How to verify the app release on Windows?

Verifying your BitBoxApp download ensures you have the genuine version that was signed by BitBox. While not strictly necessary, it is good security practice: it detects whether the file was manipulated in transit or did not originate from BitBox at all.

The BitBox02 generally does not trust your host device, including the BitBoxApp, and will not accept unsigned firmware. Your private keys never leave the device, and every address and transaction is shown on the device's own screen for confirmation, so even a manipulated BitBoxApp cannot access your private keys and steal your coins as long as you check what the device displays. Because of this, it is safe to use the BitBoxApp and BitBox02 even without verifying the download first.

This guide for Windows users walks you through each step if you still want to perform the manual signature verification.

This guide is also available for Linux and MacOS!

Preliminaries

Make sure GPG (GNU Privacy Guard) is installed on your Windows system. You can download and install the Windows distribution, Gpg4win, here.

You can check whether GPG is installed by running gpg --version in a Command Prompt or PowerShell window: you will see either the installed version or an error saying the command is not recognized. Once GPG is installed, proceed with the verification steps below.

Step 1: Download the app and the signature

First you will need to download both the BitBoxApp installer and its corresponding signature file. You can download the .exe installer file for the BitBoxApp and the .exe.asc signature file from our official releases page on GitHub.

Download both files and ensure they are in the same folder.

Step 2: Open Command Prompt

For the actual verification we will use the standard Windows Command Prompt (cmd.exe). Open it by searching for "cmd" in the search bar, or by pressing Windows + R and entering "cmd.exe". If you like, navigate to the folder containing the downloaded files (e.g. with cd Downloads).

Step 3: Import our Public Key

In order to verify our signature, you first need to import our corresponding public key, which you can download from our website. The email address associated with the key is security@shiftcrypto.ch and the fingerprint of the key is DD09 E413 0975 0EBF AE0D EF63 5092 49B0 68D2 15AE.

To download and import the key into GPG, run this command in the Command Prompt window:

curl https://bitbox.swiss/download/shiftcryptosec-509249B068D215AE.gpg.asc | gpg --import

This will download the key using curl and hand it over to gpg to be imported. Note: if you use PowerShell instead of the Command Prompt, type curl.exe rather than curl, because in PowerShell curl is an alias for Invoke-WebRequest and the pipe into gpg will not behave as expected.

After importing, confirm that the key you received is really ours by running gpg --fingerprint security@shiftcrypto.ch and comparing the displayed fingerprint with DD09 E413 0975 0EBF AE0D EF63 5092 49B0 68D2 15AE. If it does not match, do not continue; the download may have been tampered with.

Step 4: Verifying the signature

Now that you have imported our public key and downloaded both the installer and signature file, you can finally verify that the signature is actually valid, attesting that the BitBoxApp you downloaded came from BitBox.

The file names in the following command will vary depending on the version you downloaded (4.39.0 in this case). Also make sure you are either in the correct path ("Downloads" directory in this case) or use the full path instead. To obtain a full path, simply right-click the file in Windows Explorer and select "Copy as path".

Verify the signature with the following command, providing the relative or full path to the .exe.asc signature file as an argument. GPG looks for the signed installer under the same name without the .asc extension, which is why both files must be in the same folder:

gpg --verify "BitBox-4.39.0-win64-installer.exe.asc"

Provided the signature is valid, the output will include a line starting with gpg: Good signature from, followed by the primary key fingerprint, and look something like this:

You can trust this signature if the key fingerprint matches DD09 E413 0975 0EBF AE0D EF63 5092 49B0 68D2 15AE, which is also displayed for every release on GitHub. If you instead see BAD signature, or gpg reports that it cannot find the public key, do not run the installer.

Note: You will likely see the warning "This key is not certified with a trusted signature!" here, as shown in the screenshot above. This is to be expected, since your GPG installation has only just learned about this key and you have not explicitly marked it as trusted. The warning concerns GPG's web of trust, not the validity of the signature itself; what matters is the "Good signature" result together with a matching fingerprint. You can therefore ignore this warning.
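The four steps above, collected into one script. This is an added example written for this guide, not a tool provided by BitBox; it is PowerShell rather than cmd.exe so that the fingerprint check can be automated, and it assumes Gpg4win's gpg.exe is on your PATH and that the installer and its .exe.asc file are in the current folder. The installer file name is the one used in this guide and must be adjusted to the version you downloaded. Instead of matching the human-readable "Good signature" text, it asks gpg for its machine-readable status lines and checks the VALIDSIG record, which carries the fingerprint of the key that made the signature.

```powershell
# Added example for this guide (not BitBox's own tooling).
# Assumes: gpg.exe (Gpg4win) on PATH; installer and .exe.asc in the current folder.
$ErrorActionPreference = 'Stop'

# Fingerprint published by BitBox (spaces removed; gpg status output prints it this way).
$ExpectedFpr = 'DD09E41309750EBFAE0DEF63509249B068D215AE'
$KeyUrl      = 'https://bitbox.swiss/download/shiftcryptosec-509249B068D215AE.gpg.asc'
$Installer   = 'BitBox-4.39.0-win64-installer.exe'   # adjust to the version you downloaded
$Signature   = "$Installer.asc"

# Step 3: import the public key. curl.exe is used explicitly because in PowerShell
# plain 'curl' is an alias for Invoke-WebRequest.
curl.exe -fsSL $KeyUrl | gpg --import
if ($LASTEXITCODE -ne 0) { throw 'gpg --import failed' }

# Check that a key with the expected fingerprint is now in the keyring.
# --with-colons gives parseable records; 'fpr' records carry the fingerprint in field 10.
$fprs = gpg --with-colons --fingerprint $ExpectedFpr 2>$null |
        Where-Object { $_ -like 'fpr:*' } |
        ForEach-Object { ($_ -split ':')[9] }
if ($fprs -notcontains $ExpectedFpr) {
    throw "Key with fingerprint $ExpectedFpr not found in keyring; do not continue"
}

# Step 4: verify the detached signature. --status-fd 1 sends machine-readable status
# lines to stdout. A VALIDSIG line is only emitted for a cryptographically valid signature;
# field 2 is the signing-key fingerprint, the last field the primary-key fingerprint.
$status = gpg --status-fd 1 --verify $Signature $Installer 2>$null
$valid  = $status | Where-Object { $_ -like '[GNUPG:] VALIDSIG *' } | Select-Object -First 1
if (-not $valid) {
    throw "No valid signature on $Installer (look for BADSIG or NO_PUBKEY in: gpg --verify $Signature)"
}

$fields     = $valid -split ' '
$signingFpr = $fields[2]
$primaryFpr = $fields[-1]
if ($signingFpr -ne $ExpectedFpr -and $primaryFpr -ne $ExpectedFpr) {
    # Valid signature, but from a key we did not expect: treat as a failure.
    throw "Signature is valid but made by an unexpected key: $signingFpr (primary $primaryFpr)"
}

"OK: $Installer carries a valid signature from key $ExpectedFpr"
```

Run it from a PowerShell window opened in your Downloads folder. Any failure raises an error and stops the script before you are tempted to run the installer; the "not certified with a trusted signature" warning discussed above is not an error and does not affect the VALIDSIG check, because the script pins the fingerprint itself instead of relying on GPG's web of trust.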