How to verify the app release on Windows?

Verifying the BitBoxApp is a straightforward process, ensuring you have the genuine version that was signed by BitBox. This guide is here to help you every step of the way.

This guide is also available for Linux and macOS!

Step 1. Download the app and the signature

First you will need to download both the app and its corresponding signature. You can download the .exe file for the app and the .exe.asc file for the signature from our official releases GitHub page.

Ensure both files are in the same folder.

Step 2. Open a terminal

We will use a terminal to execute commands in the following steps. It is important to open the terminal in the correct location.

  1. Open the file explorer and navigate to the folder containing both files.
  2. Right-click in the folder and select "Open PowerShell here". This will open a new window where you can enter commands.

Step 3. Download and import the public key

To verify the signature you need to download our public key and import it into the program that you will use for the verification later. We use the curl command to download the public key from our website and then use the gpg command to import it into the gpg program that we will use for the verification.

Paste this command into your PowerShell window and press enter:

Step 4. Verify the signature

Now, you can verify that the app you downloaded was actually signed by us, by verifying its corresponding signature.

The file name could be different; this is an example for the app version v.4.39.0. Type in this command, but change the file name according to your version:
gpg --verify BitBox-4.39.0-win64-installer.exe.asc

Tip: when typing in the command, you can use the tab key to autocomplete the name of the signature. It will probably autocomplete to just the .exe, so make sure to add the .asc file extension.

Please make sure the fingerprint in the output matches DD09 E413 0975 0EBF AE0D  EF63 5092 49B0 68D2 15AE. It should look something like this:
Primary key fingerprint: DD09 E413 0975 0EBF AE0D  EF63 5092 49B0 68D2 15AE

If the fingerprint is correct and the output contains this, then the verification succeeded!
gpg: Good signature from "ShiftCrypto Security <security@shiftcrypto.ch>" [unknown]

You might see a warning about the key not being certified with a trusted signature. This is normal and only indicates that you haven't explicitly configured gpg to trust our public key.
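
The Step 4 check can also be scripted, so that the fingerprint comparison does not depend on reading the output by eye. The script below is an added example, not part of the original guide or of BitBox's own tooling. It assumes gpg is on the PATH and the public key from Step 3 is already imported; the helper name Test-GpgStatus and the sample status lines are constructed for illustration.

```powershell
# Added example (not from the original guide). It reads gpg's machine-readable
# status lines (--status-fd) instead of the human-readable text shown in Step 4.
$Expected = 'DD09E41309750EBFAE0DEF63509249B068D215AE'  # fingerprint from this guide, spaces removed

function Test-GpgStatus {  # hypothetical helper name
    param([string[]]$StatusLines, [string]$ExpectedFingerprint)
    $good = $false
    $primary = $null
    foreach ($line in $StatusLines) {
        if ("$line".Trim() -match '^\[GNUPG:\] (\S+)\s*(.*)$') {
            $keyword = $Matches[1]
            $fields = $Matches[2] -split '\s+'
            switch ($keyword) {
                'GOODSIG'  { $good = $true }
                # The tenth VALIDSIG field is the primary key fingerprint.
                'VALIDSIG' { $primary = $fields[9] }
                # Any failed, expired or revoked signature rejects the file.
                { $_ -in 'BADSIG', 'ERRSIG', 'EXPSIG', 'EXPKEYSIG', 'REVKEYSIG' } { return $false }
            }
        }
    }
    # Fails closed: both a good signature and the expected fingerprint are required.
    return ($good -and ($primary -eq $ExpectedFingerprint))
}

# Constructed sample status lines (dates and algorithm numbers are made up).
$sampleGood = @(
    '[GNUPG:] NEWSIG',
    '[GNUPG:] GOODSIG 509249B068D215AE ShiftCrypto Security <security@shiftcrypto.ch>',
    "[GNUPG:] VALIDSIG $Expected 2024-01-01 1704067200 0 4 0 1 10 00 $Expected"
)
$sampleBad = @('[GNUPG:] BADSIG 509249B068D215AE ShiftCrypto Security <security@shiftcrypto.ch>')
"Constructed good sample accepted: $(Test-GpgStatus -StatusLines $sampleGood -ExpectedFingerprint $Expected)"
"Constructed bad sample accepted:  $(Test-GpgStatus -StatusLines $sampleBad -ExpectedFingerprint $Expected)"

# Real check: file name is the guide's 4.39.0 example, change it to your version.
$Signature = 'BitBox-4.39.0-win64-installer.exe.asc'
if (Test-Path $Signature) {
    # Status lines go to stdout (fd 1); gpg's usual messages still appear on screen.
    $status = & gpg --status-fd 1 --verify $Signature
    if (Test-GpgStatus -StatusLines $status -ExpectedFingerprint $Expected) {
        'Verified: good signature from the expected key.'
    } else {
        'NOT verified: do not run the installer.'
    }
}
```

The trust warning mentioned above does not affect this result, because the script compares the fingerprint directly rather than relying on gpg's trust setting.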