Verifying the BitBoxApp's digital signature is an advanced security measure that confirms you have a genuine version signed by BitBox. This process ensures the application has not been tampered with.

While this step is recommended for advanced users, the BitBox02 hardware wallet is designed to be secure even if your computer is compromised. It does not trust the BitBoxApp and will not accept unsigned firmware, protecting your private keys at all times.


Prerequisites

You need GPG (GNU Privacy Guard) installed on your system. For Windows, we recommend downloading and installing Gpg4win, which includes the gpg.exe command-line tool used below.

After installation, open a new Command Prompt window (one opened before the installation will not yet have gpg on its PATH) and run gpg --version to confirm it was installed correctly.


Step 1: Download the necessary files

Go to the official BitBoxApp releases page on GitHub. Download both the .exe installer file and its corresponding .exe.asc signature file. Make sure both files are saved in the same directory (e.g., your Downloads folder).


Step 2: Open Command Prompt

Open the Command Prompt by typing cmd into the Start Menu search bar. To make things easier, navigate to your downloads folder by typing cd Downloads and pressing Enter.


Step 3: Import the BitBox signing key

In order to verify our signature, you first need to import our corresponding public key, which you can download on our website. The email associated with the key is security@shiftcrypto.ch and the fingerprint of the key is DD09 E413 0975 0EBF AE0D EF63 5092 49B0 68D2 15AE.

To download and import the key into GPG, run this command in the Command Prompt window:

curl https://bitbox.swiss/download/shiftcryptosec-509249B068D215AE.gpg.asc | gpg --import

This will download the key using curl (built into Command Prompt on current Windows versions) and hand it over to gpg to be imported. If you use PowerShell instead of Command Prompt, type curl.exe rather than curl, because in Windows PowerShell curl is an alias for Invoke-WebRequest and will not behave the same way. After the import, run gpg --fingerprint security@shiftcrypto.ch and check that the fingerprint printed matches DD09 E413 0975 0EBF AE0D EF63 5092 49B0 68D2 15AE; the "Good signature" result in the next step is only meaningful if the key you imported is the real BitBox key.


Step 4: Verify the application signature

Now you can verify the installer's authenticity. The .asc file is a detached signature over the installer, so gpg needs both files: run the gpg --verify command followed by the name of the .asc file in quotes, and gpg will look for the installer in the same directory under the same name without the .asc extension. (You can also name the installer explicitly as a second argument after the .asc file.)

The filename will change depending on the version. This example is for version 4.47.3:

gpg --verify "BitBox-4.47.3-win64-installer.exe.asc"

Tip: In Windows Explorer, you can right-click the .asc file while holding Shift, select "Copy as path", and then paste it into the Command Prompt.


The command output should contain the following two things:

  1. The line gpg: Good signature from "ShiftCrypto Security <security@shiftcrypto.ch>" (usually followed by [unknown], because you have not marked the key as trusted in GPG).
  2. The line Primary key fingerprint: DD09 E413 0975 0EBF AE0D EF63 5092 49B0 68D2 15AE.

If both are present, the signature is valid. The fingerprint comparison is the actual security check: a "Good signature" line on its own only proves that the file was signed by whatever key you imported, so you can trust the result only if the fingerprint matches DD09 E413 0975 0EBF AE0D EF63 5092 49B0 68D2 15AE, which is also displayed for every release on GitHub. If the output instead says "BAD signature", the installer has been modified or does not belong to that signature file; do not run it.

Note: You will likely see a warning that says, "WARNING: This key is not certified with a trusted signature!" followed by "There is no indication that the signature belongs to the owner." This is expected and simply means you have not explicitly told GPG to trust our key; comparing the fingerprint yourself, as above, is what takes the place of that trust.
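The same procedure as a PowerShell script, added here as an example; it is not code from the BitBox page or from the BitBox project. It assumes Gpg4win's gpg.exe is on the PATH, that Step 1 has been done by hand so the installer and its .asc file are in the current directory, and it uses the version 4.47.3 file name from the page as an example; the local key file name is an assumption. Instead of reading the human-readable output, it checks GnuPG's machine-readable --status-fd lines, and it compares the primary key fingerprint reported by GnuPG against the expected one, so a signature made by any other key is rejected.

```powershell
# Added example (not from the BitBox page or the BitBox project): Steps 3 and 4
# from PowerShell, checking GnuPG's --status-fd output instead of eyeballing
# "Good signature". Assumes gpg.exe (Gpg4win) is on PATH and that the installer
# and its .asc signature are already in the current directory.

# Expected fingerprint from the page, spaces removed. Cross-check it against a
# second source, e.g. the fingerprint shown on the GitHub release page.
$ExpectedFpr = 'DD09E41309750EBFAE0DEF63509249B068D215AE'
$KeyUrl      = 'https://bitbox.swiss/download/shiftcryptosec-509249B068D215AE.gpg.asc'
$KeyFile     = 'shiftcrypto-security.gpg.asc'              # assumed local file name
$Version     = '4.47.3'                                    # example version from the page
$Installer   = "BitBox-$Version-win64-installer.exe"
$Signature   = "$Installer.asc"

foreach ($f in $Installer, $Signature) {
    if (-not (Test-Path -LiteralPath $f)) { throw "Missing file: $f (download it first, see Step 1)" }
}

# Step 3: fetch the ASCII-armored public key and import it. curl.exe is named
# explicitly because plain 'curl' is an alias for Invoke-WebRequest in Windows PowerShell.
curl.exe -sSfL -o $KeyFile $KeyUrl
if ($LASTEXITCODE -ne 0) { throw 'Key download failed' }
gpg --batch --import $KeyFile
if ($LASTEXITCODE -ne 0) { throw 'Key import failed' }

# Confirm that the key now in the keyring really has the expected fingerprint.
# In --with-colons output, 'fpr' records carry the fingerprint in field 10 (index 9).
$fprs = gpg --batch --with-colons --fingerprint $ExpectedFpr |
        Where-Object { $_ -like 'fpr:*' } |
        ForEach-Object { ($_ -split ':')[9] }
if ($fprs -notcontains $ExpectedFpr) {
    throw "No key with fingerprint $ExpectedFpr in the keyring; do not proceed"
}

# Step 4: verify the detached signature, naming both files explicitly.
# --status-fd 1 sends machine-readable status lines to stdout; the usual
# human-readable messages still go to stderr, so they remain visible.
$status = gpg --batch --status-fd 1 --verify $Signature $Installer
$signedBy = $null
foreach ($line in $status) {
    # VALIDSIG <signing-key-fpr> <date> <timestamp> <expiry> <ver> <rsv> <pk-algo> <hash-algo> <class> <primary-key-fpr>
    # The last field is the primary key fingerprint even when a subkey made the signature.
    if ($line -match '^\[GNUPG:\] VALIDSIG\s+(\S+)\s.*\s(\S+)$') { $signedBy = $Matches[2] }
}

if ($LASTEXITCODE -eq 0 -and $signedBy -eq $ExpectedFpr) {
    Write-Host "OK: $Installer is signed by key $ExpectedFpr"
} else {
    # Covers BADSIG (modified installer), a signature by some other key,
    # and a missing or unreadable installer or signature file.
    throw "VERIFICATION FAILED for $Installer (status: $($status -join '; ')). Do not run the installer."
}
```

Run it from the folder that holds the two downloaded files, for example your Downloads folder. Because the script requires a VALIDSIG status line whose primary key fingerprint equals the expected value, a "Good signature" from a look-alike key that someone slipped into your keyring still fails the check, which is exactly the case the manual fingerprint comparison in Step 4 is meant to catch.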