Difference between revisions of "Downloading and installing"
Plebeian9000 (talk | contribs) m (Plebeian9000 moved page Download and install to Downloading and installing: use gerunds in title per style guide) |
(add images) |
||
| (44 intermediate revisions by 8 users not shown) | |||
| Line 1: | Line 1: | ||
| − | [ | + | To use Bisq, you must first '''[https://bisq.network/downloads/ download and install]''' it. Most exchanges are centralized exchanges running on servers controlled by the exchange. Bisq is decentralized, running only on the desktops of Bisq users. |
| − | + | Bisq manages offers to trade using a peer-to-peer network. This is a global network made of users who are also running Bisq on their own computers. | |
| − | + | Centralized services are easy to monitor, block, and shut down, while peer-to-peer networks like BitTorrent, Bitcoin and Bisq are difficult to surveil, censor, shut down or hack. | |
| − | + | All of this means that if you want to use the Bisq network, you must download and run the software on your own machine. | |
| − | |||
| − | All of this means that if you want to use the Bisq network, | ||
== Download Bisq == | == Download Bisq == | ||
| Line 14: | Line 12: | ||
There's also a community-maintained [https://snapcraft.io/bisq-desktop Snap package] for various Linux distributions. | There's also a community-maintained [https://snapcraft.io/bisq-desktop Snap package] for various Linux distributions. | ||
| + | |||
| + | {{Admonition_Note|See [[#OS-specific_install_notes|install notes for various Linux distributions below]].}} | ||
You can download the installer for your operating system and install Bisq right away, but we strongly recommend that you [[ #Verify installer file | verify the integrity ]] of your installer file first. | You can download the installer for your operating system and install Bisq right away, but we strongly recommend that you [[ #Verify installer file | verify the integrity ]] of your installer file first. | ||
| Line 21: | Line 21: | ||
== Verify installer file == | == Verify installer file == | ||
| − | + | === Bisq2 specific instructions === | |
| + | |||
| + | Bisq2 can be downloaded [https://bisq.network/downloads/ here]. Before installing software that manages your funds, you should always verify the installer has not been tampered with, to avoid the risk of losing funds due to a compromised download. | ||
| − | + | Usually, installation binaries are signed by Alejandro García (key ID: E222AA02, primary release manager). However, since this key has expired — and the expired key was included in previous versions of the Bisq2 app — the in-app verification process would fail when attempting to download version 2.1.2. To prevent this issue, the secondary release manager assumed responsibility for signing that release. The signingkey.asc file specifies the key used for signing the binaries. | |
| − | + | HenrikJannsen's signing key can be downloaded [https://bisq.network/pubkey/387C8307.asc here] (full fingerprint: B8A5 D214 ADFA A387 A14C 8BCF 02AA 2BAE 387C 8307). | |
| − | + | To import the key in Linux and MacOS: | |
| − | + | <nowiki>curl https://bisq.network/pubkey/387C8307.asc | gpg --import </nowiki> | |
| − | + | GPG will return "This key is not certified with a trusted signature!", this is normal (see https://serverfault.com/questions/569911/how-to-verify-an-imported-gpg-key for background information what it means) | |
| − | + | To verify the installer against the signature: | |
| − | + | <nowiki>gpg --digest-algo SHA256 --verify BINARY{.asc*,}</nowiki> | |
| − | + | Replace BINARY with the name of the file you downloaded. | |
| − | + | In Windows. you can import the key, and subsequently verify the installer, by using [https://www.gpg4win.org/download.html Kleopatra]. | |
| − | === | + | Any software that manages funds, signs transactions, and deals with highly sensitive data is a prime target for malware. Bisq does all three. Therefore, it is highly recommended that you verify the integrity of the installer file you use to install Bisq. |
| + | |||
| + | This verification is something that you should do for the initial Bisq install. After the initial install, you will be prompted to install updates through Bisq's interface. The Bisq software will verify the integrity of updates for you. | ||
