As probable fire put it: "BitSigner is an open-source and offline multi-sig signing Javascript application based off of the popular Coinb.in"
I am quite fluent in JavaScript and Bitcoin, so I thought I would go through BitSigner's code to look for vulnerabilities and/or backdoors of any kind. Here is what I found:
There weren't many things I found that looked fishy, so I'll list those first.
On line 3 of coinbin.js it checks for an internet connection, but probable fire says it is only there to warn users if they are connected, and it looks like he is telling the truth.
It reloads the page on line 194, but probable fire says it is only there to purge JavaScript variables, which makes sense.
There were some references to a few clearnet things, including a Google API on line 182 of coinbin.js, but I think that is just some leftover code from the original Coinb.in. (I couldn't find any other references to Google in any of the code.)
Is it safe? From what I can see, yes, it is safe, as long as you download it over HTTPS. If you don't trust HTTPS, you can also use md5sum to validate it (probable fire has a PGP-signed message with the md5sums on the release page). But if you use it offline there is zero chance you can be de-anonymized, even if it is a fake version. Also, there were no backdoors of any kind that I could see. This includes auto-updating (there is none).
When I contacted the admin (probable fire) about auditing the app, he gave me some test multisig transactions, and I have to say it makes the vendor's job a whole lot easier. I was able to verify and sign 10 transactions in only a couple of minutes.
Disclaimer: I am not a professional auditor. Someone else should probably audit this app too, because I might have missed something.
I'm going to say having users use an offline tool supplied by the market is setting the bar higher than multisig already puts it, no less in a language that is infamous for fucking over the anonymity of Tor users. Their multisig is going to have to work with already trusted tools, so Electrum, or a plugin for Electrum, like how tmp did it. The user shulginscat just made one for BB's multisig; maybe it will work for this site too?
https://www.reddit.com/r/DarkNetMarkets/comments/318fo3/announcement_blackbank_multisig_plugin_for/