I just downloaded 1.9.9 and I did not have a key to verify the signature. Did I lose the key or the key change, with no announcement? If the key changed without signing it with the old key, that’s a serious security error. But maybe I just screwed something up on my end?
Seems to me the releaser has changed, I think you can find the gpg public key on bisq.wiki
It changed. Downloading and installing - Bisq Wiki
Twitter and release notes announce that change, but no, old key has not signed the new one, they’re different owners.
Looks like the wiki is missing some info, quote:
" which you can verify through commits on GitHub and ."
What’s in the box?!?!
Thanks, I’ve just fixed it. You could see ripcurlx key on keybase, but Bisq does not use Keybase anymore.
Yes, and different owners can sign each others’ keys. That is the proper procedure when changing a signing key. The former maintainer signs the new maintainer’s key.
It really does not help that it is in the release notes obviously, because anyone who could compromise the binary could compromise the release notes (they are in the same infrastructure).
This is really a basic verification process error here. Of course it does not mean there is a problem, but the point of using GPG is to ensure there is not one, and Bisq is not following the procedures that allow to verify this.
I just signed and published both new signer keys.
is the new pgp signing key and public key up in the download section? because i tried uploading the public key yesterday and it was the same one that i’ve had for years
Following your (updated?) link to verify the installer, the wiki states:
Bisq installer files are currently built and signed by Alejandro Garcia (alejandrogarcia83). His public key ID is E222AA02 and fingerprint is B493 3191 06CC 3D1F 252E 19CB F806 F422 E222 AA02, which you can verify through commits on GitHub.
However, the latest commits by user “alejandrogarcia83” on GitHub were signed with GPG key ID: 4AEE18F83AFDEB23; not »E222AA02«.
What am I missing?
bisq.network key has not been uploaded yet.
@till I’m asking why last commit’s key is different.
Copying the reply I got from Bisq 2 repo maintainer:
That’s normal. It’s GitHub’s PGP key. Look at the Bisq 2 repo commits (Commits · bisq-network/bisq2 · GitHub). When I merge PRs using the “GitHub UI” GitHub will sign the “merge commit”.
Thanks for taking care of it, @MnM !
Let me get this straight:
In the Bisq repository, I find commits from user “alejandrogarcia83” with two different signatures:
- his personal GPG signature: used when he does “classic” work (e.g. remote work using
- any GitHub GPG signature: used when he works via the GitHub WebGUI.
This is not obvious to me as a user (and thus possibly to others) without explanation and leads to confusion in key verification. Is there a better way to do this?
From the reply I got, it seems there is no better way to do it. If at least one of the keys signed commits, and the web gives you that key, seems enough.
But I understand it’s confusing. I’ll wait, though, to see if other people complains about this to see if something else is necessary.
There is a long-established way of handling exactly this sort of thing, and Bisq isn’t doing it. Why even use signing keys if you’re not going to use them in the proper way?
I actually forget the original situation here, but if there are two keys then each of those keys should have signed each other and uploaded the new keys to the keyserver so everyone can verify that each signer knows the other.
If there is a new key, all former signing keys need to sign the new key, and upload all to the keyservers.
Also, the website should expain this situation. It is not acceptable to have a website say one thing, but the actual keys say something different.
This is basic keysigning procedure. Like I said I don’t remember what this situation is but what I’ve just laid out is keysigning 101 and should cover most situations.
To skip this basic security function for a piece of software that uses Tor and handles private data should be a huge red flag for anyone considering using Bisq. We’re not talking about anything special here, just basic keysigning/validation rules.
see if other people complains about this
Reporting in! I suspect most downloaders don’t attempt to verify both the installer and the git repo. I did and had no problem with the installer. But I found this ticket after failing to verify a bisq commit. I saw “Can’t check signature: No public key”. Quite the heart-sinker.
It’s unclear to me what I’m suppose to do at this point. I hope this will be improved, please?
In your case, you are expected to download the new key. The problem is that the new key is not signed with the old key. It would take the devs about 45 seconds to do this, it’s standard procedure when dealing with multiple keys, it’s really basic basic security. There is no excuse for them to ignore it and if we’re being technically, this has all the tell-tale signs of a hack on the software, even though the other possibility is what I suspect that they just don’t care about the user base.
Hi @noremote! I already pushed the signed key to a public key server. I’ve attached the signed pub key here as well. I hope that solves your issue.
-----BEGIN PGP PUBLIC KEY BLOCK-----
Comment: CB36 D7D2 EBB2 E35D 9B75 500B CD5D C1C5 29CD FD3B
Comment: Christoph Atteneder email@example.com
-----END PGP PUBLIC KEY BLOCK-----