Verifying the BitBoxApp is a straightforward process, ensuring you have the genuine version that was signed by BitBox. This guide is here to help you every step of the way.
Step 1. Download the app and the signature
Download both the app and its corresponding .asc signature from our official releases GitHub page.
- Ubuntu/Mint/Debian users can download the bitbox_4.39.0_amd64.deb package. And the .deb.asc signature.
- Fedora users can download the .rpm package. And the .rpm.asc signature.
You can also use the .AppImage and the .AppImage.asc signature. for any other linux distribution.
Ensure both files are in the same folder.
Step 2. Open a terminal
Opening a terminal depends on your linux distribution and desktop environment. However, most distros offer the option to open a file explorer, right-click within the folder containing the files, and select "Open Terminal" or a similar option.
Step 3. Download and import the public key
To verify the signature, download our public key and import it. Use the following command in your terminal:
curl https://bitbox.swiss/download/shiftcryptosec-509249B068D215AE.gpg.asc | gpg --import
Step 4. Verify the signature
Now, you can verify that the app you downloaded was actually signed by us, by verifying its corresponding signature.
The file name could be different, this is an example for the app version _v.4.39.0_ with the .deb package type in this command, but change the file name according to your version and package:
gpg --verify bitbox_4.39.0_amd64.deb.asc
Tipp: when typing in the command, you can use the tab key to auto complete the name of the signature. It will probably auto complete to just the .deb for example so make sure to add the .asc file extension.
Ensure the fingerprint in the output matches DD09 E413 0975 0EBF AE0D EF63 5092 49B0 68D2 15AE.
If the fingerprint is correct and the output contains gpg: Good signature from "ShiftCrypto Security <email@example.com>" [unknown], the verification succeeded!
You might see a warning about the key not being certified with a trusted signature. This is normal and only indicates that you haven't explicitly configured gpg to trust our public key.