Yup, it's true. Bunker has to be able to decrypt the key in order to sign with it. The user provides a password that is used to encrypt at rest, but when the key is needed for signing, the Bunker has to decrypt it (with the password you provide). The key is used and then re-encrypted. This is why it's important that the code for something like Nsecbunker is open and (ideally) it would be verifiable that a bunker service is running the exact same code, so you know they haven't done anything fishy.