Verifying the BitBoxApp checksum ensures that the file you downloaded is authentic and has not been modified in transit. This guide explains how to check the SHA-256 checksum on Windows, macOS, Linux, and Android.

While checksum verification is recommended, your BitBox02 remains secure even if the computer is compromised, as it never trusts the app. For maximum security, never enter your recovery words on a computer—only on the BitBox02 itself.


Prerequisites

Before starting, make sure you have:

  • Downloaded the latest version of the BitBoxApp from the official website:
    https://bitbox.swiss/download/ 
  • Opened the download page and clicked Show checksums (below the download button) to view the official SHA-256 checksums.
  • Saved the installer file locally on your device.

How to check the checksum

Below are platform-specific instructions. The goal is always the same: compare the locally generated SHA-256 hash with the checksum shown on the BitBox website.


Windows

  1. Open the Command Prompt (press Windows + R, type cmd, and press Enter).
  2. Enter the following command and then type a space:
    certutil -hashfile
  3. Drag and drop the downloaded .exe installer file into the Command Prompt window.
  4. Add a space, then type SHA256, for example:
    certutil -hashfile "C:\Users\YourName\Downloads\BitBox-installer.exe" SHA256
  5. Press Enter and compare the output with the checksum shown on the BitBox website.

Note: You must explicitly specify SHA256. Otherwise, Windows will use a different algorithm and the checksum will not match.

 

macOS

  1. Open the Terminal app (via Launchpad or Spotlight).
  2. Type the following command (with a space at the end):
    shasum -a 256
  3. Drag and drop the downloaded .dmg file into the Terminal window, or enter the path manually. Example:
    shasum -a 256 /Users/satoshi/Downloads/BitBox-4.47.0-macOS.dmg
  4. Press Enter and compare the result with the checksum shown on the BitBox website.

Important: On macOS, verify the downloaded .dmg file, not the application inside it.

Note: macOS already verifies the app’s signature during installation and will warn you if something is wrong. If you trust this built-in mechanism, manual checksum verification is optional.

Linux

On most Linux distributions, checksum verification works the same way.

  1. Open a terminal.
  2. Run one of the following commands (depending on your distribution), followed by the path to the downloaded file:
    sha256sum BitBox-[version]-x86_64.AppImage
    or
    shasum -a 256 BitBox-[version]-x86_64.AppImage
  3. Compare the output with the checksum listed on the BitBox download page.

This step confirms that the AppImage was downloaded correctly and has not been modified.


Android

You can verify the BitBoxApp APK either on a desktop computer (using the steps above) or directly on your Android device using a hash verification app.

Recommended apps:

Steps on Android:

  1. Open the verification app.
  2. Select SHA-256 as the algorithm.
  3. Choose the downloaded BitBox-4.xx.x-android.apk file.
  4. Compare the generated checksum with the official value on the BitBox website.

If the app requires manual input, copy the checksum directly from the download page.

We also provide signature files for Android releases on GitHub, which are best verified on a desktop device.


FAQ

What is the difference between a checksum and an app signature?

A checksum (SHA-256) verifies that the downloaded file is bit-for-bit identical to the file published on the BitBox website. It protects against accidental corruption or tampering during download.

An app signature, on the other hand, verifies who signed the software. It confirms that the application was cryptographically signed by BitBox and not by a third party. App signature verification uses tools such as GPG (GNU Privacy Guard) and checks a different cryptographic fingerprint than the SHA-256 checksum.

Both methods are complementary:

  • Checksum → verifies file integrity
  • Signature → verifies publisher authenticity

For detailed, step-by-step instructions on signature verification, see: Verify app signature 


Do I need to verify the checksum to use the BitBoxApp safely?

Checksum verification is recommended but not mandatory. Even if a compromised app were used, the BitBox02 hardware wallet does not trust the computer and will not expose your recovery words or private keys.


Which file should I verify?

Always verify the installer or AppImage file you downloaded, not the installed application or extracted contents.


What should I do if the checksum does not match?

Do not run the file. Delete it and download the BitBoxApp again from the official website. If the issue persists, contact BitBox support before proceeding.