github bisq-network/bisq2 v2.1.11
on GitHub

pre-release3 hours ago

Release notes

Security And Release Integrity

  • Dependency verification is much stricter: checksum-only artifacts are gated, verification metadata XML parsing is hardened, source artifacts are covered, and executable protobuf tool classifiers are pinned explicitly for Windows, Linux, macOS Intel, and macOS Apple Silicon.
  • Release signing readiness was hardened with expected signer checks, signing fingerprint enforcement, and release asset coverage checks.
  • Gradle wrapper verification, dependency signature policy checks, an isolated CVE scan tool, and pinned composite-build environments now run through the release/check workflow.
  • GitHub Actions workflows were hardened, archived build actions were replaced, and Apple Silicon macOS CI coverage was added.
  • Update signature verification now checks each key source, and launcher update JAR loading is disabled.

Trading, Accounts, And User Flows

  • Bisq Easy offer amount constraints are enforced.
  • REST take-offer amount handling now uses the quote currency.
  • QR-code text output was added for pairing codes.
  • Contacts wording/style was improved and the contact-list auto-popup was removed.

Notifications, Webcam, And IPC

  • Relay push notifications gained mutable-content support and optional iOS-compatible symmetric encryption.
  • Relay notification encoding was normalized to base64 and migrated to the newer relay API.
  • Confidential message keys are bound to keys in payload if present.
  • Webcam launch and IPC handling are more defensive: webcam JARs are verified before launch, IPC messages are authenticated, failure handling is hardened, and native webcam resources are closed on capture exit.

Runtime, Dependencies, And Packaging

  • The release version is 2.1.11.
  • The Java toolchain is updated to Zulu 21.0.11, with OpenJFX runtime 21.0.11.
  • Core runtime and build dependencies were refreshed, including gRPC, Bouncy Castle, HttpClient5, Logback, Jackson, JNA, Lombok, JUnit, Mockito, I2P, JavaCV, OpenJFX, Jersey, OkHttp, Swagger Core, and other libraries.
  • Tor was updated, macOS aarch64 support was added, embedded Tor process handling was improved, and inherited LD_PRELOAD is cleared for embedded Tor and installer tests.
  • Local Tor helper modules were added for jsocks and jtorctl, replacing external helper usage.
  • Dependency signature reporting and release-readiness docs were expanded.

Note that there is an issue with the download target for Bisq-2.1.11.dmg now that both Intel and Apple Silicon macOS are supported.
To ensure that in-app updates work correctly for Apple Silicon users, we uploaded a copy of Bisq-aarch64-2.1.11.dmg under the filename Bisq-2.1.11.dmg.
As a result, users on Intel-based macOS may currently receive an incompatible version through the in-app download process and will need to download the correct Intel build manually.
We decided to address this issue in the next release rather than delay this security-relevant release.

Installation

macOS

Bisq does not use Apple's notarization process (see why).
For that reason you will see that (misleading) alert:

Grant permissions by:

  • run sudo xattr -rd com.apple.quarantine /Applications/Bisq2.app in a terminal (type Terminal in the Apple search box)
  • open Bisq2 again

More details can be found here.

Windows

For similar reasons you will get that warning at Windows: Windows protected your PC

  • Click the More info button when prompted
  • Click the Run anyway button when prompted

More details can be found here.

Verify download

See the verification and installation instructions in the Bisq Wiki.

Check out latest releases or
releases around bisq-network/bisq2 v2.1.11

Don't miss a new bisq2 release

NewReleases is sending notifications on new releases.

Get notifications