) and VNC with tabbing, size locking, and dynamic resize support. Source: llm_adapter@2026-05-23 Confidence: high |
— |
| Feature | Medium |
Adds full SSH certificate authentication with automatic TTL checks and renewal integrations (Vault, OpenBao). Adds full SSH certificate authentication with automatic TTL checks and renewal integrations (Vault, OpenBao). Source: llm_adapter@2026-05-23 Confidence: high |
— |
| Feature | Medium |
Adds HTTP and SOCKS5 proxy support for SSH connections, git sync, and XPipe itself. Adds HTTP and SOCKS5 proxy support for SSH connections, git sync, and XPipe itself. Source: llm_adapter@2026-05-23 Confidence: high |
— |
| Feature | Medium |
Improves SSH hardware security key support with selectable PKCS#11 implementations and automatic agent selection. Improves SSH hardware security key support with selectable PKCS#11 implementations and automatic agent selection. Source: llm_adapter@2026-05-23 Confidence: high |
— |
| Feature | Low |
Docker and Podman containers now default to bash if available instead of sh. Docker and Podman containers now default to bash if available instead of sh. Source: granite4.1:30b@2026-05-23-audit Confidence: high |
— |
| Feature | Low |
Adds OpenBao support as a password manager. Adds OpenBao support as a password manager. Source: granite4.1:30b@2026-05-23-audit Confidence: high |
— |
| Feature | Low |
Adds dialogs explaining incompatible identity sync options on first use. Adds dialogs explaining incompatible identity sync options on first use. Source: granite4.1:30b@2026-05-23-audit Confidence: high |
— |
| Feature | Low |
Introduces option to set default gateway for a category. Introduces option to set default gateway for a category. Source: granite4.1:30b@2026-05-23-audit Confidence: high |
— |
| Feature | Low |
Enables IP resolution to DNS names during network scans. Enables IP resolution to DNS names during network scans. Source: granite4.1:30b@2026-05-23-audit Confidence: high |
— |
| Feature | Low |
Adds central API server mode for Webtop to handle vault updates via API. Adds central API server mode for Webtop to handle vault updates via API. Source: granite4.1:30b@2026-05-23-audit Confidence: high |
— |
| Feature | Low |
Supports KRDC as an RDP/VNC client option. Supports KRDC as an RDP/VNC client option. Source: granite4.1:30b@2026-05-23-audit Confidence: high |
— |
| Feature | Low |
SFTP connections now auto‑adjust file system root when only a subdirectory is accessible. SFTP connections now auto‑adjust file system root when only a subdirectory is accessible. Source: granite4.1:30b@2026-05-23-audit Confidence: high |
— |
| Feature | Low |
Limits explicit display scale to multiples of 25% to avoid rendering issues. Limits explicit display scale to multiples of 25% to avoid rendering issues. Source: granite4.1:30b@2026-05-23-audit Confidence: high |
— |
| Feature | Low |
Adds synchronization for concurrent FIDO2 SSH connections to prevent key request failures. Adds synchronization for concurrent FIDO2 SSH connections to prevent key request failures. Source: granite4.1:30b@2026-05-23-audit Confidence: high |
— |
| Feature | Low |
Provides option to automatically exit background shell sessions after inactivity. Provides option to automatically exit background shell sessions after inactivity. Source: granite4.1:30b@2026-05-23-audit Confidence: high |
— |
| Feature | Low |
Adds move and delete actions for batch selections in file browser. Adds move and delete actions for batch selections in file browser. Source: granite4.1:30b@2026-05-23-audit Confidence: high |
— |
| Feature | Low |
Adds compress/uncompress menu entries for .gz files in file browser. Adds compress/uncompress menu entries for .gz files in file browser. Source: granite4.1:30b@2026-05-23-audit Confidence: high |
— |
| Performance | Low |
Improves port handling allowing multiple XPipe instances on the same system when run by different users. Improves port handling allowing multiple XPipe instances on the same system when run by different users. Source: granite4.1:30b@2026-05-23-audit Confidence: high |
— |
| Performance | Low |
Optimizes PowerShell profile execution to prevent multiple runs. Optimizes PowerShell profile execution to prevent multiple runs. Source: granite4.1:30b@2026-05-23-audit Confidence: high |
— |
| Bugfix | Medium |
Fixes vault user password change not properly re‑encrypting secrets, making them unreadable. Fixes vault user password change not properly re‑encrypting secrets, making them unreadable. Source: llm_adapter@2026-05-23 Confidence: high |
— |
| Bugfix | Medium |
Fixes various SSH key passphrase reset issues that required a restart. Fixes various SSH key passphrase reset issues that required a restart. Source: llm_adapter@2026-05-23 Confidence: high |
— |
| Bugfix | Medium |
Fixes sftp and VSCode browser actions failing to open in certain shell environments. Fixes sftp and VSCode browser actions failing to open in certain shell environments. Source: llm_adapter@2026-05-23 Confidence: high |
— |
| Bugfix | Medium |
Fixes system‑wide VSCode detection failure on Windows. Fixes system‑wide VSCode detection failure on Windows. Source: llm_adapter@2026-05-23 Confidence: high |
— |
| Bugfix | Medium |
Fixes macOS terminal focus issues that sometimes targeted the wrong window. Fixes macOS terminal focus issues that sometimes targeted the wrong window. Source: llm_adapter@2026-05-23 Confidence: low |
— |
Full changelog
Note on updating
To increase security, the GPG key used to sign releases has been changed to a new completely isolated one that is only available to the GitHub actions pipeline. It is no longer a personal GPG key. If you installed XPipe via a package manager like apt, dnf, or yum, you will have to update the GPG key for the repository.
