Verifying the BitBoxApp’s digital signature is an advanced security measure that confirms the software was signed by Shift Crypto (BitBox) and has not been modified since it was signed.

Info (macOS users):

The BitBoxApp is notarized by Apple. When you open the app the first time, macOS automatically performs signature checks and will warn you if the app was tampered with. Manual verification is optional and mainly useful if you want an independent, cryptographic check (for example, in high-security environments).


The general warning shown below is normal and appears the first time you open many apps downloaded from the internet. If you downloaded the BitBoxApp from an official source, you can safely continue when you see this message.


Prerequisites

You need GPG (GNU Privacy Guard) installed.

  • Homebrew (recommended): If you have Homebrew, open Terminal and run:
    brew install gpg
  • Direct download: Alternatively, download and install GPG Suite from gpgtools.org.

To confirm installation, run this in Terminal:
gpg --version


Step 1: Download the necessary files

Go to the official BitBoxApp releases page on GitHub.

Download both:

  • the .dmg application file, and
  • the matching .dmg.asc signature file

Save both to the same folder (for example: Downloads).


Step 2: Open the Terminal

Open Terminal via Spotlight Search (CMD + Space) or from Applications.

(Optional) Navigate to your download folder: cd ~/Downloads


Step 3: Import the BitBox signing key

To verify our signature, you need our public signing key. You can download it on our website.

Key details:

  • Email: security@shiftcrypto.ch
  • Fingerprint: DD09 E413 0975 0EBF AE0D EF63 5092 49B0 68D2 15AE

Download and import the key with:

curl https://bitbox.swiss/download/shiftcryptosec-509249B068D215AE.gpg.asc | gpg --import

Run:

gpg --fingerprint security@shiftcrypto.ch

Make sure the fingerprint shown matches:
DD09 E413 0975 0EBF AE0D EF63 5092 49B0 68D2 15AE

Important: Only continue if the fingerprint matches exactly.


Step 4: Verify the application signature

Run gpg --verify on the .dmg.asc file (the filename will depend on the version you downloaded). gpg locates the signed file by stripping the .asc extension, so the .dmg must be in the same folder as its .dmg.asc and keep its original name. Example:

gpg --verify BitBox-4.47.3-macOS.dmg.asc

Tip: You can drag & drop the .asc file from Finder into the Terminal window to paste its full path automatically.


The output should include:

  1. gpg: Good signature from "ShiftCrypto Security <security@shiftcrypto.ch>"
  2. The primary key fingerprint: DD09 E413 0975 0EBF AE0D EF63 5092 49B0 68D2 15AE

If both are present and the fingerprint matches, the signature verification succeeded.

Note (expected warning): You may see: “This key is not certified with a trusted signature.”
This is normal and only means you have not explicitly marked this key as trusted in your personal GPG trust database.
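If you repeat this check often, the two decisions from Steps 3 and 4 (is the signature good, and is it from the key with the expected fingerprint) can be made by a script instead of by eye. The script below is an added example, not Shift Crypto's own tooling; it assumes gpg is installed and the BitBox key was imported as in Step 3, and uses gpg's machine-readable --status-fd output rather than the human-readable text.

```shell
#!/bin/sh
# Added example: automates Step 3's fingerprint check and Step 4's gpg --verify.
# Assumes gpg is in PATH and the BitBox signing key has already been imported.

# Primary-key fingerprint from the guide; spaces are removed before comparing.
EXPECTED_FPR="DD09 E413 0975 0EBF AE0D EF63 5092 49B0 68D2 15AE"

# Read "gpg --status-fd" lines on stdin and return 0 only if a VALIDSIG line
# names the expected key. A "Good signature" alone is not enough: the
# fingerprint must match, as the guide stresses.
check_gpg_status() {
    expected=$(printf '%s' "$1" | tr -d ' ')
    ok=1
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] VALIDSIG "*)
                # Fields: [GNUPG:] VALIDSIG <sig-key-fpr> <date> <ts> <expire>
                #         <ver> <reserved> <pkalg> <hashalg> <class> <primary-fpr>
                set -- $line
                sigkey="$3"
                primary="${12:-$3}"
                if [ "$primary" = "$expected" ] || [ "$sigkey" = "$expected" ]; then
                    ok=0
                fi
                ;;
            "[GNUPG:] BADSIG "*|"[GNUPG:] ERRSIG "*|"[GNUPG:] NO_PUBKEY "*)
                # Any failure line is final: do not open the file.
                return 1
                ;;
        esac
    done
    return $ok
}

# Verify a .dmg.asc; the matching .dmg must sit next to it, because gpg
# locates the signed file by stripping the .asc extension.
verify_bitbox_dmg() {
    gpg --status-fd 1 --verify "$1" 2>/dev/null | check_gpg_status "$EXPECTED_FPR"
}

# Usage: verify_bitbox_dmg ~/Downloads/BitBox-4.47.3-macOS.dmg.asc && echo "signature OK"
```

The status lines are checked even when the signature was made by a subkey, because VALIDSIG also carries the primary-key fingerprint, which is the one printed in Step 3.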


FAQ

What is the difference between verifying the app signature and verifying the download itself?

They answer two different security questions, and you can use either—or both—for extra assurance:

  • Verifying the download (checksum / SHA-256) checks file integrity:
    It confirms the file you downloaded is bit-for-bit identical to the one published by Shift Crypto. This protects against corruption or tampering during download.
  • Verifying the app signature (this guide) checks publisher authenticity:
    It confirms the app package was cryptographically signed by Shift Crypto’s signing key and wasn’t modified after signing.

Best practice for maximum assurance:

  1. Verify the checksum (download integrity), then
  2. Verify the signature (publisher authenticity)

To verify the checksum (SHA-256), follow the guide "How to verify the BitBoxApp checksum (SHA-256)".


Do I need to do this to use the BitBoxApp safely on macOS?

Usually not. On macOS, the BitBoxApp is notarized by Apple and macOS performs signature checks automatically when opening the app. Manual verification is mainly for advanced users who want an independent verification step.


What if GPG says “BAD signature” or the fingerprint doesn’t match?

Do not open or install the file. Delete the downloaded files and download them again from the official source. If the problem persists, contact our support team and include:

  • the BitBoxApp version you downloaded
  • the exact gpg --verify output
  • where you downloaded the files from (link/source)

Why do I see “This key is not certified with a trusted signature”?

That warning is expected unless you personally trust/sign the key in your local GPG setup. The important part is that you see a Good signature and that the fingerprint matches the one listed above.