| + | |||
| + | Bisq installer files are currently built and signed by Alejandro Garcia (alejandrogarcia83). His public key ID is <code>E222AA02</code> and fingerprint is <code>B493 3191 06CC 3D1F 252E 19CB F806 F422 E222 AA02</code>, which you can verify through [https://github.com/bisq-network/bisq/commits?author=alejandrogarcia83 commits on GitHub]. | ||
| + | |||
| + | The full public key is available [https://bisq.network/pubkey/E222AA02.asc here on the Bisq website]. | ||
| + | |||
| + | <span id="bisq-1-obtain-signature-files-for-installer-files"></span> | ||
| + | = Bisq 1: Obtain signature files for installer files = | ||
| + | |||
| + | All Bisq releases are cryptographically signed by its maintainer. Users can ensure that nobody tampered with the release by verifying its signatures. It’s recommended to download the GPG key from an independent keyserver (such as [https://keys.openpgp.org/ keys.openpgp.org] or [https://keyserver.ubuntu.com/ keyserver.ubuntu.com] to ensure that no adversary replaced the GPG keys and signatures on the release server. | ||
| + | |||
| + | Bisq 1 releases are signed either by Alejandro García (alejandrogarcia83) or Gabriel Bernard (gabernard). Here are the public key ids and fingerprints of both keys: | ||
| − | + | Alejandro García (public key id <code>0xF806F422E222AA02</code>): <code>B493 3191 06CC 3D1F 252E 19CB F806 F422 E222 AA02</code> Gabriel Bernard (public key id <code>0x6C8D14D84A133008</code>): <code>1655 3BA9 2694 95EE 53BB A33A 6C8D 14D8 4A13 3008</code> | |
| − | + | <span id="windows"></span> | |
| + | == Windows == | ||
| − | Download | + | <span id="download-and-install-gpg4win"></span> |
| + | === Download and install Gpg4win === | ||
| − | + | Windows does not come with GPG software installed by default, so you will need to install it in order to verify Bisq’s installer files. You can get Gpg4win [https://www.gpg4win.org/ here]. Double-click the installer file and proceed to install with all default settings. | |
| − | + | <span id="import-alejandro-garcías-key"></span> | |
| + | === Import Alejandro García’s key === | ||
| − | + | Open Kleopatra (part of Gpg4win) and click on “Lookup on Server”. | |
| − | + | [[File:Image_1.cleaned.png]] | |
| − | + | Next type into the search field <code>alejandro.garcia@disroot.org</code> and press on search. You’ll see the following output: | |
| − | + | [[File:Image 2.cleaned.png]] | |
| − | + | Press on “Details…” to see the key’s fingerprint and confirm that it is correct. | |
| − | + | [[File:Image 3.cleaned.png]] | |
| − | + | After verifying that the fingerprint is correct, press on “Close” and press on “Import” to import the key. | |
| − | + | <span id="verify-the-signature-of-the-binary-you-downloaded"></span> | |
| + | === Verify the signature of the binary you downloaded === | ||
| − | + | With the <code>install-file.exe</code> and <code>signature-file.exe.asc</code> in the same directory, double-click on the <code>.exe.asc</code> file. | |
| − | + | You should see a Kleopatra window pop up with a green progress bar that says “Verified .exe with .exe.asc”. The program will continue to say “The data could not be verified” in bold but you can disregard that message. | |
| − | + | This means the installer file we downloaded is intact and as intended. You can proceed to install Bisq by double-clicking the .exe file. | |
| − | + | <span id="mac-and-linux"></span> | |
| + | == Mac and Linux == | ||
| − | + | <span id="import-alejandro-garcías-key-1"></span> | |
| + | === Import Alejandro García’s key === | ||
| − | + | To import Alejandro García’s open a terminal and run: | |
| − | + | <pre>gpg --receive-keys 0xF806F422E222AA02</pre> | |
| + | Next you need to verify key’s fingerprint and tell GPG to trust the key. First run: | ||
| − | + | <pre>gpg --edit-key 0xF806F422E222AA02</pre> | |
| + | Then type: | ||
| − | + | <pre>fpr</pre> | |
| + | Now ensure that you see the same output as here: | ||
| − | + | <pre>gpg> fpr | |
| + | pub rsa4096/0xF806F422E222AA02 2022-09-28 Alejandro García <alejandro.garcia@disroot.org> | ||
