Verifying the BitBoxApp APK signature is an advanced security practice to ensure the file you downloaded is authentic and unaltered. This guide is for users who want to perform the verification directly on their Android device.

If you have a desktop computer, it may be easier to perform the verification there by downloading the .apk and .apk.asc files and following our Linux guide.

 

Prerequisites: Set up Termux and GPG

We will use the Termux terminal emulator to run the verification commands.

  1. Install Termux: Get Termux from F-Droid or Google Play and open the app.
  2. Install GPG: In the Termux terminal, type the following command and press Enter.
     pkg install gnupg -y
  3. Install wget: This tool helps download files.
     pkg install wget -y
  4. Import the BitBox Signing Key: Run this command to download and import our public key.
     curl https://bitbox.swiss/download/shiftcryptosec-509249B068D215AE.gpg.asc | gpg --import
  5. The key fingerprint is DD09 E413 0975 0EBF AE0D EF63 5092 49B0 68D2 15AE.

Your environment is now ready. You will not have to repeat these prerequisite steps in the future.


Step 1: Download the app and signature

  1. We will download the files directly within Termux. First, get the latest download link from our GitHub release page.
  2. Replace the URL in the commands below with the latest version link. This example uses version 4.47.0.
  3. Download the APK file:
     wget https://github.com/BitBoxSwiss/bitbox-wallet-app/releases/download/v4.47.0/BitBox-4.47.0-android.apk
  4. Download the signature file:
     wget https://github.com/BitBoxSwiss/bitbox-wallet-app/releases/download/v4.47.0/BitBox-4.47.0-android.apk.asc
  5. Run ls to confirm both files are in the directory.

Step 2: Verify the application signature

Finally, run the gpg --verify command with the name of the .asc signature file.

gpg --verify BitBox-4.47.0-android.apk.asc

The command output should contain the following two things:

  1. The text gpg: Good signature from "ShiftCrypto Security <security@shiftcrypto.ch>".
  2. The primary key fingerprint: DD09 E413 0975 0EBF AE0D EF63 5092 49B0 68D2 15AE.

If both are present, the signature is valid. You can now locate the APK file in your device's file explorer (look for the Termux folder) and proceed with the installation.

Note: The warning “This key is not certified with a trusted signature” is normal and can be safely ignored.
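
The two checks from Step 2 can also be scripted so that neither is skipped by eye. The following is an added example, not part of the original guide or BitBox's own tooling: it reads gpg's machine-readable --status-fd output and accepts the file only when gpg reports a good signature and the primary key fingerprint equals the one printed above. The script name verify-apk.sh and the sample status lines are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: scripted form of the manual check in Step 2 of this guide.
# Fingerprint copied from the guide with the spaces removed.
EXPECTED_FPR="DD09E41309750EBFAE0DEF63509249B068D215AE"

# check_status: read `gpg --status-fd` lines on stdin; succeed only when gpg
# reports a good signature AND the primary key fingerprint is EXPECTED_FPR.
check_status() {
    awk -v want="$EXPECTED_FPR" '
        $1 != "[GNUPG:]" { next }
        $2 == "GOODSIG" { good = 1 }
        # The last VALIDSIG field is the primary key fingerprint.
        $2 == "VALIDSIG" && toupper($NF) == want { fpr_ok = 1 }
        # Bad, unverifiable, expired or revoked: never accept.
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        END { exit !(good && fpr_ok && !bad) }
    '
}

# verify_apk APK SIG: run gpg and pass its machine-readable status to check_status.
verify_apk() {
    gpg --status-fd 1 --verify "$2" "$1" 2>/dev/null | check_status
}

# Constructed sample of the status lines gpg emits for a good signature
# (dates and algorithm numbers are made up for illustration).
SAMPLE_STATUS="[GNUPG:] GOODSIG 509249B068D215AE ShiftCrypto Security <security@shiftcrypto.ch>
[GNUPG:] VALIDSIG $EXPECTED_FPR 2025-01-01 1735689600 0 4 0 1 10 00 $EXPECTED_FPR"

if [ "$#" -eq 2 ]; then
    # Real use: sh verify-apk.sh BitBox-4.47.0-android.apk BitBox-4.47.0-android.apk.asc
    if verify_apk "$1" "$2"; then
        echo "OK: good signature, fingerprint matches"
    else
        echo "FAILED: do not install $1" >&2
        exit 1
    fi
else
    # No arguments: offline self-check against the constructed sample.
    printf '%s\n' "$SAMPLE_STATUS" | check_status && echo "sample accepted"
fi
```

gpg prints "Good signature" for a valid signature from any key in the keyring, so the fingerprint comparison is what ties the file to the BitBox signing key.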