New Signing Key?

I just downloaded 1.9.9 and I did not have a key to verify the signature. Did I lose the key, or did the key change with no announcement? If the key changed without being signed with the old key, that’s a serious security error. But maybe I just screwed something up on my end?

Seems to me the releaser has changed; I think you can find the GPG public key on bisq.wiki.

1 Like

It changed. Downloading and installing - Bisq Wiki
Twitter and the release notes announce that change, but no, the old key has not signed the new one; they’re different owners.

Looks like the wiki is missing some info, quote:
" which you can verify through commits on GitHub and []."

What’s in the box?!?!

Thanks, I’ve just fixed it. You could see ripcurlx key on keybase, but Bisq does not use Keybase anymore.

Yes, and different owners can sign each others’ keys. That is the proper procedure when changing a signing key. The former maintainer signs the new maintainer’s key.

It really does not help that it is in the release notes obviously, because anyone who could compromise the binary could compromise the release notes (they are in the same infrastructure).

This is really a basic verification process error here. Of course it does not mean there is a problem, but the point of using GPG is to ensure there is not one, and Bisq is not following the procedures that make this verifiable.

1 Like

I just signed and published both new signer keys.

1 Like

Is the new PGP signing key and public key up in the download section? Because I tried uploading the public key yesterday and it was the same one that I’ve had for years.

Hey there!

Following your (updated?) link to verify the installer, the wiki states:

Bisq installer files are currently built and signed by Alejandro Garcia (alejandrogarcia83). His public key ID is E222AA02 and fingerprint is B493 3191 06CC 3D1F 252E 19CB F806 F422 E222 AA02, which you can verify through commits on GitHub.

However, the latest commits by user “alejandrogarcia83” on GitHub were signed with GPG key ID: 4AEE18F83AFDEB23; not »E222AA02«.

What am I missing?

2 Likes

bisq.network key has not been uploaded yet.

@till I’m asking why last commit’s key is different.

1 Like

Copying the reply I got from Bisq 2 repo maintainer:

That’s normal. It’s GitHub’s PGP key. Look at the Bisq 2 repo commits (Commits · bisq-network/bisq2 · GitHub). When I merge PRs using the “GitHub UI” GitHub will sign the “merge commit”.

Thanks for taking care of it, @MnM !

Let me get this straight:

In the Bisq repository, I find commits from user “alejandrogarcia83” with two different signatures:

  1. his personal GPG signature: used when he does “classic” work (e.g. remote work using git push)
  2. any GitHub GPG signature: used when he works via the GitHub WebGUI.

This is not obvious to me as a user (and thus possibly to others) without explanation and leads to confusion in key verification. Is there a better way to do this?

1 Like

From the reply I got, it seems there is no better way to do it. If at least one of the keys signed commits, and the web gives you that key, it seems enough.
But I understand it’s confusing. I’ll wait, though, to see if other people complain about this to see if something else is necessary.

1 Like

There is a long-established way of handling exactly this sort of thing, and Bisq isn’t doing it. Why even use signing keys if you’re not going to use them in the proper way?

I actually forget the original situation here, but if there are two keys then each of those keys should have signed each other and uploaded the new keys to the keyserver so everyone can verify that each signer knows the other.

If there is a new key, all former signing keys need to sign the new key, and upload all to the keyservers.

Also, the website should explain this situation. It is not acceptable to have a website say one thing, but the actual keys say something different.

This is basic keysigning procedure. Like I said, I don’t remember what this situation is, but what I’ve just laid out is keysigning 101 and should cover most situations.

To skip this basic security function for a piece of software that uses Tor and handles private data should be a huge red flag for anyone considering using Bisq. We’re not talking about anything special here, just basic keysigning/validation rules.

1 Like
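The transition the two posts above describe (former signer certifies the new key, everything goes to a keyserver, users check that the certification is there), as an added example that is not Bisq’s own tooling. It assumes gpg 2.1 or later on PATH; the three identities are constructed placeholders, and the "rogue" key stands in for a new key nobody certified, which is the case this thread is about.

```shell
#!/bin/sh
# Added example: a signing-key transition done with ephemeral keys in a
# throwaway GNUPGHOME, plus the check a downloader would run against it.
set -eu
export GNUPGHOME="$(mktemp -d)"
trap 'gpgconf --kill gpg-agent 2>/dev/null; rm -rf "$GNUPGHOME"' EXIT

# Unattended gpg: no pinentry, empty passphrase (test keys only).
gpgb() { gpg --batch --yes --no-tty --pinentry-mode loopback --passphrase '' "$@"; }

# Create a key for a user id and print its primary fingerprint.
make_key() {
    gpgb --quick-generate-key "$1" default default never >/dev/null 2>&1
    gpgb --with-colons --list-keys "$1" | awk -F: '$1=="fpr"{print $10; exit}'
}

OLD=$(make_key "Old Maintainer <old@example.invalid>")      # constructed
NEW=$(make_key "New Maintainer <new@example.invalid>")      # constructed
ROGUE=$(make_key "Uncertified Key <rogue@example.invalid>") # constructed

# Maintainer side: the former signing key certifies the new key. In a real
# transition the certified key is then exported and pushed to a keyserver:
#   gpg --export NEW_FPR > new-signed.asc ; gpg --send-keys NEW_FPR
gpgb --local-user "$OLD" --quick-sign-key "$NEW" >/dev/null 2>&1

# User side: does new_fpr carry a good ("!") certification whose signing
# key id is the old key?  The long key id is the last 16 hex digits of
# the fingerprint, which is what --check-sigs reports in field 5.
verify_transition() {
    old_id=$(printf '%s' "$1" | tail -c 16)
    gpgb --with-colons --check-sigs "$2" 2>/dev/null \
      | awk -F: -v id="$old_id" '$1=="sig" && $2=="!" && $5==id {ok=1} END{exit !ok}'
}

if verify_transition "$OLD" "$NEW"; then
    echo "new key is certified by the old key: accept"
fi
if verify_transition "$OLD" "$ROGUE"; then
    echo "unexpected: uncertified key passed"
else
    echo "uncertified key carries no signature from the old key: reject"
fi
```

Self-signatures also appear as `sig` records, so the check matches on the old key id rather than on "any signature present".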

see if other people complain about this

Reporting in! I suspect most downloaders don’t attempt to verify both the installer and the git repo. I did and had no problem with the installer. But I found this ticket after failing to verify a bisq commit. I saw “Can’t check signature: No public key”. Quite the heart-sinker.

It’s unclear to me what I’m supposed to do at this point. I hope this will be improved, please?

1 Like

In your case, you are expected to download the new key. The problem is that the new key is not signed with the old key. It would take the devs about 45 seconds to do this; it’s standard procedure when dealing with multiple keys, it’s really basic basic security. There is no excuse for them to ignore it, and if we’re being technical, this has all the tell-tale signs of a hack on the software, even though the other possibility is what I suspect: that they just don’t care about the user base.

Hi @noremote! I already pushed the signed key to a public key server. I’ve attached the signed pub key here as well. I hope that solves your issue.


Best,

Christoph