Testing for the new release has reached an advanced stage.
Current work is focused primarily on DAO sync stability, alongside finalizing a deterministic build, which are the main remaining tasks before release readiness.
There is still no official ETA, but the process is approaching its final stages.
Thank you for your hard work on this. Better to wait for a good solution than to rush an improper one.
Something I mentioned in another thread: when the new version does come out, please make 120% certain it is properly signed by the key you have used for recent releases:
```
B493319106CC3D1F252E19CBF806F422E222AA02
uid Alejandro García alejandro.garcia@disroot.org
sub rsa4096/0xE7F08D07C72561D0 2022-09-28 [E] [expires: 2026-10-03]
```
Some time ago, Bisq improperly managed a transition to a new key, and people still talk about the fact that this could indicate a compromise. After an exploit, it is even more important to use the same signing key, or any security professional would assume this is evidence Bisq has been compromised, (given exploit+new-key). So please please please use the key above to sign the release.
(And it would not hurt to fix the old, cryptographically unsound key swap from years ago.)
Thank you again for your hard work.
If Alejandro’s key will not work, Henrik’s will, so that is covered in any case 
Why would Alejandro’s key not work? This is the potential crisis I hope to see you guys avoid. Since only Alejandro’s key has been used for recent releases, switching to a different key is going to be an indication of a compromise. It’s not enough to have “some key” sign the release, it’s very important to have a consistent chain. If any key other than B493319106CC3D1F252E19CBF806F422E222AA02 signs the new release, it is 0.00% “covered”. That’s how PGP/GPG and trust works.
Releases are signed by one of the two release managers, and HenrikJannsen is a release manager.
Please stop spreading unfounded concerns.
No. You are avoiding the subject, and talking nonsense, in terms of verification/PGP/security. This concern is not unfounded, and the fact that you do not see it (or pretend not to) is even more concerning, like making excuses. The concern I raised is fundamental, and also completely unaddressed. If the release is not signed by the same key that signed the last several releases (which, again, is B493319106CC3D1F252E19CBF806F422E222AA02), then the concern is very well founded that the same team is not working on this fix.
This is very standard PGP security/verification, and Bisq has a history of making light of this, and it has already caused problems for the trust Bisq enjoys. For example you can see how the Whonix team responds to the previous gpg failure here: Bisq: The P2P Exchange Network
But this time when the exploit is so recent, if Bisq fails to use the proper key (which in this case is B493319106CC3D1F252E19CBF806F422E222AA02, not HenrikJannsen’s key, although it’s fine to also use that - provided it is signed by Alejandro’s key, above), after a big exploit, it would erode trust in Bisq. This is proper because you would be breaking the basic PGP verification principles at a moment of crisis, so what else should people think?
I will not focus on the issue of the message in Bisq regarding the new version, because (a) I address that in another thread (Bisq Exploit Update 2 - #11 by suddenwhipvapor) and (b) if the GPG key (B493319106CC3D1F252E19CBF806F422E222AA02) is used to sign the new version, we can have some confidence that the message was just poor phrasing in the heat of the moment. But if that key is not used, there should be no trust left in Bisq, considering the gravity of the exploit.
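The check the posts above keep coming back to is that a release signature is only meaningful if it was made by the key you already trust, not by any key gpg happens to report as "good". The following is an added example (not Bisq's own release tooling, and not code from anyone in this thread) of how a user can pin that expectation: it parses the machine-readable `[GNUPG:]` status lines that `gpg --verify --status-fd 1` prints and refuses to accept a signature unless the primary-key fingerprint in the `VALIDSIG` line equals the fingerprint quoted in the thread. The sample status lines, the placeholder fingerprint of all zeros and the `verify_with_gpg` helper's use of a local keyring are constructed assumptions for the example.

```python
import subprocess
from dataclasses import dataclass, field

# Fingerprint of the key that signed recent Bisq releases, as quoted in the thread.
EXPECTED_PRIMARY_FPR = "B493319106CC3D1F252E19CBF806F422E222AA02"

# Status tokens gpg emits on --status-fd that mean the signature must not be accepted
# (format documented in doc/DETAILS of the GnuPG source tree).
_BAD_TOKENS = {"BADSIG", "ERRSIG", "EXPKEYSIG", "REVKEYSIG", "EXPSIG", "NO_PUBKEY"}


@dataclass
class SigReport:
    goodsig: bool = False
    signer_uid: str = ""
    signing_fpr: str = ""   # key or subkey that actually made the signature
    primary_fpr: str = ""   # primary-key fingerprint, the last field of VALIDSIG
    problems: list = field(default_factory=list)


def parse_gpg_status(status_text: str) -> SigReport:
    """Extract GOODSIG / VALIDSIG / failure tokens from gpg --status-fd output."""
    report = SigReport()
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue          # human-readable chatter, not a status line
        fields = line.split()
        token = fields[1]
        if token == "GOODSIG":
            report.goodsig = True
            report.signer_uid = " ".join(fields[3:])
        elif token == "VALIDSIG":
            report.signing_fpr = fields[2].upper()
            report.primary_fpr = fields[-1].upper()
        elif token in _BAD_TOKENS:
            report.problems.append(token)
    return report


def check_release_signature(status_text: str, expected_primary: str = EXPECTED_PRIMARY_FPR):
    """Return (ok, reason). ok is True only when gpg reports a good, valid signature
    AND the primary-key fingerprint equals the pinned one. A 'good' signature from
    some other key in the keyring is rejected, which is the point of pinning."""
    expected = expected_primary.replace(" ", "").upper()
    report = parse_gpg_status(status_text)
    if report.problems:
        return False, "gpg reported: " + ", ".join(report.problems)
    if not (report.goodsig and report.primary_fpr):
        return False, "no GOODSIG/VALIDSIG in gpg status output"
    if report.primary_fpr != expected:
        return False, f"signed by {report.primary_fpr}, not pinned key {expected}"
    return True, f"good signature by pinned key ({report.signer_uid})"


def verify_with_gpg(sig_path: str, data_path: str, expected_primary: str = EXPECTED_PRIMARY_FPR):
    """Run the real gpg binary and apply the pinned-fingerprint check.
    Assumes gpg is installed and the expected public key is in the local keyring."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", sig_path, data_path],
        capture_output=True, text=True, check=False,
    )
    return check_release_signature(proc.stdout, expected_primary)


# Constructed sample status output (not captured from a real Bisq release):
# the pinned key made the signature.
SAMPLE_PINNED = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG F806F422E222AA02 Alejandro Garcia <alejandro.garcia@disroot.org>
[GNUPG:] VALIDSIG B493319106CC3D1F252E19CBF806F422E222AA02 2024-01-01 1704067200 0 4 0 1 10 00 B493319106CC3D1F252E19CBF806F422E222AA02
"""

# Constructed: gpg still says GOODSIG because the key is in the keyring, but the
# fingerprint (a placeholder of zeros) is not the pinned release key.
SAMPLE_OTHER_KEY = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0000000000000001 Placeholder Signer <placeholder@example.invalid>
[GNUPG:] VALIDSIG 0000000000000000000000000000000000000001 2024-01-01 1704067200 0 4 0 1 10 00 0000000000000000000000000000000000000001
"""

# Constructed: a corrupted or forged signature.
SAMPLE_BAD = "[GNUPG:] NEWSIG\n[GNUPG:] BADSIG F806F422E222AA02 Alejandro Garcia <alejandro.garcia@disroot.org>\n"


if __name__ == "__main__":
    for name, sample in [("pinned", SAMPLE_PINNED), ("other key", SAMPLE_OTHER_KEY), ("bad", SAMPLE_BAD)]:
        ok, reason = check_release_signature(sample)
        print(f"{name:10s} -> {'ACCEPT' if ok else 'REJECT'}: {reason}")
```

Pinning on the primary fingerprint (the last `VALIDSIG` field) rather than on the signing fingerprint lets the release manager rotate a signing subkey under the same primary key without breaking the check, while still rejecting a release signed by an entirely different key. If a project does move to a new primary key, the user updates the pinned value only after confirming out of band that the old key certified the new one.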
User suspended for combative behavior and failure to follow staff guidance.
Hi, I’m new. I’ve been using Bisq for a while now and I like it. I’m not trying to appear combative but I have to admit that I share some of hardheadarea’s concerns. They might have misread suddenwhipvapor’s statement in the same way I initially did: Instead of “If Alejandro’s key will not work, Henrik’s will” I was under the impression that Alejandro’s key will certainly not be used anymore. Multiple release managers with their own keys aren’t unheard of but like hardheadarea I’m used to consistent signing keys.
Should future releases not be signed by Alejandro, it would be reassuring to see the new key signed by Alejandro’s. If that’s not possible, an explanation why that is would be calming. If that has already been done I apologize and humbly ask for a link.
Thank you for your post, we actively want to address concerns and resolve doubts as that is the main way of gaining users’ trust.
We also expect that communication be kept in a civil, constructive and non-dismissive tone, and your post is an excellent example of that.
Henrik is a very active developer at Bisq, as is evident from the GitHub repository, and since PGP keys are based on trust (built on cryptographic verifiability, but still needing trust at their root) he is an inherently trusted signer, as a big part of the project relies on his contributions.
Nonetheless I will forward your concern to the team.