Update 4 about Bisq Exploit response

During final preparations to release the new Bisq1 version, some unforeseen issues have caused a minor delay, approximately 1 day from the original timeline.

On the bright side, these developments have prompted the team to include a native aarch64 build alongside the usual amd64 packages. Preliminary tests show that this version, which doesn’t require Rosetta on Apple Silicon devices, runs noticeably faster than the amd64 version running under Rosetta.

The overall testing phase is now in its final stage.

That’s great news!. I’m just learning about this compromise now. As a forensic security professional for more then 20 years, I have some concerns about this new release. Particularly the way you dismissed the concerns about the signing key in some of the other threads. @hardhatarea’s concerns were (almost) 100% correct, and your reply about trust suggested a misunderstanding about how the PGP cryptographic web-of-trust functions. Are you, yourself, able to create PGP keys and use them to sign other keys, and files? If not, then with all respect, you’re not qualified to comment on the (cryptographic) trust of the releases.

The concern is not a PR matter, and it has nothing to do with how much trust you personally have in one developer or another. The cryptographic web-of-trust has certain rigorous standards to adhere to to maintain trust in a release. That’s why we use it to validate software.

For those who don’t understand: when a private key is used to sign a release, it indicates that the holder of that private key has taken responsibility for the release being a good release. There are clear standards and precedents to use when a developer leaves, to maintain this web-of-trust as the project passes to a new developer who has a different private key. (Those standards were not addressed in your comment about Henrik’s key being used instead of Alejandro’s.)

If a different key is used to sign a new release, without these cryptographically rigorous processes, then it raises the question of why wasn’t the original developer part of this new release? Simply posting on a forum that you trust the new dev team is not cryptographically rigorous, and cryptographic rigor is the only way for the wider community to trust the release. That’s why we use PGP.

All of this feels worryingly familiar. It reminds me of many years ago when TrueCrypt came out with a new release, but it was quite obvious that it had been compromised so the project ended there. It also reminds me of when PIA VPN’s warrant canary disappeared. The PR team said it’s nothing to worry about but that is what they would say if the project had been compromised.

It also reminds me of when the OTR messaging protocol disappeared, shortly after a leak showed that it was one of the two protocols (PGP being the other) that was giving the NSA a hard time. The code couldn’t be cracked, and suddenly the project’s website said that people should start using a different protocol (OMEMO). But the keys that had been used to sign OTR weren’t used for OMEMO, so it was pretty clearly a takeover of the project.

I’m not saying that is what’s happening here. But it certainly could be, and the best way to make it clear that hasn’t happened, is for Alejandro to use the same key he used to sign the previous releases, to sign the new release. Otherwise, you have to wonder why the dev team got switched around just at this moment.

It’s even more worrying, since there is major crypto legislation in the USA right now (the Clarity Act) and I’ve been following this more closely than the Bisq exploit. I don’t want to make any public guesses, but if you read the above (about OTR etc.) and look at the timing of the Bisq exploit, it raises serious questions and the pattern feels a little familiar.

If you continue to treat this like a Public Relations issue, and try to “handle” the people who bring the concerns up, these questions will never go away. The only correct way to address them is with technically rigorous proof that the project is under the same development team - and because the Bisq project has previously chosen to use Alejandros’s PGP key to validate releases, technical rigor now can only be satisfied if Alejandro uses the exact same key to sign the new release.

Please take this seriously. It would be awful if Bisq had been taken over. It would be worse if trust in Bisq vanishes because you’re not taking it seriously.

Context to the binary signing process used for that release:

Alejandro García (key ID E222AA02) built all binaries except the new aarch64 macOS target, as he does not yet have a VM configured for it. Therefore, Henrik Jannsen (key ID 387C8307) provided the aarch64 macOS binary and signed the binaries he received from Alejandro.

Our in-app verification tool does not currently support mixed keys or signatures. It reads the key ID specified in signingkey.asc and applies it uniformly to all binaries. For this reason, Henrik re-signed all binaries using his own key so that the verification process remains consistent and compatible with the current implementation.

Please note that both Alejandro García and Henrik Jannsen are official release managers for Bisq 1 and Bisq 2. Their public keys have been included in the source code for a long time and are distributed with the application to enable independent key verification and cross-checking.

The partial_signatures_by_E222AA02.zip contains the original signatures provided by Alejandro. Users can use those to verify the binaries (except aarch64 macOS) using key E222AA02.

Relevant references:

• github.com/bisq-network/bisq/tree/master/desktop/src/main/resources/keys
• https://bisq.network/pubkey/E222AA02.asc
• https://bisq.network/pubkey/387C8307.asc

The release process will be further improved in the next version through the introduction of reproducible builds.

I added that note to the release page and the partial_signatures_by_E222AA02.zip file to the assets. Hope that explains and resolves the confusion.

Thanks @noremote for this analysis. I’m curious if @HenrikJannsen ‘s reply addresses your concerns?