| + | Primary key fingerprint: B493 3191 06CC 3D1F 252E 19CB F806 F422 E222 AA02</pre> | ||
| + | If the fingerprint matches you can trust the key. To trust the key type: | ||
| − | + | <pre>trust</pre> | |
| + | Now you’ll see following output: | ||
| − | + | <pre>gpg> trust | |
| − | + | pub rsa4096/0xF806F422E222AA02 | |
| − | + | created: 2022-09-28 expires: 2026-10-03 usage: SC | |
| − | + | trust: unknown validity: unknown | |
| + | sub rsa4096/0xE7F08D07C72561D0 | ||
| + | created: 2022-09-28 expires: 2026-10-03 usage: E | ||
| + | [ unknown] (1). Alejandro García <alejandro.garcia@disroot.org> | ||
| − | + | Please decide how far you trust this user to correctly verify other users' keys | |
| + | (by looking at passports, checking fingerprints from different sources, etc.) | ||
| − | '' | + | 1 = I don't know or won't say |
| + | 2 = I do NOT trust | ||
| + | 3 = I trust marginally | ||
| + | 4 = I trust fully | ||
| + | 5 = I trust ultimately | ||
| + | m = back to the main menu | ||
| − | + | Your decision?</pre> | |
| + | Type <code>5</code> to trust to the key and you’ll see following output: | ||
| − | + | <pre>Do you really want to set this key to ultimate trust? (y/N) </pre> | |
| + | Now type <code>y</code> to confirm. Now you can quit by typing <code>quit</code>. | ||
| − | + | <span id="verify-the-signature-of-the-binary-you-downloaded-1"></span> | |
| + | === Verify the signature of the binary you downloaded === | ||
| − | + | With the installer file and installer signature file in the same directory, run: | |
| − | + | <pre>gpg --verify INSTALLER.asc INSTALLER</pre> | |
| + | Where <code>INSTALLER.asc</code> is the filename of the <code>.asc</code> file you just downloaded. | ||
| − | + | You should see an output similar to this: | |
| − | + | <pre>gpg: Signature made Fri 22 Nov 2024 07:42:50 PM UTC | |
| + | gpg: using RSA key B493319106CC3D1F252E19CBF806F422E222AA02 | ||
| + | gpg: checking the trustdb | ||
| + | gpg: marginals needed: 3 completes needed: 1 trust model: pgp | ||
| + | gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u | ||
| + | gpg: next trustdb check due at 2026-10-03 | ||
| + | gpg: Good signature from "Alejandro García <alejandro.garcia@disroot.org>" [ultimate]</pre> | ||
| − | |||
== Build from source == | == Build from source == | ||
| − | [https://github.com/bisq-network/bisq/blob/master/docs/build.md Building Bisq from source] requires | + | [https://github.com/bisq-network/bisq/blob/master/docs/build.md Building Bisq from source] requires only a single command once you have the correct JDK installed on your machine. |
Finding and installing the correct JDK can sometimes be frustrating, so Bisq's developers have written scripts to make it easier: | Finding and installing the correct JDK can sometimes be frustrating, so Bisq's developers have written scripts to make it easier: | ||
| Line 125: | Line 171: | ||
== OS-specific install notes == | == OS-specific install notes == | ||
| + | |||
| + | === macOS === | ||
| + | |||
| + | Starting with version v1.9.6, we remove notarization from our build pipeline because of of the risk of Apple certification revocation (see https://github.com/bisq-network/bisq/discussions/6341). Unfortunately this will require extra steps when installing Bisq on macOS. | ||
| + | |||
| + | You will receive an error popup saying that Bisq ''is damaged and can't be opened. You should move it to the Trash''. | ||
| + | |||
| + | Please follow the guide at https://support.apple.com/en-us/HT202491 in the section ''If you want to open an app that hasn’t been notarized or is from an unidentified developer'' | ||
| + | |||
| + | If you are running already macOS Ventura (13.0+) you need to do following to be able to start Bisq: | ||
| + | * enter following command in Apple Terminal <code>sudo xattr -rd com.apple.quarantine /Applications/Bisq.app</code> | ||
| + | * hit enter and you will be prompted to enter your password to be able to execute the command as super user | ||
| + | |||
| + | After running this successfully you should be able to start Bisq as always. | ||
| + | |||
| + | If this procedure still does not allow you to install Bisq, a last resort workaround is to install Bisq in a Linux Virtual Machine running on your system. | ||
