Bisq: Bisq requesting permissions for keystrokes on all apps [osx catalina]

When I first started bisq after upgrading to catalina, i got the following (disturbing) message:

Bisq would like to receive keystrokes from any application.

I hope this is just a bug, not a keylogger of some kind

Repro:
Install bisq on OSX 10.15, run it. Shows permission request

Expected:
There is no reason bisq would need this permission I can see, so the permission shouldnt be requested

No I don't know why Bisq would need this functionality. I guess this is something that needs to be configured for macOS 10.15 in the javapackager. Thanks for bringing this up! Would be great if someone picks up this issue and does further investigation how to prevent this unnecessary permission request.

Theres not much online (i looked) and im not a java person, but this project also had the same issue:
https://github.com/wesnoth/wesnoth/issues/4109

Theres also this bug in open JDK (not sure if you're using that or regular java) https://bugs.openjdk.java.net/browse/JDK-8231513

Now also this in SO
https://stackoverflow.com/questions/58094615/javafx-tornadofx-cause-keystroke-receiving-prompt-on-macos-10-15-catalina (upvoted)

When i searched it 20 mins ago there was less than 10 results now theres quite a few, im guessing its in a lib you are using.

This says the OpenJDK 11.0.4+11 packager will support hardening by default (which is a new catalina requirement) however I suspect it isn't the root cause of this. I think somewhere something is making a call to the wrong API, however updating the jdk version you use might correct this (looks like you are on 10 at the moment but there are some reasons you didnt upgrade yet from dev notes)
https://medium.com/adoptopenjdk/bundling-adoptopenjdk-into-a-notarized-macos-application-f4d69404afc

Yes, I hope there is a way to fix this without upgrading Java version as we are stuck at 10 because of the lack of javapacker support in newer versions. OpenJDK is working on it, but haven't finished it yet.

At the risk of piling on, this was very jarring for me to see, as I just installed and launched for the first time. I was about to submit the same issue when I found this one. Blocking the permission request is trivial, but I'd suggest that the reputational damage among non-technical users will be heavy.

At the risk of piling on, this was very jarring for me to see, as I just installed and launched for the first time. I was about to submit the same issue when I found this one. Blocking the permission request is trivial, but I'd suggest that the reputational damage among non-technical users will be heavy.

Yes this is something I'll focus now, as the big v1.2 release with all its aftermath is finally over.

If it is the event tapping implementation of JavaFX we hopefully could get away with only updating the JavaFX libraries and not with the requirement to update to Java 11+

I was about to submit the same issue when I found this one: I confirm that such a message scares enough, LOL!

It is fixed but not released already in openjfx14, but that requires at least JDK 11+. We were stuck until recently to JDK 10 because of the lack of JavaPackager, but it seems that there is progress made https://bugs.openjdk.java.net/browse/JDK-8200758 as well.

That's really intimidating.
I've stopped and deleted it.

This is unacceptable

@ripcurlx Any update regarding JavaPackager?

Sorry I got irritated. A currency trading app should most definitely not give any impression that it's trying to steal all your secrets. I understand it's not the developers fault, but I've removed the app. Even though I declined permission for logging all my keystrokes(!), it still installed itself as an option in the privacy and security options, on osx, unchecked but still. Good luck, again sorry to have initially been rude.

@Brainfrazzle Its an OSX/Java issue, see discussion above.

So there is a workaround. Post-install you can remove the permission in your system settings. It doesn't actually use the permission, so it won't break the app.

@jobrienski Can you explain more in details (I don't have that OSX version installed).
@ripcurlx Maybe we can apply some workaround until the javapackager is available?

You go to "settings>security&privacy>Input Monitoring" and uncheck Bisq.app.

Added a PR to address the issue: https://github.com/bisq-network/bisq/pull/4464