Verifying the BitBoxApp checksum ensures that the file you downloaded is authentic and has not been modified during download.
This guide walks you through how to check the SHA-256 checksum on Windows, macOS, Linux, and Android — even if you have never used a terminal or command line before.
Checksum verification is recommended, but not required. Your BitBox02 remains secure even if your computer is compromised, as it never trusts the app.
For maximum security, never enter your recovery words on a computer — only on the BitBox02 itself.
Prerequisites
Before starting, make sure you have:
- Downloaded the latest version of the BitBoxApp from the official website: https://bitbox.swiss/download/
- Opened the download page and clicked Show checksums (below the download button) to view the official SHA-256 checksums.
- Saved the installer file locally on your device.

How to check the checksum
In all cases, you follow the same simple process:
- First, run a command
- Then, add your downloaded file to it
You do not need to modify or replace any part of the command.
Examples are only there to show how it should look.
Below are platform-specific instructions.
Goal: Compare the SHA-256 hash generated on your device with the checksum shown on the BitBox website.
Windows
- Open the Command Prompt
  - Press Windows + R, type cmd, and press Enter
- Type the following command and then add a space:
  certutil -hashfile
- Now add the file path of your downloaded file
  - You can do this in two ways:
    - Drag & drop: Drag the downloaded .exe file into the Command Prompt window
    - Copy & paste: Copy the full file path and paste it after the command
- Add a space, then type:
  SHA256
➡️ Example (for illustration only):
certutil -hashfile "C:\Users\YourName\Downloads\BitBox-installer.exe" SHA256
- Press Enter.
- Compare the displayed hash with the checksum shown on the BitBox website.
Note
- You must explicitly type SHA256
- Otherwise, Windows will use a different algorithm and the checksum will not match
macOS
- Open the Terminal
  - Use Spotlight (⌘ + Space) and search for “Terminal”
- Type the following command and then add a space:
  shasum -a 256
- Now add the file path of your downloaded file
  - Drag & drop: Drag the .dmg file into the Terminal window
  - Copy & paste: Copy the full file path and paste it after the command
➡️ Example (for illustration only):
shasum -a 256 /Users/satoshi/Downloads/BitBox-4.47.0-macOS.dmg
- Press Enter.
- Compare the displayed hash with the checksum shown on the BitBox website.
Important
- Verify the downloaded .dmg file
- Do not verify the app inside it
Note
- macOS already checks the app’s signature during installation
- If you trust this built-in protection, manual checksum verification is optional
Linux
On most Linux distributions, checksum verification works the same way.
- Open a terminal.
- Type the following command and then add a space:
  sha256sum
- Now add the file path of your downloaded file.
  - You can do this in two ways:
    - Drag & drop: Drag the file into the terminal window
    - Copy & paste: Copy the full file path and paste it after the command
➡️ Example (for illustration only):
sha256sum /home/user/Downloads/BitBox-4.47.0-x86_64.AppImage
- Press Enter.
- Compare the displayed hash with the checksum shown on the BitBox website.
Note
- You do not need to manually edit or insert a version number
- Simply use the file you downloaded
Alternative (if sha256sum is not available)
shasum -a 256
Then add the file path in the same way as described above.
Android
You can verify the BitBoxApp APK either on a desktop computer (using the steps above) or directly on your Android device using a hash verification app.
Recommended apps:
- DeadHash: F-Droid | Google Play
- Hash Droid: F-Droid | Google Play
Steps on Android:
- Open the verification app.
- Select SHA-256 as the algorithm.
- Choose the downloaded BitBox-4.xx.x-android.apk file.
- Compare the generated checksum with the official value on the BitBox website.
If the app requires manual input, copy the checksum directly from the download page.
We also provide signature files for Android releases on GitHub, which are best verified on a desktop device.
FAQ
What is the difference between a checksum and an app signature?
A checksum (SHA-256) verifies that the downloaded file is bit-for-bit identical to the file published on the BitBox website. It protects against accidental corruption or tampering during download.
An app signature, on the other hand, verifies who signed the software. It confirms that the application was cryptographically signed by BitBox and not by a third party. App signature verification uses tools such as GPG (GNU Privacy Guard) and checks a different cryptographic fingerprint than the SHA-256 checksum.
Both methods are complementary:
- Checksum → verifies file integrity
- Signature → verifies publisher authenticity
For detailed, step-by-step instructions on signature verification, see: Verify app signature
Do I need to verify the checksum to use the BitBoxApp safely?
Checksum verification is recommended but not mandatory. Even if a compromised app were used, the BitBox02 hardware wallet does not trust the computer and will not expose your recovery words or private keys.
Which file should I verify?
Always verify the installer or AppImage file you downloaded, not the installed application or extracted contents.
What should I do if the checksum does not match?
Do not run the file. Delete it and download the BitBoxApp again from the official website. If the issue persists, contact BitBox support before proceeding.