Verifying the BitBoxApp's digital signature is an advanced security measure that confirms you have a genuine version signed by BitBox. This process ensures the application has not been tampered with.
While this step is recommended for advanced users, the BitBox02 hardware wallet is designed to be secure even if your computer is compromised. It does not trust the BitBoxApp and will not accept unsigned firmware, protecting your private keys at all times.
Prerequisites
You need GPG (GNU Privacy Guard) installed on your system. For Windows, we recommend downloading and installing Gpg4win.
After installation, open Command Prompt and run gpg --version to confirm it was installed correctly.
Step 1: Download the necessary files
Go to the official BitBoxApp releases page on GitHub. Download both the .exe installer file and its corresponding .exe.asc signature file. Make sure both files are saved in the same directory (e.g., your Downloads folder).
Step 2: Open Command Prompt
Open the Command Prompt by typing cmd into the Start Menu search bar. To make things easier, navigate to your Downloads folder by typing cd Downloads and pressing Enter.
Step 3: Import the BitBox signing key
In order to verify our signature, you first need to import our corresponding public key, which you can download from our website. The email associated with the key is security@shiftcrypto.ch and the fingerprint of the key is DD09 E413 0975 0EBF AE0D EF63 5092 49B0 68D2 15AE.
To download and import the key into GPG, run this command in the Command Prompt window:
curl https://bitbox.swiss/download/shiftcryptosec-509249B068D215AE.gpg.asc | gpg --import
This will download the key using curl and hand it over to gpg to be imported.
Step 4: Verify the application signature
Now you can verify the installer's authenticity. Run the gpg --verify command followed by the name of the .asc file in quotes.
The filename will change depending on the version. This example is for version 4.47.3:
gpg --verify "BitBox-4.47.3-win64-installer.exe.asc"
Tip: In Windows Explorer, you can right-click the .asc file while holding Shift, select "Copy as path", and then paste it into the Command Prompt.
The command output should contain the following two things:
- The text gpg: Good signature from "ShiftCrypto Security <security@shiftcrypto.ch>".
- The primary key fingerprint: DD09 E413 0975 0EBF AE0D EF63 5092 49B0 68D2 15AE.
If both are present, the signature is valid. You can trust this signature if the key fingerprint matches DD09 E413 0975 0EBF AE0D EF63 5092 49B0 68D2 15AE, which is also displayed for every release on GitHub.
Note: You will likely see a warning that says, "This key is not certified with a trusted signature." This is expected and simply means you have not explicitly told GPG to trust our key.
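As an added example (not from the BitBox documentation), the same Steps 3 and 4 as a PowerShell script that checks the primary key fingerprint automatically instead of by eye; this matters because gpg --verify exits 0 for any valid signature, including one made by an unrelated key. It assumes GPG is on PATH, the files are in your Downloads folder, and the version 4.47.3 filename from the example above (adapt it per release).

```powershell
# Added example: automate key import and signature verification with a
# machine-checked fingerprint. Assumes gpg.exe is on PATH and the .asc file
# sits in Downloads; the filename below is the 4.47.3 example from the page.
$ExpectedFingerprint = 'DD09E41309750EBFAE0DEF63509249B068D215AE'   # page's fingerprint, spaces removed
$KeyUrl  = 'https://bitbox.swiss/download/shiftcryptosec-509249B068D215AE.gpg.asc'
$SigFile = Join-Path $env:USERPROFILE 'Downloads\BitBox-4.47.3-win64-installer.exe.asc'

# Step 3: download the public key to a temp file and import it
# (same effect as "curl ... | gpg --import").
$KeyFile = Join-Path $env:TEMP 'shiftcrypto-security.asc'
Invoke-WebRequest -Uri $KeyUrl -OutFile $KeyFile -ErrorAction Stop
& gpg --import $KeyFile
if ($LASTEXITCODE -ne 0) { throw "gpg --import failed with exit code $LASTEXITCODE" }

# Step 4: verify using gpg's machine-readable status lines (--status-fd 1)
# rather than the human-readable text. A good signature produces a line
#   [GNUPG:] VALIDSIG <signing-key-fpr> ... <primary-key-fpr>
# The LAST field is the primary key fingerprint, which is the value the
# page tells you to compare (the signature itself may come from a subkey).
$status   = & gpg --status-fd 1 --verify $SigFile
$validSig = $status | Where-Object { $_ -match '^\[GNUPG:\] VALIDSIG ' } | Select-Object -First 1

if (-not $validSig) {
    throw "No valid signature found for $SigFile (gpg exit code $LASTEXITCODE). Do not run the installer."
}

$primaryFpr = ($validSig -split ' ')[-1]
if ($primaryFpr -ne $ExpectedFingerprint) {
    # The signature is cryptographically valid, but the key is not the BitBox security key.
    throw "Signature was made by an unexpected key: $primaryFpr (expected $ExpectedFingerprint)"
}

Write-Host "OK: $SigFile carries a valid signature from primary key $ExpectedFingerprint"
```

The "This key is not certified with a trusted signature" warning still appears on stderr; the script deliberately relies on the fingerprint comparison rather than GPG's trust database, so no key signing or trust editing is needed.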