How to verify the app release on MacOS?

Verifying your BitBoxApp download ensures you have the genuine version that was signed by BitBox. While not strictly necessary, it is good security practice to detect whether the file was manipulated during download or did not originate from BitBox at all.

The BitBox02 does not trust your host device, including the BitBoxApp, and will not accept unsigned firmware versions, which means that even a manipulated BitBoxApp would not be able to access your private keys and steal your coins. Because of this, it is safe to use the BitBoxApp and BitBox02 even without verifying the download first.

On macOS, our signature is automatically verified when trying to open the app for the first time, as per the macOS notarization guidelines. Because of this, manually verifying the signature is not necessary if you trust that Apple's verification process isn't compromised. You would receive an explicit warning when trying to open the BitBoxApp for the first time, if a manipulation was detected.

Note that the general warning shown below is normal and displayed whenever you open any app downloaded from the internet for the first time. You can safely continue using the BitBoxApp if you see this message:


If you still wish to proceed with the manual verification, see the steps outlined below.

This guide is also available for Windows and Linux!

Preliminaries

Make sure GPG (GNU Privacy Guard) is installed on your Mac. You can download and install a GPG version for macOS here.

Alternatively, if you have the popular package manager Homebrew installed on your Mac, you can easily install GPG with brew install gpg. See information on the Homebrew website for more information on how to install or use Homebrew.

You can check that GPG is installed on your Mac by running gpg --version in a Terminal window (you will see either the installed version or a "command not found" error) and then proceed with the verification steps below.

Step 1: Download the app and the signature

First you will need to download both the BitBoxApp and its corresponding signature file. You can download the .dmg archive file for the BitBoxApp and the .dmg.asc signature file from our official releases page on GitHub.

Download both files and ensure they are in the same folder.

Step 2: Open the Terminal

Open a new Terminal window. You can quickly access the Terminal through spotlight search (CMD + Space) or by looking for it in Launchpad.

If you like, you can navigate to the folder containing the downloaded files (e.g. with cd Downloads).

Step 3: Import our public key

In order to verify our signature, you first need to import our corresponding public key, which you can download on our website. The email associated with the key is security@shiftcrypto.ch and the fingerprint of the key is DD09 E413 0975 0EBF AE0D EF63 5092 49B0 68D2 15AE.

To download and import the key into GPG, run this command in the Terminal window:

curl https://bitbox.swiss/download/shiftcryptosec-509249B068D215AE.gpg.asc | gpg --import

This will download the key using curl and hand it over to gpg to be imported.

Step 4: Verify the signature

Now that you have imported our public key and downloaded both the .dmg archive and signature file, you can finally verify that the signature is actually valid, attesting that the BitBoxApp you downloaded came from BitBox.

The file names in the following command will vary depending on the version you downloaded (v4.41.0 in this case). Also make sure you are either in the correct path ("Downloads" directory in this case) or use the full path name instead. To instantly insert the correct and full path name, simply drag and drop the signature file on the Terminal window.

Verify the signature with the following command, providing the relative or full path to the .dmg.asc signature file as an argument:

gpg --verify BitBox-4.43.0-macOS.dmg.asc

Provided the signature is valid, the output will look something like this:

You can trust this signature if the key fingerprint matches DD09 E413 0975 0EBF AE0D EF63 5092 49B0 68D2 15AE, which is also displayed for every release on GitHub.

Note: You will likely see the warning "This key is not certified with a trusted signature!" here, as shown in the screenshot above. This is to be expected, since your GPG installation just learned about this key and you haven't told it to explicitly trust it.
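The following script is an added example and is not part of the original guide or of BitBox's own tooling. It puts Steps 3 and 4 together and adds the check that matters most in practice: a signature can be "Good" for any key that happens to be in your keyring, so the script reads GPG's machine-readable status output (--status-fd) and succeeds only when the VALIDSIG line names the expected fingerprint from this guide, either as the signing key or as its primary key. The key URL and fingerprint are the ones quoted above; the signature file name is whatever you downloaded (BitBox-4.43.0-macOS.dmg.asc in the guide). check_validsig() can also be fed a captured status line, so the matching logic can be tried without a download.

```shell
#!/bin/sh
# Added example (not from the original guide): scripted Step 3 + Step 4 with an
# explicit fingerprint check. Assumes gpg and curl are installed.

KEY_URL="https://bitbox.swiss/download/shiftcryptosec-509249B068D215AE.gpg.asc"  # from the guide
EXPECTED_FPR="DD09 E413 0975 0EBF AE0D EF63 5092 49B0 68D2 15AE"                   # from the guide

# Remove spaces and upper-case so "dd09 e413 ..." and "DD09E413..." compare equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr '[:lower:]' '[:upper:]'
}

# Read gpg's machine-readable status lines (from --status-fd) on stdin.
# Returns 0 only if a VALIDSIG line names the expected key, either as the
# signing (sub)key fingerprint (3rd field) or as the primary key fingerprint
# (last field); returns 1 otherwise. BADSIG/NO_PUBKEY lines never match.
check_validsig() {
    expected=$(normalize_fpr "$1")
    status=1
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] VALIDSIG "*)
                set -- $line                      # split the status line into fields
                signing=$(normalize_fpr "$3")
                for word in "$@"; do primary=$word; done   # last field = primary key fpr
                primary=$(normalize_fpr "$primary")
                if [ "$signing" = "$expected" ] || [ "$primary" = "$expected" ]; then
                    status=0
                fi
                ;;
        esac
    done
    return $status
}

# Step 3: download the public key and import it into the local keyring.
import_key() {
    curl -fsSL "$KEY_URL" | gpg --import
}

# Step 4: verify the detached .asc signature. gpg writes status lines to fd 1
# (stdout) and its usual human-readable output, including the "not certified"
# warning, to stderr, so only the status lines reach check_validsig.
verify_release() {
    gpg --status-fd 1 --verify "$1" | check_validsig "$EXPECTED_FPR"
}

# Usage: sh verify-bitbox.sh BitBox-4.43.0-macOS.dmg.asc
if [ $# -gt 0 ]; then
    import_key
    if verify_release "$1"; then
        echo "OK: signature valid and made by key $EXPECTED_FPR"
    else
        echo "FAIL: signature invalid or made by a different key" >&2
        exit 1
    fi
fi
```

The script deliberately does not suppress GPG's own text, so you still see the "This key is not certified with a trusted signature!" warning described in the note above; that warning is about your keyring's trust settings, whereas the fingerprint comparison is what ties the signature to BitBox's key.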