Verifying PGP Signature to be 100% positive I'm downloading what I intend to.

Windows specific questions, problems.
Post Reply
porkandbeansboy
Newbie
Newbie
Posts: 6
Joined: Wed Nov 29, 2023 7:26 am

Verifying PGP Signature to be 100% positive I'm downloading what I intend to.

Post by porkandbeansboy »

I'm hoping someone here can give me a simple and step by step instruction guide that will help me verify the files of my qbittorrent download to make sure I'm not potentially downloading anything nefarious.
porkandbeansboy
Newbie
Newbie
Posts: 6
Joined: Wed Nov 29, 2023 7:26 am

Re: Verifying PGP Signature to be 100% positive I'm downloading what I intend to.

Post by porkandbeansboy »

Should I be posting this topic in another part of the forum that's more appropriate?
User avatar
Peter
Administrator
Administrator
Posts: 2730
Joined: Wed Jul 07, 2010 6:14 pm

Re: Verifying PGP Signature to be 100% positive I'm downloading what I intend to.

Post by Peter »

Ha, this always comes up. I always test it myself, it works for me and it doesn't for the user.
Not sure what to tell ya.

- get the sig from website
- import sig with gpg
- grab the installer you'd like
- grab the signature for the installer
- check gpg --verify
- it's OK, "Good signature"

that's about it.
porkandbeansboy
Newbie
Newbie
Posts: 6
Joined: Wed Nov 29, 2023 7:26 am

Re: Verifying PGP Signature to be 100% positive I'm downloading what I intend to.

Post by porkandbeansboy »

I was hoping that there might be an official Qbittorrent Guide that is slightly more detailed than that?


I can't remember where to find the SHA256 in the files I've downloaded to compare it to the provided hash files or whatever.... again I'm new to this all!


P.S. I just figured it out I was checking the downloaded Qbittorrent file itself instead of the signature file lol.
Last edited by porkandbeansboy on Tue May 28, 2024 2:44 pm, edited 2 times in total.
porkandbeansboy
Newbie
Newbie
Posts: 6
Joined: Wed Nov 29, 2023 7:26 am

Re: Verifying PGP Signature to be 100% positive I'm downloading what I intend to.

Post by porkandbeansboy »

Well the newest stupid update was just downloaded without my permission and I don't when or how that happened and more disturbing is I didn't conduct any PGP verification or anything so I don't what just happened???
LilTroy
Newbie
Newbie
Posts: 9
Joined: Fri Apr 19, 2024 12:32 am

Re: Verifying PGP Signature to be 100% positive I'm downloading what I intend to.

Post by LilTroy »

porkandbeansboy wrote: Mon May 27, 2024 4:17 am I was hoping that there might be an official Qbittorrent Guide that is slightly more detailed than that?


I can't remember where to find the SHA256 in the files I've downloaded to compare it to the provided hash files or whatever.... again I'm new to this all!


P.S. I just figured it out I was checking the downloaded Qbittorrent file itself instead of the signature file lol.
  • Download Gpg4win & install it.

    Download the PGP public key used to verify the qBittorrent installer's digital signature.

    Download the detached signature file for the installer you selected (labeled as “PGP Signature”).

    Keep both the qBittorrent installer and its associated sig file in the same directory!

    Open the public key file. This will launch Kleopatra (GPG's key manager) and automatically import it into your keyring.

    Open the sig file. This will check the installer's integrity & authenticity. Click the “Show Audit Log” link. The output should indicate that the signature is good.
Image
Image
Image

If it fails then there was a signature mismatch. Do not run the binary executable!
Image
Image

That's it. No need to play with any checksums or the command-line interface (CLI) thanks to Gpg4win's GUI frontend. ;)
Post Reply