| + | |||
| + | === Windows === | ||
| + | |||
| + | Starting with version v1.9.6, we remove the developer code signing because of the same reason as with Apple. | ||
| + | |||
| + | For Windows you just have to ignore the warning after you have verified the installation file yourself and proceed with the installation. | ||
| + | |||
| + | === Linux (General) === | ||
| + | |||
| + | Bisq works with a number of Linux distros, but not all desktop environments are supported. | ||
| + | |||
| + | These are all known compatible desktop environments. This is a growing list. If you find another compatible desktop, please inform us so it can be added. | ||
| + | |||
| + | * GNOME | ||
| + | * Mate | ||
| + | * Xfce | ||
| + | * KDE Plasma | ||
| + | * Cinnamon | ||
| + | |||
| + | Bisq might not work properly if you switch from the original desktop environment of your Linux distribution to a different one. | ||
| + | |||
| + | Note: users with discrete GPUs may encounter issues launching Bisq in some desktop environments. | ||
=== Arch Linux === | === Arch Linux === | ||
| Line 132: | Line 216: | ||
# From the command line, clone the repository from AUR. | # From the command line, clone the repository from AUR. | ||
# Then from the cloned directory, run <code>makepkg -si</code>. This will read the PKGBUILD file to download, verify, build, and install the various tools necessary to install Bisq. | # Then from the cloned directory, run <code>makepkg -si</code>. This will read the PKGBUILD file to download, verify, build, and install the various tools necessary to install Bisq. | ||
| + | |||
| + | If the version found on AUR is not up to date, you can read [[Fix_Arch_release]]. | ||
Please be advised: when you're using AUR, you're responsible for your own safety. Be sure to verify the PKGBUILD file. | Please be advised: when you're using AUR, you're responsible for your own safety. Be sure to verify the PKGBUILD file. | ||
| + | |||
| + | === Gentoo === | ||
| + | |||
| + | Use <code>eselect repository enable booboo</code> to use the 'booboo' overlay which carries the binaries, and then emerge <code>bisq</code> | ||
| + | |||
| + | === Tails === | ||
| + | |||
| + | Please see [[Running Bisq on Tails]] for details on downloading, installing, and configuring Bisq on Tails. | ||
| + | |||
| + | === Qubes === | ||
| + | |||
| + | Please see [[Running Bisq on Qubes]] for a detailed Qubes setup guide. | ||
| + | |||
| + | == Update Bisq == | ||
| + | |||
| + | Installing a new Bisq version will update Bisq. More details at [[Updating Bisq]]. | ||
| + | |||
| + | |||
| + | [[Category:Use Cases]] | ||
Latest revision as of 08:45, 28 January 2025
To use Bisq, you must first download and install it. Most exchanges are centralized exchanges running on servers controlled by the exchange. Bisq is decentralized, running only on the desktops of Bisq users.
Bisq manages offers to trade using a peer-to-peer network. This is a global network made of users who are also running Bisq on their own computers.
Centralized services are easy to monitor, block, and shut down, while peer-to-peer networks like BitTorrent, Bitcoin and Bisq are difficult to surveil, censor, shut down or hack.
All of this means that if you want to use the Bisq network, you must download and run the software on your own machine.
Contents
Download Bisq
The most convenient way to install Bisq on your machine is from a pre-built install file from the Bisq website or latest GitHub release.
There's also a community-maintained Snap package for various Linux distributions.
 |
See install notes for various Linux distributions below. |
You can download the installer for your operating system and install Bisq right away, but we strongly recommend that you verify the integrity of your installer file first.
If you have issues, please check the Known issues with installation section in release notes.
Verify installer file
Bisq2 specific instructions
Bisq2 can be downloaded here. Before installing software that manages your funds, you should always verify the installer has not been tampered with, to avoid the risk of losing funds due to a compromised download.
