Verifying the BitBoxApp's digital signature is an optional, more advanced check that confirms the file you downloaded is the one we released and that it has not been altered since.

On macOS, our app is signed with an Apple Developer ID certificate and notarized by Apple. This means macOS (Gatekeeper) checks that signature automatically when you first open the BitBoxApp and displays an explicit warning if the app has been tampered with. The GPG verification described below is a separate, independent check against our own signing key. It is generally not necessary, but it lets you confirm the release without relying on Apple's checks alone.

Note that the general warning shown below is normal: macOS displays it whenever you open an app downloaded from the internet for the first time. You can safely continue using the BitBoxApp if you see this message:


Prerequisites

You need GPG (GNU Privacy Guard) installed.

  • Homebrew: If you have Homebrew, open the Terminal and run brew install gpg.
  • Direct Download: Alternatively, download and install GPG Suite from: https://gpgtools.org/

To confirm the installation, run gpg --version in a Terminal window.


Step 1: Download the necessary files

Go to the official BitBoxApp releases page on GitHub. Download both the .dmg application file and its corresponding .dmg.asc signature file. The .asc file is a detached signature: it covers the .dmg byte for byte, so keep both files under their original names and save them to the same folder (e.g., Downloads).


Step 2: Open the Terminal

You can find the Terminal app via Spotlight Search (CMD + Space) or in your Applications folder. For convenience, navigate to the folder containing your downloaded files using the cd command (e.g., cd ~/Downloads).


Step 3: Import the BitBox signing key

To verify our signature, you first need to import the corresponding public key, which you can download from our website. The email address associated with the key is security@shiftcrypto.ch and the fingerprint of the key is DD09 E413 0975 0EBF AE0D EF63 5092 49B0 68D2 15AE.

To download and import the key into GPG, run this command in the Terminal window:

curl https://bitbox.swiss/download/shiftcryptosec-509249B068D215AE.gpg.asc | gpg --import

This downloads the key using curl and pipes it to gpg, which imports it into your keyring. gpg reports that the public key was imported (or that it was already present).


Step 4: Verify the application signature

Now, run the gpg --verify command, providing the path to the .dmg.asc file. The filename will change depending on the version downloaded. gpg finds the .dmg automatically, because a detached signature is checked against the file of the same name without the .asc suffix; if the .dmg is missing or has been renamed, verification fails.

gpg --verify BitBox-4.47.3-macOS.dmg.asc

Tip: You can drag and drop the .asc file from your Finder window directly onto the Terminal window to automatically paste its full path.


The command output should contain the following two things:

  1. The text gpg: Good signature from "ShiftCrypto Security <security@shiftcrypto.ch>".
  2. The primary key fingerprint: DD09 E413 0975 0EBF AE0D EF63 5092 49B0 68D2 15AE.

Provided the signature is valid, the output will look something like this:

You can trust this signature if the key fingerprint matches DD09 E413 0975 0EBF AE0D EF63 5092 49B0 68D2 15AE, which is also displayed for every release on GitHub. Both the "Good signature" line and the matching fingerprint are required: a good signature from some other key proves nothing.

Note: You will likely see a warning that says, "This key is not certified with a trusted signature." This is expected and simply means you have not explicitly told GPG to trust our key. What you must not ignore is output containing "BAD signature" or "Can't check signature: No public key". In that case, do not install the app; re-download both files and the key and verify again.