Verifying PGP Signature to be 100% positive I'm downloading what I intend to.
- Newbie
- Posts: 16
- Joined: Wed Nov 29, 2023 7:26 am
Verifying PGP Signature to be 100% positive I'm downloading what I intend to.
I'm hoping someone here can give me a simple and step by step instruction guide that will help me verify the files of my qbittorrent download to make sure I'm not potentially downloading anything nefarious.
- Newbie
- Posts: 16
- Joined: Wed Nov 29, 2023 7:26 am
Re: Verifying PGP Signature to be 100% positive I'm downloading what I intend to.
Should I be posting this topic in another part of the forum that's more appropriate?
Re: Verifying PGP Signature to be 100% positive I'm downloading what I intend to.
Ha, this always comes up. I always test it myself, it works for me and it doesn't for the user.
Not sure what to tell ya.
- get the sig from website
- import sig with gpg
- grab the installer you'd like
- grab the signature for the installer
- check gpg --verify
- it's OK, "Good signature"
that's about it.
- Newbie
- Posts: 16
- Joined: Wed Nov 29, 2023 7:26 am
Re: Verifying PGP Signature to be 100% positive I'm downloading what I intend to.
I was hoping that there might be an official Qbittorrent Guide that is slightly more detailed than that?
I can't remember where to find the SHA256 in the files I've downloaded to compare it to the provided hash files or whatever.... again I'm new to this all!
P.S. I just figured it out I was checking the downloaded Qbittorrent file itself instead of the signature file lol.
Last edited by porkandbeansboy on Tue May 28, 2024 2:44 pm, edited 2 times in total.
- Newbie
- Posts: 16
- Joined: Wed Nov 29, 2023 7:26 am
Re: Verifying PGP Signature to be 100% positive I'm downloading what I intend to.
Well the newest stupid update was just downloaded without my permission and I don't know when or how that happened, and more disturbing is I didn't conduct any PGP verification or anything so I don't know what just happened???
Re: Verifying PGP Signature to be 100% positive I'm downloading what I intend to.
porkandbeansboy wrote (Mon May 27, 2024 4:17 am):
I was hoping that there might be an official Qbittorrent Guide that is slightly more detailed than that?
I can't remember where to find the SHA256 in the files I've downloaded to compare it to the provided hash files or whatever.... again I'm new to this all!
P.S. I just figured it out I was checking the downloaded Qbittorrent file itself instead of the signature file lol.
- Download Gpg4win & install it.
- Download the PGP public key used to verify the qBittorrent installer's digital signature.
- Download the detached signature file for the installer you selected (labeled as "PGP Signature").
- Keep both the qBittorrent installer and its associated sig file in the same directory!
- Open the public key file. This will launch Kleopatra (GPG's key manager) and automatically import it into your keyring.
- Open the sig file. This will check the installer's integrity & authenticity. Click the "Show Audit Log" link. The output should indicate that the signature is good.
- If it fails then there was a signature mismatch. Do not run the binary executable!
That's it. No need to play with any checksums or the command-line interface (CLI) thanks to Gpg4win's GUI frontend.
- Newbie
- Posts: 16
- Joined: Wed Nov 29, 2023 7:26 am
Re: Verifying PGP Signature to be 100% positive I'm downloading what I intend to.
Okay, based on your tutorial I think I remembered how to do it after not doing it for a long time.
I imported the signature PGP key and then I imported it into Kleopatra, which I then used to verify that the downloaded installer I got is legit, and it said verified in green so I'm assuming it's good, especially since I made sure the SHA256 was correct for where I downloaded it from... if I did any of these steps incorrectly or skipped a step and I'm giving myself a false sense of security please let me know.
Re: Verifying PGP Signature to be 100% positive I'm downloading what I intend to.
porkandbeansboy wrote (Tue Aug 20, 2024 4:01 am):
Okay, based on your tutorial I think I remembered how to do it after not doing it for a long time.
I imported the signature PGP key and then I imported it into Kleopatra, which I then used to verify that the downloaded installer I got is legit, and it said verified in green so I'm assuming it's good, especially since I made sure the SHA256 was correct for where I downloaded it from... if I did any of these steps incorrectly or skipped a step and I'm giving myself a false sense of security please let me know.
You don't import the signature file; you just download it and check it against the qBittorrent installer. The public key is all you need to import into Kleopatra. The reason you import the key is for future use, so the next time you need to check a signature for the qBittorrent installer you won't have to download it again. You'll already have it in your keyring. Follow the exact instructions I gave you. It'll attempt to verify the target file. If even a single bit inside the installer has changed then it'll report "BAD signature" in the audit log viewer window. You can modify the installer yourself to test this. The signature will no longer match the file.
Re: Verifying PGP Signature to be 100% positive I'm downloading what I intend to.
@porkandbeansboy Checking the digital signature with GPG ensures both the integrity of the file and its authenticity. You not only know that the installer hasn't changed since it was signed, you also know that it came from the intended publisher. If you just check the installer's hash value (SHA256 in this case) it will only tell you that the file hasn't changed since it was released. There are many different ways to check its hash value. Windows already has the functionality built in. If you open the command prompt (cmd) or PowerShell you can use the following command to generate the installer's SHA256 hash.
Code:
certutil -hashfile <path_to_file> sha256
Now simply compare the hash we just generated above with the one listed on the site.
They match. You can also use GPG to verify the checksum/hash but it's easier to do it this way. Perhaps the easiest way is to just upload the installer to VirusTotal. It'll immediately spit out its SHA256 hash and check the file for malware.
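The CLI steps given earlier in the thread (import key, gpg --verify, look for "Good signature") and the hash comparison in this post, as an added example that is not the qBittorrent project's code or anyone's post here: it hashes the installer (refusing a .sig/.asc file, the slip from earlier in the thread), compares it with the published SHA256, and reads gpg's machine-readable --status-fd output instead of grepping for "Good signature". It assumes gpg is on PATH for gpg_verify(); the file names, key ids and status lines used are constructed.

```python
import hashlib
import hmac
import subprocess
import tempfile
from pathlib import Path

SIG_SUFFIXES = {".asc", ".sig"}  # detached-signature files are not the installer

def sha256_of_file(path):
    """Hex SHA256 of a file, streamed so large installers fit in memory."""
    if Path(path).suffix.lower() in SIG_SUFFIXES:
        # the mistake from the thread: hashing the signature file instead of the installer
        raise ValueError("hash the installer itself, not its .sig/.asc file")
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def hash_matches(path, published_hex):
    """Compare with the hash listed on the download page; letter case does not matter."""
    return hmac.compare_digest(sha256_of_file(path), published_hex.strip().lower())

def classify_gpg_status(status_text):
    """Interpret gpg's machine-readable --status-fd lines rather than grepping the
    human text 'Good signature'. GOODSIG alone only says some key in the keyring
    verified it; VALIDSIG carries the fingerprint to compare with the project's key."""
    keywords = {line.split()[1] for line in status_text.splitlines()
                if line.startswith("[GNUPG:] ") and len(line.split()) > 1}
    if "BADSIG" in keywords:
        return "bad"        # file changed since it was signed: do not run it
    if "NO_PUBKEY" in keywords:
        return "no_pubkey"  # the public key was never imported (the import step was skipped)
    if {"GOODSIG", "VALIDSIG"} <= keywords:
        return "good"
    return "unknown"

def gpg_verify(sig_path, installer_path):
    # requires gpg on PATH; --status-fd 1 sends the status lines to stdout
    proc = subprocess.run(["gpg", "--status-fd", "1", "--verify", str(sig_path),
                           str(installer_path)], capture_output=True, text=True)
    return classify_gpg_status(proc.stdout)

def demo():
    """Constructed sample: a fake 'installer' whose SHA256 is known in advance."""
    with tempfile.TemporaryDirectory() as d:
        installer = Path(d) / "qbittorrent_setup.exe"
        installer.write_bytes(b"hello")  # sha256 = 2cf24dba...9824
        published = "2CF24DBA5FB0A30E26E83B2AC5B9E29E1B161E5C1FA7425E73043362938B9824"
        return hash_matches(installer, published)
```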
- Newbie
- Posts: 16
- Joined: Wed Nov 29, 2023 7:26 am
Re: Verifying PGP Signature to be 100% positive I'm downloading what I intend to.
Okay thanks that information does help a little bit.
- Newbie
- Posts: 16
- Joined: Wed Nov 29, 2023 7:26 am
Re: Verifying PGP Signature to be 100% positive I'm downloading what I intend to.
Yeah the huge problem I'm having right now with a new update I got to download is that the signature file I downloaded is showing a SHA256 that is totally different looking at it with powershell compared to what the website is telling me the SHA256 is?
no more updates for this sketchy client anymore and since qbittorrent makes it nearly impossible to do that among other basic functionality I will not be using it anymore unfortunately and that sucks cuz windows has shit all alternatives so I'm probably going Linux if I have to deal with this.
Re: Verifying PGP Signature to be 100% positive I'm downloading what I intend to.
porkandbeansboy wrote (Thu Sep 19, 2024 12:01 am):
...no more updates for this sketchy client anymore and since qbittorrent makes it nearly impossible to do that among other basic functionality I will not be using it anymore unfortunately and that sucks cuz windows has shit all alternatives so I'm probably going Linux if I have to deal with this.
You should write your own BitTorrent client I think. On top of your own operating system and kernel. Only way to be safe. I mean Linus has done it so it should be pretty easy. 1 working day tops. Using an open-source BIOS is also important. But I would not trust the existing ones out there like CoreBoot, LibreBoot. You should write your own, 100%. On top of all that, I recommend using a CPU/platform like OpenRISC; it might be the safest.
Even if you do that, the glowing people are always watching. Can't be safe unless you airgap yourself from all electronics. Stay safe, brother.
Re: Verifying PGP Signature to be 100% positive I'm downloading what I intend to.
Peter wrote (Thu Sep 19, 2024 11:04 am):
porkandbeansboy wrote (Thu Sep 19, 2024 12:01 am):
...no more updates for this sketchy client anymore and since qbittorrent makes it nearly impossible to do that among other basic functionality I will not be using it anymore unfortunately and that sucks cuz windows has shit all alternatives so I'm probably going Linux if I have to deal with this.
You should write your own BitTorrent client I think. On top of your own operating system and kernel. Only way to be safe. I mean Linus has done it so it should be pretty easy. 1 working day tops. Using an open-source BIOS is also important. But I would not trust the existing ones out there like CoreBoot, LibreBoot. You should write your own, 100%. On top of all that, I recommend using a CPU/platform like OpenRISC; it might be the safest.
Even if you do that, the glowing people are always watching. Can't be safe unless you airgap yourself from all electronics. Stay safe, brother.
Haha. This is a classic case of PEBKAC.