Usually, installation binaries are signed by Alejandro García (key ID: E222AA02, primary release manager). However, since this key has expired — and the expired key was included in previous versions of the Bisq2 app — the in-app verification process would fail when attempting to download version 2.1.2. To prevent this issue, the secondary release manager assumed responsibility for signing that release. The signingkey.asc file specifies the key used for signing the binaries.
HenrikJannsen's signing key can be downloaded here (full fingerprint: B8A5 D214 ADFA A387 A14C 8BCF 02AA 2BAE 387C 8307).
To import the key in Linux and MacOS:
curl https://bisq.network/pubkey/387C8307.asc | gpg --import
GPG will return "This key is not certified with a trusted signature!", this is normal (see https://serverfault.com/questions/569911/how-to-verify-an-imported-gpg-key for background information what it means)
To verify the installer against the signature:
gpg --digest-algo SHA256 --verify BINARY{.asc*,}
Replace BINARY with the name of the file you downloaded.
In Windows. you can import the key, and subsequently verify the installer, by using Kleopatra.
Any software that manages funds, signs transactions, and deals with highly sensitive data is a prime target for malware. Bisq does all three. Therefore, it is highly recommended that you verify the integrity of the installer file you use to install Bisq.
This verification is something that you should do for the initial Bisq install. After the initial install, you will be prompted to install updates through Bisq's interface. The Bisq software will verify the integrity of updates for you.
Bisq installer files are currently built and signed by Alejandro Garcia (alejandrogarcia83). His public key ID is E222AA02 and fingerprint is B493 3191 06CC 3D1F 252E 19CB F806 F422 E222 AA02, which you can verify through commits on GitHub.
The full public key is available here on the Bisq website.
Bisq 1: Obtain signature files for installer files
All Bisq releases are cryptographically signed by its maintainer. Users can ensure that nobody tampered with the release by verifying its signatures. It’s recommended to download the GPG key from an independent keyserver (such as keys.openpgp.org or keyserver.ubuntu.com to ensure that no adversary replaced the GPG keys and signatures on the release server.
Bisq 1 releases are signed either by Alejandro García (alejandrogarcia83) or Gabriel Bernard (gabernard). Here are the public key ids and fingerprints of both keys:
Alejandro García (public key id 0xF806F422E222AA02): B493 3191 06CC 3D1F 252E 19CB F806 F422 E222 AA02 Gabriel Bernard (public key id 0x6C8D14D84A133008): 1655 3BA9 2694 95EE 53BB A33A 6C8D 14D8 4A13 3008
Windows
Download and install Gpg4win
Windows does not come with GPG software installed by default, so you will need to install it in order to verify Bisq’s installer files. You can get Gpg4win here. Double-click the installer file and proceed to install with all default settings.
Import Alejandro García’s key
Open Kleopatra (part of Gpg4win) and click on “Lookup on Server”.
Next type into the search field alejandro.garcia@disroot.org and press on search. You’ll see the following output:
Press on “Details…” to see the key’s fingerprint and confirm that it is correct.
After verifying that the fingerprint is correct, press on “Close” and press on “Import” to import the key.
Verify the signature of the binary you downloaded
With the install-file.exe and signature-file.exe.asc in the same directory, double-click on the .exe.asc file.
You should see a Kleopatra window pop up with a green progress bar that says “Verified .exe with .exe.asc”. The program will continue to say “The data could not be verified” in bold but you can disregard that message.
This means the installer file we downloaded is intact and as intended. You can proceed to install Bisq by double-clicking the .exe file.
