Verifying PGP Signature to be 100% positive I'm downloading what I intend to.

porkandbeansboy
Newbie
Posts: 6
Joined: Wed Nov 29, 2023 7:26 am

Post by porkandbeansboy »

I'm hoping someone here can give me a simple, step-by-step instruction guide that will help me verify the files of my qBittorrent download to make sure I'm not potentially downloading anything nefarious.

Re: Verifying PGP Signature to be 100% positive I'm downloading what I intend to.

Post by porkandbeansboy »

Should I be posting this topic in another part of the forum that's more appropriate?
Peter
Administrator
Posts: 2732
Joined: Wed Jul 07, 2010 6:14 pm

Re: Verifying PGP Signature to be 100% positive I'm downloading what I intend to.

Post by Peter »

Ha, this always comes up. I always test it myself, it works for me and it doesn't for the user.
Not sure what to tell ya.

- get the sig from website
- import sig with gpg
- grab the installer you'd like
- grab the signature for the installer
- check gpg --verify
- it's OK, "Good signature"

that's about it.

Re: Verifying PGP Signature to be 100% positive I'm downloading what I intend to.

Post by porkandbeansboy »

I was hoping that there might be an official qBittorrent guide that is slightly more detailed than that?

I can't remember where to find the SHA256 in the files I've downloaded to compare it to the provided hash files or whatever... again, I'm new to all this!

P.S. I just figured it out: I was checking the downloaded qBittorrent file itself instead of the signature file lol.
Last edited by porkandbeansboy on Tue May 28, 2024 2:44 pm, edited 2 times in total.

Re: Verifying PGP Signature to be 100% positive I'm downloading what I intend to.

Post by porkandbeansboy »

Well, the newest stupid update was just downloaded without my permission and I don't know when or how that happened, and more disturbing is that I didn't conduct any PGP verification or anything, so I don't know what just happened???
LilTroy
Newbie
Posts: 9
Joined: Fri Apr 19, 2024 12:32 am

Re: Verifying PGP Signature to be 100% positive I'm downloading what I intend to.

Post by LilTroy »

porkandbeansboy wrote: Mon May 27, 2024 4:17 am
I was hoping that there might be an official qBittorrent guide that is slightly more detailed than that?

I can't remember where to find the SHA256 in the files I've downloaded to compare it to the provided hash files or whatever... again, I'm new to all this!

P.S. I just figured it out: I was checking the downloaded qBittorrent file itself instead of the signature file lol.

  • Download Gpg4win & install it.
  • Download the PGP public key used to verify the qBittorrent installer's digital signature.
  • Download the detached signature file for the installer you selected (labeled as “PGP Signature”).
  • Keep both the qBittorrent installer and its associated sig file in the same directory!
  • Open the public key file. This will launch Kleopatra (GPG's key manager) and automatically import it into your keyring.
  • Open the sig file. This will check the installer's integrity & authenticity. Click the “Show Audit Log” link. The output should indicate that the signature is good.

If it fails then there was a signature mismatch. Do not run the binary executable!

That's it. No need to play with any checksums or the command-line interface (CLI) thanks to Gpg4win's GUI frontend. ;)
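
For readers who would rather script the check: the following is an added example, not part of the thread and not qBittorrent's own tooling. It runs the same `gpg --verify` step described in the posts above with machine-readable status output, and it additionally requires that the good signature comes from the key fingerprint you expect. Assumptions: Python 3 and `gpg` (installed by Gpg4win) on PATH; `EXPECTED_FPR` is a placeholder and `SAMPLE` is constructed.

```python
import subprocess
import sys

# Placeholder, not a real key: replace with the signing key's fingerprint,
# taken from a source you trust (40 hex digits, spaces allowed).
EXPECTED_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"

# Status keywords after which the file must not be trusted.
FATAL = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY"}

# Constructed sample of `gpg --status-fd 1 --verify` output (not a real run).
SAMPLE = (
    "[GNUPG:] GOODSIG 89ABCDEF01234567 Example Signer <signer@example.org>\n"
    "[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2024-05-27 "
    "1716768000 0 4 0 1 10 00 0123456789ABCDEF0123456789ABCDEF01234567\n"
)


def signature_ok(status_text, expected_fpr=EXPECTED_FPR):
    """Return (ok, reason) for the status lines printed by gpg."""
    expected = expected_fpr.replace(" ", "").upper()
    signers = set()
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        keyword, args = fields[1], fields[2:]
        if keyword in FATAL:
            return False, keyword
        if keyword == "VALIDSIG" and args:
            # 10th field is the primary key fingerprint when gpg reports it;
            # otherwise fall back to the fingerprint of the key that signed.
            signers.add((args[9] if len(args) > 9 else args[0]).upper())
    if not signers:
        return False, "no valid signature found"
    if expected not in signers:
        return False, "good signature, but from an unexpected key"
    return True, "good signature from the expected key"


if __name__ == "__main__":
    text = SAMPLE
    if len(sys.argv) == 3:  # usage: script.py <signature file> <installer>
        text = subprocess.run(
            ["gpg", "--status-fd", "1", "--verify", sys.argv[1], sys.argv[2]],
            capture_output=True, text=True).stdout
    ok, reason = signature_ok(text)
    print(("OK: " if ok else "DO NOT RUN: ") + reason)
    sys.exit(0 if ok else 1)
```

Run without arguments it evaluates the constructed sample; with the signature file and installer as arguments it calls `gpg` and exits non-zero unless the signature is good and from the expected key.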