In-App Update Fails to Verify. Manual D/Load 0,8,0 Also Fails to Verify – No Public Key

[madranet]

[OSX 10,11,6]

It's been quite a while since I opened the app, so I'm on some version prior to 0,6,2 which is the version the app says it's going to update to, when I launch it:

It then proceeds to D/load 0,8,0...

But the D/load fails to verify...

So I then D/load manually and follow the instructions given to verify using pgp:

But that fails with a "No Public Key" error

> gpg --digest-algo SHA256 --verify Bisq-0.8.0.dmg{.asc*,}
gpg: Signature made Wed 22 Aug 11:50:08 2018 BST
gpg:                using RSA key CB36D7D2EBB2E35D9B75500BCD5DC1C529CDFD3B
gpg:                issuer "christoph.atteneder@gmail.com"
gpg: Can't check signature: No public key

[ghost]

Christoph's public key is available here:
https://hkps.pool.sks-keyservers.net/pks/lookup?search=christoph.atteneder%40gmail.com&fingerprint=on&op=index

[madranet]

Hmmm...

Not exactly confidence inspiring, given we're dealing with issues of trust & verification here.

EDIT: that server doesn't seem to be running on [or configured properly on] HTTPS. There's no auto redirect from HTTP to HTTPS when accessing it via http://pool.sks-keyservers.net

[madranet]

...and trying to import the key from the URL given in the docs says the signature is "Good" but then warns it's "not certified with a trusted signature!" Which may still mean it's OK –the fingerprints match– so maybe it's just like a self-signed cert warning on HTTPS? But it's certainly confusing for those of us [like me] who aren't that well up on the intricacies of PGP signatures, etc.

Do I trust it or not?

$>  curl https://bisq.network/pubkey/29CDFD3B.asc | gpg --import
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  3110  100  3110    0     0  10917      0 --:--:-- --:--:-- --:--:-- 10950
gpg: key CD5DC1C529CDFD3B: "Christoph Atteneder <christoph.atteneder@gmail.com>" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1
$>  gpg --verify Bisq-0.8.0.dmg{.asc*,}
gpg: Signature made Wed 22 Aug 11:50:08 2018 BST
gpg:                using RSA key CB36D7D2EBB2E35D9B75500BCD5DC1C529CDFD3B
gpg:                issuer "christoph.atteneder@gmail.com"
gpg: Good signature from "Christoph Atteneder <christoph.atteneder@gmail.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: CB36 D7D2 EBB2 E35D 9B75  500B CD5D C1C5 29CD FD3B

Oh. And BTW, the docs don't mention having to import the key first, at all. They just give that one-liner for verifying it.

[ripcurlx]

@madranet The problem in your case is, that my key was added to the Bisq client after version 0.6.2. That's the reason why you experienced the problem. You could download the version direct here from GitHub and verify the build again before installing it. Afterwards updates that are released by myself should work as expected.

[ripcurlx]

You find the url of the signing key in the description of the release.

Url of the signing key (Christoph Atteneder): https://bisq.network/pubkey/29CDFD3B.asc

[madranet]

You find the url of the signing key in the description of the release.

Url of the signing key (Christoph Atteneder): https://bisq.network/pubkey/29CDFD3B.asc

Yep. That's the one I used. See terminal output in my previous post. What I want to know now is, is it safe to ignore the:

gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.

warning that I got at the end?

[ripcurlx]

A "trusted signature" is a signature from a key that you trust, either because (a) you have personally verified that it belongs to the person to whom it claims to belong, or (b) because it has been signed by a key that you trust, possibly through a series of intermediate keys.

Do you get a different warning when you verified a build released and signed by @ManfredKarrer? I think Manfred signed my key publicly. So if you trust his key it also should put my key as trusted.

[madranet]

@ManfredKarrer's key seems to validate OK –apart from the [expected?] warning that it has expired.