Mac and Linux
Import Alejandro García’s key
To import Alejandro García’s open a terminal and run:
gpg --receive-keys 0xF806F422E222AA02
Next you need to verify key’s fingerprint and tell GPG to trust the key. First run:
gpg --edit-key 0xF806F422E222AA02
Then type:
fpr
Now ensure that you see the same output as here:
gpg> fpr pub rsa4096/0xF806F422E222AA02 2022-09-28 Alejandro García <alejandro.garcia@disroot.org> Primary key fingerprint: B493 3191 06CC 3D1F 252E 19CB F806 F422 E222 AA02
If the fingerprint matches you can trust the key. To trust the key type:
trust
Now you’ll see following output:
gpg> trust
pub rsa4096/0xF806F422E222AA02
created: 2022-09-28 expires: 2026-10-03 usage: SC
trust: unknown validity: unknown
sub rsa4096/0xE7F08D07C72561D0
created: 2022-09-28 expires: 2026-10-03 usage: E
[ unknown] (1). Alejandro García <alejandro.garcia@disroot.org>
Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)
1 = I don't know or won't say
2 = I do NOT trust
3 = I trust marginally
4 = I trust fully
5 = I trust ultimately
m = back to the main menu
Your decision?
Type 5 to trust to the key and you’ll see following output:
Do you really want to set this key to ultimate trust? (y/N)
Now type y to confirm. Now you can quit by typing quit.
Verify the signature of the binary you downloaded
With the installer file and installer signature file in the same directory, run:
gpg --verify INSTALLER.asc INSTALLER
Where INSTALLER.asc is the filename of the .asc file you just downloaded.
You should see an output similar to this:
gpg: Signature made Fri 22 Nov 2024 07:42:50 PM UTC gpg: using RSA key B493319106CC3D1F252E19CBF806F422E222AA02 gpg: checking the trustdb gpg: marginals needed: 3 completes needed: 1 trust model: pgp gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u gpg: next trustdb check due at 2026-10-03 gpg: Good signature from "Alejandro García <alejandro.garcia@disroot.org>" [ultimate]
Build from source
Building Bisq from source requires only a single command once you have the correct JDK installed on your machine.
Finding and installing the correct JDK can sometimes be frustrating, so Bisq's developers have written scripts to make it easier:
OS-specific install notes
macOS
Starting with version v1.9.6, we remove notarization from our build pipeline because of of the risk of Apple certification revocation (see https://github.com/bisq-network/bisq/discussions/6341). Unfortunately this will require extra steps when installing Bisq on macOS.
You will receive an error popup saying that Bisq is damaged and can't be opened. You should move it to the Trash.
Please follow the guide at https://support.apple.com/en-us/HT202491 in the section If you want to open an app that hasn’t been notarized or is from an unidentified developer
If you are running already macOS Ventura (13.0+) you need to do following to be able to start Bisq:
- enter following command in Apple Terminal
sudo xattr -rd com.apple.quarantine /Applications/Bisq.app - hit enter and you will be prompted to enter your password to be able to execute the command as super user
After running this successfully you should be able to start Bisq as always.
If this procedure still does not allow you to install Bisq, a last resort workaround is to install Bisq in a Linux Virtual Machine running on your system.
Windows
Starting with version v1.9.6, we remove the developer code signing because of the same reason as with Apple.
For Windows you just have to ignore the warning after you have verified the installation file yourself and proceed with the installation.
Linux (General)
Bisq works with a number of Linux distros, but not all desktop environments are supported.
These are all known compatible desktop environments. This is a growing list. If you find another compatible desktop, please inform us so it can be added.
- GNOME
- Mate
- Xfce
- KDE Plasma
- Cinnamon
Bisq might not work properly if you switch from the original desktop environment of your Linux distribution to a different one.
Note: users with discrete GPUs may encounter issues launching Bisq in some desktop environments.
Arch Linux
The Bisq downloads page includes a link to the Arch User Repository (AUR) page for the bisq package.
- From the command line, clone the repository from AUR.
- Then from the cloned directory, run
makepkg -si. This will read the PKGBUILD file to download, verify, build, and install the various tools necessary to install Bisq.
If the version found on AUR is not up to date, you can read Fix_Arch_release.
Please be advised: when you're using AUR, you're responsible for your own safety. Be sure to verify the PKGBUILD file.
Gentoo
Use eselect repository enable booboo to use the 'booboo' overlay which carries the binaries, and then emerge bisq
Tails
Please see Running Bisq on Tails for details on downloading, installing, and configuring Bisq on Tails.
Qubes
Please see Running Bisq on Qubes for a detailed Qubes setup guide.
Update Bisq
Installing a new Bisq version will update Bisq. More details at Updating Bisq.