You can run the managed installation instructions for apt/rpm again to update the repofile and GPG keys: https://docs.xpipe.io/guide/managed-installation#linux
RDP + VNC
There is now a new system for RDP (on Windows) and VNC connections. They are now opened in a separate window with a built-in tabbing system:
This implementation does its best at working around the limitations of mstsc to provide a smooth experience. It comes with a tabbing and size locking system to allow you to open RDP sessions with the preferred size every time. VNC sessions will open in the same tabbed window and now support dynamic desktop resize operations at runtime.
SSH security keys
The support for hardware security keys and smart cards for SSH has been improved. You can now select a PKCS#11 implementation for PIV out of multiple supported ones like ykcs for Yubikeys, OpenSC, macOS keychain, and more. Furthermore, the automatic key selector from agents has been ported to also support security keys:
SSH certificates
This releases introduces full support for SSH certificate authentication:
This feature includes an automatic validity check for the certificate TTL and supports short-lived certificates via various integrations to automatically renew your certificate. This currently includes Hashicorp Vault, OpenBao, and the ability to specify custom renewal commands:
This feature is available in the Professional plan, but is also available for free for a few weeks after release.
HTTP + SOCKS5 Proxies
You can now add HTTP and SOCKS5 proxy connections in XPipe. These proxies can then be used for things like SSH connections, git sync, and more:
You can also configure the proxy to be used by XPipe itself:
Towards more ease of use
Another focus of this update was to iron out some ease-of-use issues where certain elements were confusing, not well explained, or not visible enough.
This release includes a lot of small changes to change certain item descriptions, show explanatory dialogs on first use of certain features, and more.
Other
- Docker and podman containers now automatically select bash if available instead of sh
- Add support for OpenBao as a password manager
- Add dialogs when setting incompatible identity sync options to better explain synced vaults and identities
- Add option to set default gateway for a category
- Add support to resolve IPs to DNS names in network scan
- Add option for webtop to run it as a central API server to handle vault updates via the API
- Add support for KRDC as an RDP/VNC client
- SFTP connections will now automatically adjust the file system root if only a subdirectory is accessible
- Make explicit display scale value only accept multiples of 25% to prevent display issues
- Add synchronization when multiple FIDO2 SSH connections are started to prevent failures caused by concurrent security key requests
- Switch vault key generation for new vaults to argon2 for improved post quantum security of the vault
- Add option to automatically exit background shell sessions after an inactivity period
- Add move and delete actions for batch selections
- Improve port handling when multiple users run XPipe on the same system.
You can now run multiple instances of XPipe on a system as long as they are run by different users - Add compress/uncompress menu entry for .gz files in file browser
- Improve PowerShell profile execution to not execute multiple times
Fixes
- Fix various issues with fish shell systems
- Fix various sync issues with plain directory vault sync
- Fix wrong SSH key passphrases not being reset, requiring a restart
- Fix issues with gpg signing and more when sync mode was not set to instant
- Fix vault user password change not properly reencrypting secrets, making them not readable
- Fix sftp and vscode browser actions not opening for shell environments correctly
- Fix browser navbar not aligning properly when the window width is constrained
- Fix browser navbar display issues when a custom display scale was set
- Fix vault user passphrase change dialog lagging
- Fix application restart not working properly in bourne shell
- Fix terminal dock tracking not working correctly if another terminal window was already open before
- Fix manual sync for local dir always pulling on startup
- Fix terminal split pane open being slow
- Fix system-wide vscode installations not being detected on Windows
- Fix macOS focus for terminals sometimes focusing the wrong window
Downloads
You can find all downloadable artifacts below attached to this release. For installation instructions, see the installation guide.
All artifacts are signed by Christopher Schnick (BBDA 885A DD3E 0AD0)
Weekly OSS security release digest.
The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.
No spam, unsubscribe anytime.
Share this release
Related context
Related tools
Beta — feedback welcome: [email protected]