$> curl https://bisq.network/pubkey/F379A1C6.asc | gpg --import
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  9903  100  9903    0     0  49284      0 --:--:-- --:--:-- --:--:-- 49515
gpg: key F5B84436F379A1C6: 10 signatures not checked due to missing keys
gpg: key F5B84436F379A1C6: public key "Manfred Karrer <manfred@bitsquare.io>" imported
gpg: Total number processed: 1
gpg:               imported: 1
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   2  signed:   1  trust: 0-, 0q, 0n, 0m, 0f, 2u
gpg: depth: 1  valid:   1  signed:   0  trust: 1-, 0q, 0n, 0m, 0f, 0u

$> gpg --verify Bisq-0.7.0.dmg{.asc*,}
gpg: Signature made Fri 11 May 18:53:50 2018 BST
gpg:                using RSA key 1DC3C8C4316A698AC494039CF5B84436F379A1C6
gpg:                issuer "manfred@bitsquare.io"
gpg: Good signature from "Manfred Karrer <manfred@bitsquare.io>" [expired]
gpg: Note: This key has expired!
Primary key fingerprint: 1DC3 C8C4 316A 698A C494  039C F5B8 4436 F379 A1C6

[ripcurlx]

I'll check with Manfred as soon as he is available again if he could sign my key also with his older expired one. Thanks for the report @madranet - shouldn't be too hard to solve from our side.

[madranet]

Well, I guess it's safe to trust the download this time. Given you're one of the maintainers of the repo. Thanks for your help.

[ripcurlx]

Could you try it with this one https://www.dropbox.com/s/v85qi6zxhq7feeu/29CDFD3B.asc
This should be signed by Manfred's key.

[madranet]

I still get the same error with that one:

$> gpg --import 29CDFD3B\ \(1\).asc
gpg: key CD5DC1C529CDFD3B: 1 signature not checked due to a missing key
gpg: key CD5DC1C529CDFD3B: "Christoph Atteneder <christoph.atteneder@gmail.com>" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1

$> gpg --verify Bisq-0.8.0.dmg{.asc*,}
gpg: Signature made Wed 22 Aug 11:50:08 2018 BST
gpg:                using RSA key CB36D7D2EBB2E35D9B75500BCD5DC1C529CDFD3B
gpg:                issuer "christoph.atteneder@gmail.com"
gpg: Good signature from "Christoph Atteneder <christoph.atteneder@gmail.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: CB36 D7D2 EBB2 E35D 9B75  500B CD5D C1C5 29CD FD3B

As I said previously, I'm not very au fait with gpg but the terminal output seems to suggest the new key is 'unchanged' from the previous one. Do I have to do something to discard the old one first, before importing the new one?

[ripcurlx]

What is printed if you enter gpg --list-sigs 29CDFD3B?

[madranet]

That gives me:

$> gpg --list-sigs 29CDFD3B
pub   rsa4096 2017-07-27 [SC] [expires: 2021-07-27]
      CB36D7D2EBB2E35D9B75500BCD5DC1C529CDFD3B
uid           [ unknown] Christoph Atteneder <christoph.atteneder@gmail.com>
sig          401250966A6B2C46 2018-08-24  [User ID not found]
sig          F5B84436F379A1C6 2018-08-24  Manfred Karrer <manfred@bitsquare.io>
sig 3        CD5DC1C529CDFD3B 2017-07-27  Christoph Atteneder <christoph.atteneder@gmail.com>
sub   rsa4096 2017-07-27 [E] [expires: 2021-07-27]
sig          CD5DC1C529CDFD3B 2017-07-27  Christoph Atteneder <christoph.atteneder@gmail.com>

[ripcurlx]

Hmm... That prints Manfreds key that was also used for signing the other build. Actually I thought this should work. I think we have to wait for @ManfredKarrer to clarify this. Unfortunately I'm not a hardcore gpg user myself.

[ManfredKarrer]

At version 0.6.2. Chrisophs gpg key was not added to the binary so that is why the verification fails from the in-app downloader.

Christophs key is here: https://github.com/bisq-network/bisq/releases/download/v0.8.0/29CDFD3B.asc
The key used for signing the binary is defined here: https://github.com/bisq-network/bisq/releases/download/v0.8.0/signingkey.asc (-> 29CDFD3B)

The gpg warning are unfortunately confusing. See: https://serverfault.com/questions/569911/how-to-verify-an-imported-gpg-key

Yes the instruction misses the importing of the key. I will add that.

As people should not install old versions I leave the expired key on Github. If I do a new release I will upload an updated key.

[madranet]

As people should not install old versions I leave the expired key on Github. If I do a new release I will upload an updated key

The problem was not caused initially by trying to install an old version per se, but by an already installed older version of the desktop app [0,6,x - with a cert signed by @ManfredKarrer] trying to update itself to a newer version [0,8,0 - with a cert signed by @ripcurlx].

Bit of an edge case, I'll grant you. But it did lead into a morass of confusion.