Verifying the BitBoxApp's digital signature is an advanced security measure that confirms you have a genuine version signed by BitBox. This process ensures the application has not been tampered with.

While this step is recommended for advanced users, the BitBox02 hardware wallet is designed to be secure even if your computer is compromised. It does not trust the BitBoxApp and will not accept unsigned firmware, protecting your private keys at all times.


Prerequisites

Most Linux distributions come with GPG (GNU Privacy Guard) pre-installed. You can check by opening a terminal and running gpg --version. If it's not installed, use your distribution's package manager to install it (e.g., sudo apt install gnupg on Debian/Ubuntu or sudo dnf install gnupg2 on Fedora).


Step 1: Download the necessary files

Navigate to the official BitBoxApp releases page on GitHub. Download both the application file for your system and its corresponding .asc signature file.

  • Debian/Ubuntu/Mint: Download the .deb package and the .deb.asc file.
  • Fedora: Download the .rpm package and the .rpm.asc file.
  • Other distributions: Download the .AppImage file and the .AppImage.asc file.

Make sure both files are saved in the same directory (e.g., your Downloads folder).


Step 2: Open the terminal

Open a terminal window. A common shortcut is to navigate to your Downloads folder in your file explorer, right-click inside the folder, and select an option like "Open in Terminal".


Step 3: Import the BitBox signing key

To verify the signature, you must first import our public key. Run the following command in your terminal:

curl https://bitbox.swiss/download/shiftcryptosec-509249B068D215AE.gpg.asc | gpg --import

Step 4: Verify the application signature

Now you can verify that the app you downloaded was authentically signed by us. In the terminal, run the gpg --verify command followed by the name of the .asc file.

The filename will change depending on the version. This example is for version 4.47.3 and the .deb package:

gpg --verify bitbox_4.47.3_amd64.deb.asc

Tip: As you type the filename, you can press the Tab key to auto-complete it. Ensure the filename ends with .asc.


The command output should contain the following two things:

  1. The text gpg: Good signature from "ShiftCrypto Security <security@shiftcrypto.ch>".
  2. The primary key fingerprint: DD09 E413 0975 0EBF AE0D EF63 5092 49B0 68D2 15AE.

If both are present and the fingerprint matches the one above exactly, the signature is valid.

Note: You will likely see a warning that says, "This key is not certified with a trusted signature." This is expected and simply means you have not explicitly told GPG to trust our key.
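Steps 3 and 4 as a small script, added here as an example and not BitBox's own tooling: it reads gpg's machine-readable status lines and compares the full primary key fingerprint against the one quoted above, so a "Good signature" from some other key that happens to be in your keyring is rejected. The sample status lines are constructed for offline testing; the fingerprint and key ID are the ones from this page.

```shell
#!/bin/sh
# Added example (not BitBox's own script): check the BitBoxApp signature and
# the signing key fingerprint programmatically rather than by eye. The
# fingerprint is the one the article quotes; everything else is assumed.
EXPECTED_FPR="DD09 E413 0975 0EBF AE0D EF63 5092 49B0 68D2 15AE"

# Print the primary key fingerprint from gpg's machine-readable status
# output. Only a good signature produces a VALIDSIG line, whose last field
# is the primary key fingerprint (identical to the first field when the
# primary key itself signed). Prints nothing if no valid signature was seen.
validsig_fingerprint() {
    printf '%s\n' "$1" | awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $NF; exit }'
}

# Return 0 only if the status output shows a valid signature AND the primary
# key fingerprint is the expected one. Comparing the full fingerprint guards
# against a "Good signature" from an unrelated key in the keyring.
check_fingerprint() {
    expected=$(printf '%s' "$EXPECTED_FPR" | tr -d ' ')
    [ "$(validsig_fingerprint "$1")" = "$expected" ]
}

# Run gpg on a downloaded .asc file; gpg looks for the signed file beside it
# with the .asc suffix stripped (e.g. bitbox_4.47.3_amd64.deb). Status lines
# go to stdout via --status-fd 1, the usual human-readable text to stderr.
verify_download() {
    status=$(gpg --batch --status-fd 1 --verify "$1") || true
    check_fingerprint "$status"
}

# Constructed status output for testing the parser offline (dates and
# timestamps are made up; the key ID and fingerprint are the article's).
SAMPLE_GOOD="[GNUPG:] GOODSIG 509249B068D215AE ShiftCrypto Security <security@shiftcrypto.ch>
[GNUPG:] VALIDSIG DD09E41309750EBFAE0DEF63509249B068D215AE 2025-01-01 1735689600 0 4 0 1 10 00 DD09E41309750EBFAE0DEF63509249B068D215AE
[GNUPG:] TRUST_UNDEFINED 0 pgp"
# A good signature, but from a made-up key that is not BitBox's.
SAMPLE_WRONG_KEY="[GNUPG:] GOODSIG 0123456789ABCDEF Someone Else <someone@example.com>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2025-01-01 1735689600 0 4 0 1 10 00 0123456789ABCDEF0123456789ABCDEF01234567"
# A tampered file: the signature does not match, so there is no VALIDSIG.
SAMPLE_BAD="[GNUPG:] BADSIG 509249B068D215AE ShiftCrypto Security <security@shiftcrypto.ch>"

if [ "$#" -eq 1 ] && [ -f "$1" ]; then
    if verify_download "$1"; then
        echo "OK: valid signature from key $EXPECTED_FPR"
    else
        echo "FAIL: no valid signature from the expected key" >&2; exit 1
    fi
fi
```

Run it as `sh verify_bitbox.sh bitbox_4.47.3_amd64.deb.asc` after importing the key as in Step 3; the human-readable gpg output still appears on stderr, and the exit status tells you whether the fingerprint check passed.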