Verifying your BitBoxApp download ensures you have the genuine version that was signed by BitBox. 

Although verifying your downloads is a good security practice, it is not strictly necessary to use your BitBox securely. The BitBox does not trust your host device, including the BitBoxApp, which means that even a malicious app cannot directly access your wallet. Never enter your recovery words on your computer or smartphone.

This guide for Android users is here to help you every step of the way, if you still want to proceed with the manual signature verification. 

If you have a desktop computer or laptop at hand, it might be easier to verify the app signature from there, especially if you are already familiar with GPG. This guide is intended for users who only have access to an Android device and/or do not want to trust other devices for signature verification.


Preliminaries

We will be using a terminal emulator to install GPG and verify the app signature, similar to the process on Linux or macOS. For this guide, we are using Termux (F-Droid | Google Play), but you may use another terminal emulator of your choice.

  1. Install Termux on your Android device and open the app.
     
  2. Next, install GPG by typing in the following command and hitting Enter:

    pkg install gnupg -y

    (For expert users: a download mirror is selected automatically. If you want to configure one manually, run termux-change-repo.)
     
  3. Check the installation was successful by running:

    gpg --version
     
  4. Download and import the BitBox public key using this command:

    curl https://bitbox.swiss/download/shiftcryptosec-509249B068D215AE.gpg.asc | gpg --import

    The key fingerprint is DD09 E413 0975 0EBF AE0D EF63 5092 49B0 68D2 15AE.
     
  5. To use wget for downloading files, install it with:

    pkg install wget -y
     

Great, we are now ready to proceed with the download and signature verification! In the future, you can skip this step. 

Downloading the app

To verify the APK file and its signature directly within Termux, we will download it from inside the app using wget with the download URL. This way, Termux does not need permission to access files from other apps. Check out our GitHub release page or the download page on our website to obtain the latest download link.

For the purpose of this guide, we will be using the download link for v4.47.0, but make sure to update it to the latest version.

  1. Download the APK file with:

    wget https://github.com/BitBoxSwiss/bitbox-wallet-app/releases/download/v4.47.0/BitBox-4.47.0-android.apk
     
  2. And the signature file by adding .asc at the end:

    wget https://github.com/BitBoxSwiss/bitbox-wallet-app/releases/download/v4.47.0/BitBox-4.47.0-android.apk.asc
     
  3. If you run ls, you should now see both files.
     

Verifying the signature

Finally, to verify the signature, simply run gpg --verify and specify the .asc signature file. GPG finds the APK by stripping the .asc extension from the signature file name, so both files need to be in the same directory. For example, in the case of v4.47.0:

    gpg --verify BitBox-4.47.0-android.apk.asc

You should now see an output containing “Good signature […]” and information on the signing key. Check that the fingerprint shown is DD09 E413 0975 0EBF AE0D EF63 5092 49B0 68D2 15AE: a good signature only proves that the file matches some key in your keyring, so the fingerprint is what confirms that the key is the BitBox key.

Note: The warning “This key is not certified with a trusted signature” is normal in this case, because you have not marked the imported key as trusted in your local keyring. As long as the fingerprint matches, you can safely ignore it.
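As an added example (not part of this guide or of the BitBoxApp project), the following POSIX shell script turns the two manual checks above into something Termux can run for you: it confirms that the key with the stated fingerprint is in the keyring (step 4) and that the signature was made by that key, reading gpg's machine-readable status output instead of the “Good signature” text. It assumes Termux with gnupg installed and the .apk file sitting next to its .asc file.

```shell
#!/bin/sh
# Added example, not part of the BitBox guide or the BitBoxApp project:
# check that the APK signature was made by the expected BitBox key, using
# gpg's machine-readable status output rather than the "Good signature" text.
# Assumes Termux with gnupg installed and the .apk next to its .asc file.

# Fingerprint of the BitBox signing key as stated in the guide (spaces removed).
BITBOX_FPR="DD09E41309750EBFAE0DEF63509249B068D215AE"

# Step 4 check: read "gpg --with-colons --fingerprint" output on stdin and
# succeed only if an "fpr" record carries the expected fingerprint (field 10).
key_present() {
    awk -F: -v fpr="$1" '
        $1 == "fpr" && $10 == fpr { found = 1 }
        END { exit(found ? 0 : 1) }'
}

# Verification check: read "gpg --status-fd 1 --verify" output on stdin and
# succeed only if a VALIDSIG line names the expected key. gpg emits
#   [GNUPG:] VALIDSIG <signing-key-fpr> <date> ... <primary-key-fpr>
# only for a good signature; the signing key may be a subkey, so the primary
# key fingerprint in the last field is accepted as well.
sig_from_key() {
    awk -v fpr="$1" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($3 == fpr || $NF == fpr) { found = 1 }
        END { exit(found ? 0 : 1) }'
}

# Run both checks against the real keyring and a detached .asc signature.
# Usage: sh verify-bitbox.sh BitBox-4.47.0-android.apk.asc
verify_apk() {
    gpg --with-colons --fingerprint "$BITBOX_FPR" 2>/dev/null | key_present "$BITBOX_FPR" || {
        echo "BitBox key $BITBOX_FPR is not in the keyring; repeat step 4" >&2
        return 1
    }
    # stderr is left alone so gpg's human-readable "Good signature" output stays visible
    gpg --status-fd 1 --verify "$1" | sig_from_key "$BITBOX_FPR" || {
        echo "signature on $1 was NOT made by the BitBox key" >&2
        return 1
    }
    echo "OK: $1 was signed by BitBox key $BITBOX_FPR"
}

# Only run when a signature file is given, so the functions can also be sourced.
if [ "$#" -gt 0 ]; then verify_apk "$1"; fi
```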


You can now proceed with the installation of the BitBoxApp. Through the Files explorer, you can navigate to the app-specific files of Termux and find the already downloaded APK file there.