Verifying PGP Signature to be 100% positive I'm downloading what I intend to.

Windows specific questions, problems.
porkandbeansboy
Newbie
Posts: 16
Joined: Wed Nov 29, 2023 7:26 am

Verifying PGP Signature to be 100% positive I'm downloading what I intend to.

Post by porkandbeansboy »

I'm hoping someone here can give me a simple and step by step instruction guide that will help me verify the files of my qbittorrent download to make sure I'm not potentially downloading anything nefarious.
porkandbeansboy
Newbie
Posts: 16
Joined: Wed Nov 29, 2023 7:26 am

Re: Verifying PGP Signature to be 100% positive I'm downloading what I intend to.

Post by porkandbeansboy »

Should I be posting this topic in another part of the forum that's more appropriate?
Peter
Administrator
Posts: 2827
Joined: Wed Jul 07, 2010 6:14 pm

Re: Verifying PGP Signature to be 100% positive I'm downloading what I intend to.

Post by Peter »

Ha, this always comes up. I always test it myself, it works for me and it doesn't for the user.
Not sure what to tell ya.

- get the sig from website
- import sig with gpg
- grab the installer you'd like
- grab the signature for the installer
- check gpg --verify
- it's OK, "Good signature"

that's about it.
porkandbeansboy
Newbie
Posts: 16
Joined: Wed Nov 29, 2023 7:26 am

Re: Verifying PGP Signature to be 100% positive I'm downloading what I intend to.

Post by porkandbeansboy »

I was hoping that there might be an official Qbittorrent Guide that is slightly more detailed than that?


I can't remember where to find the SHA256 in the files I've downloaded to compare it to the provided hash files or whatever.... again I'm new to this all!


P.S. I just figured it out I was checking the downloaded Qbittorrent file itself instead of the signature file lol.
porkandbeansboy
Newbie
Posts: 16
Joined: Wed Nov 29, 2023 7:26 am

Re: Verifying PGP Signature to be 100% positive I'm downloading what I intend to.

Post by porkandbeansboy »

Well, the newest stupid update was just downloaded without my permission and I don't know when or how that happened, and more disturbing is I didn't conduct any PGP verification or anything, so I don't know what just happened???
LilTroy
Member
Posts: 51
Joined: Fri Apr 19, 2024 12:32 am

Re: Verifying PGP Signature to be 100% positive I'm downloading what I intend to.

Post by LilTroy »

porkandbeansboy wrote: Mon May 27, 2024 4:17 am I was hoping that there might be an official Qbittorrent Guide that is slightly more detailed than that?


I can't remember where to find the SHA256 in the files I've downloaded to compare it to the provided hash files or whatever.... again I'm new to this all!


P.S. I just figured it out I was checking the downloaded Qbittorrent file itself instead of the signature file lol.
  • Download Gpg4win & install it.
  • Download the PGP public key used to verify the qBittorrent installer's digital signature.
  • Download the detached signature file for the installer you selected (labeled as “PGP Signature”).
  • Keep both the qBittorrent installer and its associated sig file in the same directory!
  • Open the public key file. This will launch Kleopatra (GPG's key manager) and automatically import it into your keyring.
  • Open the sig file. This will check the installer's integrity & authenticity. Click the “Show Audit Log” link. The output should indicate that the signature is good.

If it fails then there was a signature mismatch. Do not run the binary executable!

That's it. No need to play with any checksums or the command-line interface (CLI) thanks to Gpg4win's GUI frontend. ;)
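Both sets of steps in this thread (the gpg --verify list and the Kleopatra walkthrough) end at "Good signature" or a green result. What neither result says on its own is which key produced the signature: gpg reports a good signature for any key that happens to be in your keyring, so if the key file you imported came from the same page as the installer, a tampered download page could hand you a matching key and signature. The script below is an added example for this thread, not code from the original posts or from the qBittorrent project. It runs the same check Gpg4win's gpg.exe performs, from PowerShell, but reads gpg's machine-readable status lines instead of the human-readable text and accepts the result only when the signing key's fingerprint (or its primary key's fingerprint) matches one you pinned in advance. The fingerprint value and the file names are placeholders; obtain the real fingerprint from somewhere other than the download itself.

```powershell
# Added example for this thread; not code from the original posts or from the
# qBittorrent project. Assumes Gpg4win is installed (gpg.exe on PATH) and that
# the publisher's public key has already been imported. The fingerprint below
# is a PLACEHOLDER (assumption): replace it with the one you obtained out of
# band (project site, release notes, a previously trusted install).

$ExpectedFingerprint = '0000000000000000000000000000000000000000'   # placeholder

function Test-GpgStatus {
    # Interpret gpg's --status-fd lines rather than grepping the localised
    # "Good signature" text. Returns $true only when a VALIDSIG is present,
    # no failure line appeared, and the signing key or its primary key matches
    # the pinned fingerprint.
    param(
        [string[]]$StatusLines = @(),
        [Parameter(Mandatory)][string]$ExpectedFpr
    )
    $pinned = ($ExpectedFpr -replace '\s', '').ToUpperInvariant()

    # Any of these means the check has failed, whatever else gpg printed.
    $failPattern = '^\[GNUPG:\] (BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG|NO_PUBKEY|NODATA)\b'
    if ($StatusLines | Where-Object { $_ -match $failPattern }) { return $false }

    foreach ($line in $StatusLines) {
        if ($line -notmatch '^\[GNUPG:\] VALIDSIG ') { continue }
        # VALIDSIG <sig-key-fpr> <date> <ts> <expire> <ver> <rsvd> <pk-algo>
        #          <hash-algo> <class> <primary-key-fpr>
        $fields     = $line.Trim() -split '\s+'
        $signingFpr = $fields[2].ToUpperInvariant()
        $primaryFpr = $fields[-1].ToUpperInvariant()
        if ($signingFpr -eq $pinned -or $primaryFpr -eq $pinned) { return $true }
    }
    return $false
}

function Confirm-InstallerSignature {
    param(
        [Parameter(Mandatory)][string]$Installer,
        [Parameter(Mandatory)][string]$Signature,   # the detached .asc from the download page
        [string]$ExpectedFpr = $ExpectedFingerprint
    )
    if (-not (Get-Command gpg -ErrorAction SilentlyContinue)) {
        throw 'gpg.exe not found on PATH; install Gpg4win first.'
    }
    # --status-fd 1 sends the machine-readable status to stdout; --batch
    # suppresses prompts. The signature file comes first, then the data file.
    $status = & gpg --batch --status-fd 1 --verify $Signature $Installer 2>$null
    $lines  = @($status | Where-Object { $_ })
    $ok     = Test-GpgStatus -StatusLines $lines -ExpectedFpr $ExpectedFpr
    if ($ok) {
        Write-Host "OK: $Installer is signed by key $ExpectedFpr" -ForegroundColor Green
    } else {
        Write-Host "FAIL: signature check did not pass. Do not run $Installer." -ForegroundColor Red
    }
    return $ok
}

# Usage (file names are placeholders):
#   Confirm-InstallerSignature -Installer .\installer.exe -Signature .\installer.exe.asc
```

To see the failure path, copy the installer, change one byte in the copy with a hex editor, and run the function against the copy: gpg emits BADSIG and the function returns $false. Run it against the genuine installer but with a wrong pinned fingerprint and it also returns $false, even though gpg itself would have printed "Good signature"; that is the difference between "some key signed this" and "the publisher signed this".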
porkandbeansboy
Newbie
Posts: 16
Joined: Wed Nov 29, 2023 7:26 am

Re: Verifying PGP Signature to be 100% positive I'm downloading what I intend to.

Post by porkandbeansboy »

Okay, based on your tutorial I think I remembered how to do it after not doing it for a long time.


I imported the signature PGP key and then I imported it into Kleopatra, which I then used to verify that the downloaded installer I got is legit, and it said verified in green, so I'm assuming it's good, especially since I made sure the SHA256 was correct for where I downloaded it from... if I did any of these steps incorrectly or skipped a step and I'm giving myself a false sense of security, please let me know.
LilTroy
Member
Posts: 51
Joined: Fri Apr 19, 2024 12:32 am

Re: Verifying PGP Signature to be 100% positive I'm downloading what I intend to.

Post by LilTroy »

porkandbeansboy wrote: Tue Aug 20, 2024 4:01 am Okay, based on your tutorial I think I remembered how to do it after not doing it for a long time.


I imported the signature PGP key and then I imported it into Kleopatra, which I then used to verify that the downloaded installer I got is legit, and it said verified in green, so I'm assuming it's good, especially since I made sure the SHA256 was correct for where I downloaded it from... if I did any of these steps incorrectly or skipped a step and I'm giving myself a false sense of security, please let me know.
You don't import the signature file you just download it and check it against the qBittorrent installer. The public key is all you need to import into Kleopatra. The reason you import the key is for future use so the next time you need to check a signature for the qBittorrent installer you won't have to download it again. You'll already have it in your keyring. Follow the exact instructions I gave you. It'll attempt to verify the target file. If even a single bit inside the installer has changed then it'll report "BAD signature" in the audit log viewer window. You can modify the installer yourself to test this. The signature will no longer match the file.
LilTroy
Member
Posts: 51
Joined: Fri Apr 19, 2024 12:32 am

Re: Verifying PGP Signature to be 100% positive I'm downloading what I intend to.

Post by LilTroy »

@porkandbeansboy Checking the digital signature with GPG ensures both the integrity of the file and its authenticity. You not only know that the installer hasn't changed since it was signed, you also know that it came from the intended publisher. If you just check the installer's hash value (SHA256 in this case), it will only tell you that the file hasn't changed since it was released. There are many different ways to check its hash value. Windows already has the functionality built in. If you open the command prompt (cmd) or a PowerShell, you can use the following command to generate the installer's SHA256 hash.

Code:

certutil -hashfile <path_to_file> sha256

Now simply compare the hash we just generated above with the one listed on the site.

They match. You can also use GPG to verify the checksum/hash but it's easier to do it this way. Perhaps the easiest way is to just upload the installer to VirusTotal. It'll immediately spit out its SHA256 hash and check the file for malware.
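The certutil command above prints the hash and leaves the comparison to your eyes. The function below is an added example for this thread, not code from the original posts or from the qBittorrent project; it does the same computation with PowerShell's built-in Get-FileHash and compares the result to the published value programmatically. It also guards against the mistake that came up earlier in the thread, hashing the .asc signature file instead of the installer it covers, and rejects an expected value that is not a SHA-256 hash at all. The expected hash and the file name are placeholders. Keep in mind what a matching hash proves: that the bytes equal what the same web page lists, not who published them; the PGP check is what establishes the publisher.

```powershell
# Added example for this thread; not code from the original posts or from the
# qBittorrent project. The expected hash is a PLACEHOLDER (assumption): paste
# the SHA256 shown on the download page.

function Test-FileSha256 {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$ExpectedHash
    )
    # Pitfall from this thread: hashing the detached signature (.asc) instead
    # of the installer it belongs to. Those two values will never match.
    $ext = [System.IO.Path]::GetExtension($Path).ToLowerInvariant()
    if ($ext -in @('.asc', '.sig', '.gpg')) {
        Write-Warning "$Path is a detached signature, not the installer. Hash the .exe it covers."
        return $false
    }
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        Write-Warning "File not found: $Path"
        return $false
    }
    # Published hashes come in either case and are often copied with stray
    # whitespace; normalise first, then refuse anything that is not 64 hex
    # digits (a pasted SHA-1 or MD5 would otherwise just "not match" for an
    # unrelated reason).
    $expected = ($ExpectedHash -replace '\s', '').ToUpperInvariant()
    if ($expected -notmatch '^[0-9A-F]{64}$') {
        Write-Warning "Expected value is not a SHA-256 hash (need 64 hex digits, got $($expected.Length))."
        return $false
    }
    # Same digest as: certutil -hashfile <file> sha256
    $actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash.ToUpperInvariant()
    Write-Host "computed : $actual"
    Write-Host "published: $expected"
    return ($actual -eq $expected)
}

# Usage (placeholders):
#   Test-FileSha256 -Path .\installer.exe -ExpectedHash 'PASTE_HASH_FROM_DOWNLOAD_PAGE'
```

The function returns $true only on an exact match, so it can gate an install step in a script (for example, `if (Test-FileSha256 ...) { Start-Process .\installer.exe }`). The extension check is deliberately noisy: the symptom described later in this thread, a "totally different" hash, is exactly what you see when the .asc file is hashed by mistake.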
porkandbeansboy
Newbie
Posts: 16
Joined: Wed Nov 29, 2023 7:26 am

Re: Verifying PGP Signature to be 100% positive I'm downloading what I intend to.

Post by porkandbeansboy »

Okay thanks that information does help a little bit.
porkandbeansboy
Newbie
Posts: 16
Joined: Wed Nov 29, 2023 7:26 am

Re: Verifying PGP Signature to be 100% positive I'm downloading what I intend to.

Post by porkandbeansboy »

Yeah, the huge problem I'm having right now with a new update I've got to download is that the signature file I downloaded is showing a SHA256, when I look at it with PowerShell, that is totally different from what the website is telling me the SHA256 is?


No more updates for this sketchy client anymore, and since qBittorrent makes it nearly impossible to do that, among other basic functionality, I will not be using it anymore unfortunately, and that sucks because Windows has shit all alternatives, so I'm probably going Linux if I have to deal with this.
Peter
Administrator
Posts: 2827
Joined: Wed Jul 07, 2010 6:14 pm

Re: Verifying PGP Signature to be 100% positive I'm downloading what I intend to.

Post by Peter »

porkandbeansboy wrote: Thu Sep 19, 2024 12:01 am ...No more updates for this sketchy client anymore, and since qBittorrent makes it nearly impossible to do that, among other basic functionality, I will not be using it anymore unfortunately, and that sucks because Windows has shit all alternatives, so I'm probably going Linux if I have to deal with this.
You should write your own BitTorrent client, I think. On top of your own operating system and kernel. Only way to be safe. I mean, Linus has done it, so it should be pretty easy. 1 working day tops. Using an open-source BIOS is also important. But I would not trust the existing ones out there like coreboot or Libreboot. You should write your own, 100%. On top of all that, I recommend a CPU/platform like OpenRISC; it might be the safest.

Even if you do that, the glowing people are always watching. Can't be safe unless you airgap yourself from all electronics. Stay safe, brother.
sha256.png (103.72 KiB)
LilTroy
Member
Posts: 51
Joined: Fri Apr 19, 2024 12:32 am

Re: Verifying PGP Signature to be 100% positive I'm downloading what I intend to.

Post by LilTroy »

Peter wrote: Thu Sep 19, 2024 11:04 am
porkandbeansboy wrote: Thu Sep 19, 2024 12:01 am ...No more updates for this sketchy client anymore, and since qBittorrent makes it nearly impossible to do that, among other basic functionality, I will not be using it anymore unfortunately, and that sucks because Windows has shit all alternatives, so I'm probably going Linux if I have to deal with this.
You should write your own BitTorrent client, I think. On top of your own operating system and kernel. Only way to be safe. I mean, Linus has done it, so it should be pretty easy. 1 working day tops. Using an open-source BIOS is also important. But I would not trust the existing ones out there like coreboot or Libreboot. You should write your own, 100%. On top of all that, I recommend a CPU/platform like OpenRISC; it might be the safest.

Even if you do that, the glowing people are always watching. Can't be safe unless you airgap yourself from all electronics. Stay safe, brother.

sha256.png
Haha. This is a classic case of PEBKAC.