We encourage our users to verify our releases. You can follow the signature verification guides for Linux, macOS, and Windows to verify the authenticity and integrity of the downloaded file. This not only ensures the integrity of the download, but also ensures the file was created and signed by BitBox.

Although verifying your downloads is a good security practice, it is not strictly required in order to use your BitBox securely. The BitBox does not trust your host device, including the BitBoxApp, which means that even a malicious app cannot directly access your wallet. Never enter your recovery words on your computer or smartphone.

To simply verify the checksum that's listed on the download page, please follow these steps, depending on your operating system:

Windows

  1. Open a Command Prompt (CMD) window. You can do so quickly by hitting Windows + R and entering “cmd”. 
     
  2. Enter certutil -hashfile, then drag the downloaded .exe file onto the command prompt window, which will autofill the file path for you. Alternatively, you can manually enter the full or relative file location. Add SHA256 at the end. For example, the full command may look like this:

    certutil -hashfile "C:\Users\Satoshi\Downloads\BitBox-4.47.0-win64-installer.exe" SHA256

    Note: Do not forget to add SHA256 at the end of the command, otherwise the certutil command will default to a different hashing algorithm, and you would see a different result. 
     
  3. You should now see a SHA-256 hash value of the downloaded file. Compare it against the SHA-256 checksum displayed on the BitBox website. It should be an exact match.
     
  4. That's it.

macOS

  1. Open a Terminal window. You can find the Terminal application in Launchpad or search for it with Spotlight.
     
  2. Enter shasum -a 256, then drag the downloaded .dmg file onto the terminal screen, which will autofill the file path for you. Alternatively, you can manually enter the full or relative file location. For example, the command may look like this:

    shasum -a 256 /Users/satoshi/Downloads/BitBox-4.47.0-macOS.dmg
     
  3. Press Enter.
     
  4. You should now see a SHA-256 hash value of the downloaded file. Compare it against the SHA-256 checksum displayed on the BitBox website. It should be an exact match.
     
  5. That's it.

Note: macOS automatically performs a signature check when trying to install the BitBoxApp, which would raise a warning if something was amiss. If you trust the macOS signature verification process, verifying the checksum or signature manually is not necessary.

 

Linux

You can follow the macOS instructions for most Linux distributions. If shasum -a 256 does not work, try using sha256sum instead.

Android

To be able to verify the checksum directly on your Android device, please install additional software for hash generation and/or verification. Recommended options include:

Alternatively, you can download and verify the APK file directly on your desktop computer and follow the above guides accordingly. We also provide signature files of the Android releases on our GitHub page, which we recommend verifying on a desktop device.

To continue on your Android device:

  1. Open the verification app (e.g. DeadHash or Hash Droid, other apps will offer similar functionality).
     
  2. Select SHA-256 as the hashing algorithm, if prompted.
     
  3. Select the BitBox-4.xx.x-android.apk file you just downloaded.
     
  4. If the app requires you to enter a checksum value for comparison, copy and paste it from the checksum section on the BitBox website.
     
  5. Run the verification. You either get a success message (if you already provided the checksum value) or see the SHA-256 hash directly, which you can compare against the value on the BitBox website.
     
  6. That's it.