Verifying the BitBoxApp is a straightforward process that ensures you
have the genuine version that was signed by BitBox. This guide walks
you through every step.
Step 1. Download the app and the signature
First, download both the app and its corresponding signature. You can download the .zip file for the app and the .zip.asc file for the signature from our official releases GitHub page. If you are using the Safari browser, you might need to deactivate the auto-decompress zip files feature in your browser settings.
Ensure both files are in the same folder.
Step 2. Open a terminal
- Navigate to the folder containing both files.
- Click on the Finder drop-down in your top menu bar.
- Select Services -> New Terminal at Folder. This will launch a new terminal for you.
Step 3. Download and import the public key
To verify the signature, download our public key and import it. Use the following command in your terminal:
curl https://bitbox.swiss/download/shiftcryptosec-509249B068D215AE.gpg.asc | gpg --import
Step 4. Verify the signature
Now check the signature to confirm that the app you downloaded was actually signed by us. Adjust the file name according to your version:
gpg --verify BitBox-4.39.0-macos.zip.asc
Ensure the fingerprint in the output matches DD09 E413 0975 0EBF AE0D EF63 5092 49B0 68D2 15AE.
If the fingerprint is correct and the output contains gpg: Good signature from "ShiftCrypto Security <security@shiftcrypto.ch>" [unknown], the verification succeeded!
You might see a warning about the key not being certified with a trusted signature. This is normal and only indicates that you haven't explicitly configured gpg to trust our public key.
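The check in Step 4 can also be scripted instead of read by eye. The following is an added example, not part of the original guide or of BitBox's own tooling: it reads gpg's machine-readable --status-fd output and succeeds only when gpg reports a good signature whose primary key fingerprint is the one given above. The function names are hypothetical and the sample status lines are constructed.

```sh
#!/bin/sh
# Added example (not BitBox tooling): scripted form of the Step 4 check.
# Fingerprint from this guide, spaces removed.
EXPECTED_FPR="DD09E41309750EBFAE0DEF63509249B068D215AE"

# Reads `gpg --status-fd` lines on stdin. Succeeds only if gpg reported a
# good signature (GOODSIG) and every VALIDSIG line names the expected
# primary key, which is the last field of that line.
status_matches_fpr() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        $2 == "GOODSIG"  { good = 1 }
        $2 == "VALIDSIG" { if (toupper($NF) == toupper(want)) fpr_ok = 1; else bad = 1 }
        # Bad, unverifiable, expired-key or revoked-key signatures fail.
        $2 == "BADSIG" || $2 == "ERRSIG" || $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" { bad = 1 }
        END { exit !(good && fpr_ok && !bad) }
    '
}

# Hypothetical wrapper: $1 is the .asc file; gpg expects the .zip next to it.
verify_release() {
    gpg --status-fd 1 --verify "$1" 2>/dev/null |
        status_matches_fpr "$EXPECTED_FPR"
}

# Constructed sample of the status lines gpg emits for a good signature.
SAMPLE_STATUS='[GNUPG:] GOODSIG 509249B068D215AE ShiftCrypto Security <security@shiftcrypto.ch>
[GNUPG:] VALIDSIG DD09E41309750EBFAE0DEF63509249B068D215AE 2024-01-01 1704067200 0 4 0 1 8 00 DD09E41309750EBFAE0DEF63509249B068D215AE'

# Self-check on the constructed sample; prints a line when it is accepted.
printf '%s\n' "$SAMPLE_STATUS" | status_matches_fpr "$EXPECTED_FPR" &&
    echo "sample status accepted"
```

With the functions defined in your terminal session, run verify_release BitBox-4.39.0-macos.zip.asc; the exit status is 0 only when the signature is good and the fingerprint matches.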