I’m not very informed about security, and I have only used Bisq once before. But I am a maintaner and forum moderator of a (completely unrelated) open-source project, and it was a major red flag to see that user hardhatarea was suspended for asking questions. As a non-expert, I rely on an assumption that the open-source community around a project like this is ensuring its security. Seeing that discussion be suppressed elevated my suspicion from curiosity to distrust.

When I installed an older version of Bisq last year, I verified it with Alejandro’s key (I only know this because it is saved in my gpg). I don’t think I have a way to know that Henrik’s key has been trusted in the past, or should be trusted now (other than being told it on a forum, which does not seem very secure). Given @HenrikJannsen’s explanation, it is still unclear to me why the signer needed to change, especially in light of the questions previously raised on the forum about this. Couldn’t Alejandro have gotten the binaries from Henrik and signed them instead?

I apologize for my relative ignorance of cryptographic security, but I assume there are other users like me who would benefit from a dumbed down explanation. Is there any cryptographically secure way for me to know that the aarch64 mac binaries were released by the same developers as the version I used last year? Unfortunately I think I will have to look for a different exchange until my perception of the community trust around Bisq goes back up.

Hi, thanks for replying. This is an important issue, and your reply makes a huge difference. I’m going to quote from your reply, and then respond to that.

Therefore, Henrik Jannsen (key ID 387C8307) provided the aarch64 macOS binary and signed the binaries he received from Alejandro.

Thank you for explaining, and this seems plausible, but it’s no substitute for proper key signing. The problem is that Henrik Jannsen’s key is not on the download page, has never been on the downloads page, and may or may not even be signed by Alejandro’s key. Also, the key that is on the download page (Alejandro’s key) is not the one used to sign the releases. (Also the version of Alejandro’s key that is on the download page actually expired in 2024, and although I know that it was updated, the updated version was not shared on the download page.)

Their public keys have been included in the source code for a long time and are distributed with the application to enable independent key verification and cross-checking.

The only key on the website is Alejandro’s. Also, have Alejandro and Henrik signed each others’ keys? If so, this would go a long way to easing my concerns. If they haven’t, then there’s no web of trust between those keys. Fortunately, this can still be rectified if they sign each others’ keys now and if they post the updated keys on the downloads page. (The reason this is secure, to anyone reading who is not expert with PGP, is because so long as the private keys have not changed, and at least Alejandro’s has not, then even if the signatures come after the face, that’s still rigorous proof that these two individuals trust each others’ keys.)

The partial_signatures_by_E222AA02.zip contains the original signatures provided by Alejandro. Users can use those to verify the binaries (except aarch64 macOS) using key E222AA02.

This sounds correct, but I do not see this file on the downloads page.

We seem to have a disconnect regarding which keys, files, and signatures are available. Please see the attached screenshot.

Bisq1.10Alejandro1053×681 64.7 KB

There is no “partial_signatures_by_E222AA02.zip” file on the page. However, if you would be willing to provide this file, and if this file contains the SHA or other hashes for the downloadable files, and this file is also signed by Alejandro, then - problem solved! Could you please make this file available? If it is as you describe, it would solve everything.

I also strongly request that Henrik and Alejandro sign each others’ keys, and share the updated keys on the download site.

Thank you again for replying. I think this is great progress and I look forward to your reply.

If a file which contains the SHA512sum (or similar) hashes for the new (v1.10.0) files is released, and if Alejandro signs this file that contains the signatures, that would suffice.

Also, if Alejandro signs Henrik’s key (and vice versa, just to be safe), that would be pretty darned good proof we can trust Henrik’s key. But the first option, above (which @HenrikJannsen seems to hint at in his reply) would be equivalent to Alejandro actually signing each individual file, as he has for previous versions. (Actually they should both sign that file, but it is Alejandro’s signature which matters at the moment, because he has signed recent releases..)

This is intended as my last reply on this matter, and I’d like the flare-up to stop altogether.

Henrik has been a key Bisq contributor since late 2022, and Bisq wouldn’t even be here without his contributions, as can be verified on public GitHub pages.

User “purplemonstera”, who created his account right before publishing his post, stated that “hardheadarea” was suspended for asking questions. Public posts show this is false, as the suspension was due to repeated combative behavior toward staff and ignoring their guidance.

He also stated that Alejandro did not receive or sign the binaries, ignoring Henrik’s reply above his own, sharing a link to all binaries except the aarch64 build that Alejandro had also signed. If he doesn’t trust the aarch64 binaries, he can use the amd64 ones under Rosetta, as he must have been doing until 1.9.22.

Alejandro’s signature of Henrik’s key should be published soon.

With regards to the binaries signed by Alejandro, those can be downloaded from the GitHub release page for version 1.10.

That’s fine. Your keys are not part of the discussion. This thread is basically a good conversation between @HenrikJannsen and myself, which is nearing fruition and I’m sure shall remain perfectly civil.

That is wonderful news! Will there be an announcement on the forum, or will it be on the https://bisq.downloads page, or somewhere else? Cryptographically, it does not matter where it is published.