Verify the signature of the BitBoxApp installation file you downloaded before installing or running it. Signature verification confirms that the installation file was signed by Shift Crypto and has not been modified since it was signed.

Signature verification is optional and intended for advanced users who want an additional cryptographic verification before opening the downloaded installation file.


Before you begin

Before you verify the signature, make sure you have the downloaded BitBoxApp installation file, the matching signature file, and GPG installed on your device.

  • Download the BitBoxApp only from the official BitBoxApp download page or from the official BitBoxApp GitHub releases repository.
  • Download the BitBoxApp installation file for your operating system and the matching .asc signature file from the same BitBoxApp release. The installation file can be the Windows installer (.exe), macOS disk image (.dmg), Linux package (.deb or .rpm), AppImage, or Android APK. Throughout this article, these are collectively referred to as the installation file.
  • Save the installation file and the matching .asc signature file in the same folder.
Downloaded installation file

Verify the downloaded installation file, not the installed BitBoxApp or extracted contents. The .asc signature file must match the exact installation file you downloaded.


Checksum verification and signature verification

Checksum verification and signature verification are separate checks.

Checksum verification compares the SHA-256 checksum of your downloaded file with the checksum published by BitBox. It confirms that the downloaded file is bit-for-bit identical to the file published for that release.

Signature verification checks the installation file signature with the official Shift Crypto signing key. It confirms that the installation file was signed by Shift Crypto and was not changed after it was signed.

If you want the strongest manual verification, first verify the downloaded BitBoxApp installation file checksum (SHA-256), then verify the installation file signature with the steps below.


What signature verification confirms

Every BitBoxApp release includes a detached .asc signature file. GPG uses the signature file and the Shift Crypto public signing key to verify the downloaded installation file.

The official signing key uses the following identity and fingerprint:

  • Email: security@shiftcrypto.ch
  • Fingerprint: DD09 E413 0975 0EBF AE0D EF63 5092 49B0 68D2 15AE

Continue only if the fingerprint displayed by GPG exactly matches the official Shift Crypto fingerprint shown above.

Choose your operating system:


Verify the signature on Windows

On Windows, use Gpg4win and Command Prompt to verify the downloaded BitBoxApp installer.

  1. Install Gpg4win.
  2. Open Command Prompt: select Start, type cmd, then press Enter.
  3. Confirm that GPG is installed:
gpg --version
  4. Navigate to the folder where you saved the BitBoxApp installer and the matching .asc file. For example:
cd Downloads
  5. Import the Shift Crypto signing key:
curl -L https://bitbox.swiss/download/shiftcryptosec-509249B068D215AE.gpg.asc | gpg --import
  6. Verify the signature file. The filename depends on the BitBoxApp version you downloaded:
gpg --verify "BitBox-4.51.0-win64-installer.exe.asc"

You can also hold Shift, right-click the .asc file in File Explorer, select Copy as path, and paste the path into Command Prompt.


Verify the signature on macOS

On macOS, use Terminal and GPG to verify the downloaded BitBoxApp DMG file.

macOS notarization

The BitBoxApp is notarized by Apple. macOS performs its own checks when you open the app for the first time. Manual GPG signature verification is optional and mainly useful if you want an independent cryptographic check.

  1. Open Terminal by pressing Command + Space, typing Terminal, and pressing Enter.
  2. Install GPG. If you use Homebrew, run:
brew install gpg

You can also install GPG with GPG Suite.

  3. Confirm that GPG is installed:
gpg --version
  4. Navigate to the folder where you saved the BitBoxApp DMG file and the matching .asc file. For example:
cd ~/Downloads
  5. Import the Shift Crypto signing key:
curl -L https://bitbox.swiss/download/shiftcryptosec-509249B068D215AE.gpg.asc | gpg --import
  6. Verify the signature file. The filename depends on the BitBoxApp version you downloaded:
gpg --verify BitBox-4.51.0-macOS.dmg.asc

You can drag and drop the .asc file from Finder into the Terminal window to insert its full path.


Verify the signature on Linux

On Linux, use a terminal and GPG to verify the downloaded BitBoxApp installation file.

  1. Open a terminal. On many Linux desktops, press Ctrl + Alt + T. You can also open your app menu, search for Terminal, and open it from there.
  2. Confirm that GPG is installed:
gpg --version

If GPG is not installed, install it with your distribution's package manager. For example:

sudo apt install gnupg
sudo dnf install gnupg2
  3. Download the BitBoxApp installation file and matching signature file for your Linux distribution:
  • Debian, Ubuntu, or Linux Mint: .deb file and matching .deb.asc file.
  • Fedora: .rpm file and matching .rpm.asc file.
  • Other Linux distributions: .AppImage file and matching .AppImage.asc file.
  4. Navigate to the folder where you saved both files. For example:
cd ~/Downloads
  5. Import the Shift Crypto signing key:
curl -L https://bitbox.swiss/download/shiftcryptosec-509249B068D215AE.gpg.asc | gpg --import
  6. Verify the signature file. The filename depends on the BitBoxApp version and installation file type you downloaded:
gpg --verify bitbox_4.51.0_amd64.deb.asc

You can press Tab while typing the filename to autocomplete it. Make sure the filename ends with .asc.


Verify the signature on Android

You can verify the BitBoxApp APK on a desktop computer by downloading the APK and matching .apk.asc file, then using the Windows, macOS, or Linux steps above. You can also verify it directly on Android with Termux.

Direct verification on Android is intended for advanced users who are comfortable using a terminal app.

  1. Install Termux from F-Droid.
  2. Open Termux from your Android app drawer.
  3. Install GPG:
pkg install gnupg -y
  4. Install curl:
pkg install curl -y
  5. Import the Shift Crypto signing key:
curl -L https://bitbox.swiss/download/shiftcryptosec-509249B068D215AE.gpg.asc | gpg --import
  6. On the official BitBoxApp GitHub releases page, find the download links for the APK and the matching .apk.asc signature file.
  7. Download the APK file in Termux. Replace the URL below with the APK link:
curl -LO https://github.com/BitBoxSwiss/bitbox-wallet-app/releases/download/v4.51.0/BitBox-4.51.0-android.apk
  8. Download the matching signature file. Replace the URL below with the matching .apk.asc link:
curl -LO https://github.com/BitBoxSwiss/bitbox-wallet-app/releases/download/v4.51.0/BitBox-4.51.0-android.apk.asc
  9. Verify the signature file:
gpg --verify BitBox-4.51.0-android.apk.asc


Check the verification result

Successful verification should show a Good signature from ShiftCrypto Security and the expected signing-key fingerprint.

The output should include:

gpg: Good signature from "ShiftCrypto Security <security@shiftcrypto.ch>"

It should also show this primary key fingerprint:

DD09 E413 0975 0EBF AE0D EF63 5092 49B0 68D2 15AE

If both are present and the fingerprint matches exactly, the signature verification succeeded.

If GPG does not show the full fingerprint in the verification output, run:

gpg --fingerprint security@shiftcrypto.ch

Then verify that the displayed fingerprint exactly matches the official Shift Crypto fingerprint shown above.

Verification successful

If GPG reports a Good signature and the fingerprint matches the official Shift Crypto fingerprint exactly, the downloaded BitBoxApp installation file has been successfully verified.

Expected GPG trust warning

You may see a warning that says the key is not certified with a trusted signature. This is expected unless you have personally marked the key as trusted in your local GPG setup. The important checks are the good signature and the matching fingerprint.
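The two checks above (the imported key's fingerprint, and "Good signature" plus the matching fingerprint in the verification output) can be made mechanical. The following POSIX sh helper is an added example for this article, not a script from Shift Crypto or the BitBoxApp project: it parses GPG's machine-readable output (--with-colons and --status-fd) rather than its human-readable messages, compares the primary-key fingerprint against the official fingerprint from the article with the spaces removed, and treats the expected "not certified with a trusted signature" warning (TRUST_UNDEFINED) as acceptable. It assumes gpg is on PATH and that the signed file sits next to its .asc file with the same name minus the .asc suffix; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the BitBox article or the BitBoxApp project.
# Turns the manual "Good signature + matching fingerprint" check into a pass/fail
# result by parsing GPG's machine-readable output.
# Assumptions: gpg is on PATH; the signed file has the .asc file's name minus ".asc".

# Official Shift Crypto primary-key fingerprint from the article, spaces removed.
EXPECTED_FPR="DD09E41309750EBFAE0DEF63509249B068D215AE"

# key_fingerprint_ok: reads `gpg --with-colons --fingerprint <key>` output on stdin
# and succeeds only if the primary key's fingerprint equals EXPECTED_FPR.
# In --with-colons output the fingerprint is field 10 of an "fpr" record; the first
# fpr record after a "pub" record belongs to the primary key, later ones to subkeys.
key_fingerprint_ok() {
    awk -F: -v want="$EXPECTED_FPR" '
        $1 == "pub" { after_pub = 1; next }
        $1 == "fpr" && after_pub { if ($10 == want) ok = 1; after_pub = 0 }
        END { exit ok ? 0 : 1 }'
}

# status_ok: reads `gpg --status-fd 1 --verify` output on stdin and succeeds only if
# a VALIDSIG line names EXPECTED_FPR as the primary-key fingerprint (field 12, so a
# signature made by a subkey of that key is accepted) and no BADSIG, ERRSIG or
# NO_PUBKEY line appears. TRUST_UNDEFINED is ignored on purpose: that is the
# expected "not certified with a trusted signature" warning.
status_ok() {
    awk -v want="$EXPECTED_FPR" '
        $1 != "[GNUPG:]" { next }
        $2 == "VALIDSIG" && $12 == want { ok = 1 }
        $2 == "BADSIG" || $2 == "ERRSIG" || $2 == "NO_PUBKEY" { bad = 1 }
        END { exit (ok && !bad) ? 0 : 1 }'
}

# verify_release: $1 is the path to the .asc file. Prints VERIFIED or REJECTED and
# returns 0 or 1. gpg's normal messages still go to stderr so you can read them too.
verify_release() {
    asc="$1"
    target="${asc%.asc}"
    if gpg --status-fd 1 --verify "$asc" "$target" | status_ok; then
        echo "VERIFIED: $target"
        return 0
    fi
    echo "REJECTED: $target (bad signature, wrong key, or mismatched file)"
    return 1
}

# Example invocation with the Android filename from the article (adjust to your download):
# gpg --with-colons --fingerprint security@shiftcrypto.ch | key_fingerprint_ok && \
#     verify_release BitBox-4.51.0-android.apk.asc
```

Run the fingerprint check once right after the key import, then verify_release for each downloaded installation file; a non-zero exit means the same thing as a bad signature or mismatched fingerprint in the manual procedure, so do not open or install the file.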


If signature verification fails

Do not open, install, or run the downloaded installation file if GPG reports a bad signature, the fingerprint does not match, or the signature file does not match the installation file.

Download the installation file again

Delete the downloaded installation file and the matching signature file, then download both again from the official BitBoxApp download page or the official BitBoxApp GitHub releases repository.

If signature verification still fails after downloading the files again, contact BitBox Support through the official Support contact form before continuing.


FAQ

What is the difference between checksum and signature verification?

Checksum verification confirms that the downloaded file matches the file published by BitBox. It checks file integrity with a SHA-256 checksum.

Signature verification confirms who signed the installation file. It checks that the installation file was signed with the official Shift Crypto signing key and was not changed after signing.

Do I need to verify the signature to use the BitBoxApp?

No. Signature verification is optional. It is an advanced check for users who want additional confirmation before opening the downloaded BitBoxApp installation file.

Can I verify the BitBoxApp signature after installing the BitBoxApp?

No. Signature verification only confirms the authenticity of the downloaded BitBoxApp installation file. Verify the signature before opening or installing the BitBoxApp.

Which file should I verify?

Verify the downloaded BitBoxApp installation file using its matching .asc signature file. Depending on your operating system, this can be the Windows installer, macOS disk image, Linux package, AppImage, or Android APK.

Do not verify the installed BitBoxApp or extracted contents.

Where can I find the signature file?

You can find BitBoxApp installation files and their matching .asc signature files in the official BitBoxApp GitHub releases repository. Open the release that matches your BitBoxApp version, then expand Assets.

Why does GPG show a trust warning?

GPG may warn that the key is not certified with a trusted signature. This warning is expected when the Shift Crypto signing key has not been explicitly marked as trusted in your local GPG keyring. Continue only if GPG shows a good signature and the fingerprint matches the official Shift Crypto signing-key fingerprint exactly.

What should I do if the signature is bad or the fingerprint does not match?

Do not open, install, or run the file. Delete the downloaded installation file and matching signature file, then download both again from the official BitBoxApp download page or the official BitBoxApp GitHub releases repository. If verification still fails, contact BitBox Support before continuing.