Where are the .asc files?

Posted: Wed Jul 19, 2023 1:14 pm
by JohnT
I'm trying to verify my QBT download is legitimate and clean. (Following this guide.)

But where are the .asc files? I can only see the public key at the top of the Downloads page?

Re: Where are the .asc files?

Posted: Wed Jul 19, 2023 11:33 pm
by Peter
It's here, on the top:

https://www.qbittorrent.org/download

Re: Where are the .asc files?

Posted: Thu Jul 20, 2023 10:13 am
by JohnT
Peter wrote: Wed Jul 19, 2023 11:33 pm It's here, on the top:

https://www.qbittorrent.org/download
Thanks Peter. Actually, it's not the public key I was looking for but the signature for the actual download file. I've now found these files on Fosshub - next to each corresponding file.

As someone who doesn't understand PGP very well (forgive my ignorance) this concerns me... isn't it risky hosting the signatures on a third party site? If Fosshub were compromised and wanted to deliver spyware to certain individuals, they could send personalized versions of both the binaries and corresponding signatures? Or does the public key make this kind of tampering impossible?

Re: Where are the .asc files?

Posted: Thu Jul 20, 2023 11:06 am
by Peter
JohnT wrote: Thu Jul 20, 2023 10:13 am isn't it risky hosting the signatures on a third party site? If Fosshub were compromised and wanted to deliver spyware to certain individuals, they could send personalized versions of both the binaries and corresponding signatures? Or does the public key make this kind of tampering impossible?
I mean, what is, where is ever safe?
- Github could be compromised from their side; both their infrastructure, or frontend, or a privilege escalation issue
- Developer accounts could be compromised and could submit rogue code
- The binaries could be swapped out, injected and the signature modified too - as you said

There is really nothing out there that guarantees that something is safe. Anti-virus was used for this, but AV programs always struggled if the code was injected for a specific purpose. I.e.: someone created a malware just for this injection. And AV vendors are complaining now that AI is being used for generative malware too.

There is only one way to make sure something is super safe. IF something is open-source and the source code is small enough and you are a black-belt programmer, you may verify the whole source code and make sure it is safe. And then compile it for yourself. But, good luck with that with a bigger project. (For example, here, you have Qt, libtorrent, and qBittorrent itself. Three projects.)

Safety is a mindset I'd say. If you want to live in safety in the digital world, you have to severely cripple yourself, so to speak. For example, some people use Qubes OS (https://www.qubes-os.org/) where you'd isolate programs into "Qubes". You could also run qBittorrent in Docker, and only let it access your given folders. Then again, it could infect downloaded data then. But oh you just wait. The downloaded data. Exactly. Unless you are sharing data that you well know, that is byte-by-byte the same thing you know, it might be infected as well. I've personally witnessed it happening even on private trackers. Who can stop you from uploading some random game or program to a site, with some freshly baked malware? No one. Even if the torrents are checked, even if moderators would download it, AV detection will fail and people will carry on with their life.

Security conscious people usually run laptops with open firmwares flashed on them, with Intel ME wiped out and they run only open-source software. Not only that, some don't even use the internet. See RMS himself.

Long story short, if you want to "stay safe": Don't torrent if safety is a concern.

Sorry for the book.

Re: Where are the .asc files?

Posted: Thu Jul 20, 2023 11:28 am
by JohnT
Peter wrote: Thu Jul 20, 2023 11:06 am Sorry for the book.
No that was fascinating and very helpful indeed, thank you!

I'm not super-techy and certainly won't be examining source code, I just wanted to see if I could verify the installer files because I have strong reason to believe that files I've downloaded with QBT have been altered by hackers. (And I'm starting to believe this practice is way more common than most people realise.)

But going back to my earlier question, would it not be more secure for the owners of this site to simply host the download signatures here along with the public key, rather than on a 3rd party site? They're only small files so why not? Just curious?

Re: Where are the .asc files?

Posted: Thu Jul 20, 2023 11:48 am
by JohnT
Update: I've now checked the installer files with the signatures, and it's saying they cannot be verified, which confirms my suspicions. So I believe Fosshub are compromised and delivering malware that's subtle enough to pass under the radar of virus checkers.

Re: Where are the .asc files?

Posted: Thu Jul 20, 2023 11:54 am
by Peter
JohnT wrote: Thu Jul 20, 2023 11:48 am Update: I've now checked the installer files with the signatures, and it's saying they cannot be verified, which confirms my suspicions. So I believe Fosshub are compromised and delivering malware that's subtle enough to pass under the radar of virus checkers.
Interesting.
$ gpg --verify qbittorrent_4.5.4_x64_setup.exe.asc qbittorrent_4.5.4_x64_setup.exe

gpg: Good signature from "sledgehammer_999 (Used for signing git commits/tags/etc) <[email protected]>" [unknown]
gpg: aka "sledgehammer999 (Used for signing qBittorrent source tarballs and binaries v2.) <[email protected]>" [unknown]
You can also check the sha value:
$ sha256sum qbittorrent_4.5.4_x64_setup.exe
3ba266ddbe5624aeedec1a23c6bf86d6cfd5b547e8c1a31169f6a08434c9e615 qbittorrent_4.5.4_x64_setup.exe
From FOSSHUB:
"sha256 3ba266ddbe5624aeedec1a23c6bf86d6cfd5b547e8c1a31169f6a08434c9e615"
From qbittorrent.org:
Version SHA2-256
4.5.4 3ba266ddbe5624aeedec1a23c6bf86d6cfd5b547e8c1a31169f6a08434c9e615
4.5.4 (lt20 qt5) c650f71f6aa38c6fb769e5f809a215eb671632273af37d7825fa0a14729d7b35
4.5.4 (qt6) 42b1abe7f8d14912f410b55e403b66eb705f47f05df7999194b7e9764e16231d
4.5.4 (lt20 qt6) 0ce1511db985ea2945704185c0a9ca86b1e581a2c5c70a026d4006a4aa4d8277
4.6.0beta1 (lt12 qt6) e2af99045bce9e91c8ae9de893e88dcc37d49eb8f19e7e39fd8fc810920f4379
4.6.0beta1 (lt20 qt6) a2d01ed1223593bfeaf9d7dbf8be8ca6c797274dd8e654208d00b5d07aec1c4f
(I just grabbed it from Fosshub, like seconds ago.)

As you can see, signature is OK, perfect SHA match.
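
The two checks Peter ran above, reproduced as an added example that is not code from this thread or from the qBittorrent project. It uses a throwaway signing key and a constructed "installer" so it runs offline, and it separates the three outcomes gpg can report, which the thread never does: a signature that checks out against a public key obtained from qbittorrent.org cannot be forged by a mirror that only holds the binaries and the .asc files, because altering the binary without the private key gives BAD signature; a keyring that does not yet contain the signer's public key gives "No public key", which is the usual reason a GUI such as Kleopatra reports that a file cannot be verified, and is not by itself evidence of tampering. The signer name, e-mail address, file names and hash are all stand-ins constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread or from the qBittorrent project.
# Reproduces the two checks from the thread (gpg --verify on a detached .asc
# and a sha256 comparison against a published value) with a throwaway key and
# a constructed installer, so it runs offline. "Example Signer", app_setup.exe
# and the e-mail address are stand-ins, not the real qBittorrent signing key.
set -u

WORK=$(mktemp -d)
PUBLISHER="$WORK/publisher"     # the developer's keyring: holds the private key
DOWNLOADER="$WORK/downloader"   # the user's keyring: starts out empty
mkdir -p "$PUBLISHER" "$DOWNLOADER"
chmod 700 "$PUBLISHER" "$DOWNLOADER"

# --- publisher side: generate a signing key and sign the release -----------
GNUPGHOME="$PUBLISHER" gpg --batch --quiet --gen-key >/dev/null 2>&1 <<'EOF'
%no-protection
Key-Type: RSA
Key-Length: 2048
Key-Usage: sign
Name-Real: Example Signer
Name-Email: signer@example.com
Expire-Date: 0
%commit
EOF

INSTALLER="$WORK/app_setup.exe"
printf 'constructed installer bytes, stands in for a real binary\n' > "$INSTALLER"
# Detached ASCII-armored signature: the .asc file that sits next to the download.
GNUPGHOME="$PUBLISHER" gpg --batch --yes --armor --detach-sign \
    --output "$INSTALLER.asc" "$INSTALLER" 2>/dev/null
# The public key, as published on the project's own site rather than the mirror.
GNUPGHOME="$PUBLISHER" gpg --batch --armor --export 'Example Signer' > "$WORK/pubkey.asc"
# The sha256 value the project lists on its download page (constructed here).
PUBLISHED_SHA256=$(sha256sum "$INSTALLER" | awk '{print $1}')

# verify_status KEYRING SIGFILE DATAFILE
#   Prints one machine-readable result taken from gpg's --status-fd output:
#   GOODSIG   the signature checks out against a key in the keyring
#   BADSIG    the file does not match the signature (modified or swapped)
#   NO_PUBKEY the signer's public key is not in the keyring, so nothing was
#             checked; this is what a GUI usually shows as "cannot be verified"
verify_status() {
    GNUPGHOME="$1" gpg --batch --status-fd 1 --verify "$2" "$3" 2>/dev/null |
        awk '$1 == "[GNUPG:]" && ($2 == "GOODSIG" || $2 == "BADSIG" || $2 == "NO_PUBKEY") { print $2; exit }'
}

# sha256_matches FILE EXPECTED_HEX -> exit status 0 when the hash matches
sha256_matches() {
    actual=$(sha256sum "$1" | awk '{print $1}')
    [ "$actual" = "$2" ]
}

# --- downloader side -------------------------------------------------------
# 1. Fresh keyring, public key not imported yet: gpg can only report NO_PUBKEY.
BEFORE_IMPORT=$(verify_status "$DOWNLOADER" "$INSTALLER.asc" "$INSTALLER")

# 2. Import the key from the project's site, then verify the mirror's files: GOODSIG.
GNUPGHOME="$DOWNLOADER" gpg --batch --quiet --import "$WORK/pubkey.asc" 2>/dev/null
GENUINE=$(verify_status "$DOWNLOADER" "$INSTALLER.asc" "$INSTALLER")

# 3. A mirror that altered the binary cannot re-sign it without the private key,
#    so the original signature fails (BADSIG), and the sha256 no longer matches.
TAMPERED="$WORK/app_setup_tampered.exe"
cp "$INSTALLER" "$TAMPERED"
printf 'one extra byte' >> "$TAMPERED"
MODIFIED=$(verify_status "$DOWNLOADER" "$INSTALLER.asc" "$TAMPERED")

if sha256_matches "$INSTALLER" "$PUBLISHED_SHA256"; then GENUINE_SHA=ok; else GENUINE_SHA=mismatch; fi
if sha256_matches "$TAMPERED" "$PUBLISHED_SHA256"; then MODIFIED_SHA=ok; else MODIFIED_SHA=mismatch; fi

printf 'no key imported: %s\ngenuine file: %s (sha256 %s)\nmodified file: %s (sha256 %s)\n' \
    "$BEFORE_IMPORT" "$GENUINE" "$GENUINE_SHA" "$MODIFIED" "$MODIFIED_SHA"

# Stop the agents gpg started for the temporary keyrings.
GNUPGHOME="$PUBLISHER" gpgconf --kill gpg-agent 2>/dev/null || true
GNUPGHOME="$DOWNLOADER" gpgconf --kill gpg-agent 2>/dev/null || true
```

The practical reading for the thread: a BAD signature on a file from the mirror would support the tampering hypothesis, whereas "cannot be verified" with the signer's key not imported means the check was never performed; importing the public key from qbittorrent.org first, then re-running the verification, tells the two apart.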

Re: Where are the .asc files?

Posted: Thu Jul 20, 2023 12:02 pm
by JohnT
Forgive me, Peter, but everything you just said and posted is way over my head, sorry.

Bear in mind that just because the signatures verify successfully for you, or most people, that doesn't stop Fosshub from delivering personalized downloads to targeted individuals such as myself.

I've downloaded several installer versions from Fosshub just now including older versions. None of them can be verified. I'd love to share these files with you so you can compare with your own downloads, but is that possible without tampering?

(By the way, I'm using GPG4Win, Kleopatra GUI. I don't do command line stuff.)

Re: Where are the .asc files?

Posted: Thu Jul 20, 2023 12:22 pm
by JohnT
OK Peter... here is an encrypted zip file containing three installers I just got from Fosshub. If possible please could you download this file, plus one or more of the same installers from Fosshub. After you've confirmed receipt, I'll give the password. You can then compare my files with your own. Will mine fail to verify but yours will?

Re: Where are the .asc files?

Posted: Fri Jul 21, 2023 10:44 am
by JohnT
OK, no reply from Peter. I'm getting a bad feeling about this.

Would anyone else be prepared to help me with this, download my zip file and help test this?

Re: Where are the .asc files?

Posted: Sun Jul 23, 2023 3:32 pm
by Peter
I literally have things to do in real life sometimes? I know, awful, I absolutely agree.
I grabbed the ZIP, but I don't have time to sit around for some password now.

Be careful, the evil lizard people already swapped out the bytes in your memory by this time. Did you know that RAM content is not cleared instantly upon shutdown? This is why shadow gremlins steal the data after you leave your computer at the desk too. Scary stuff. Stay safe.

Re: Where are the .asc files?

Posted: Sat Sep 16, 2023 9:41 am
by Ruberr
Peter wrote: Sun Jul 23, 2023 3:32 pm I literally have things to do in real life sometimes? I know, awful, I absolutely agree.
I grabbed the ZIP, but I don't have time to sit around for some password now.
Be careful, the evil lizard people already swapped out the bytes in your memory by this time. Did you know that RAM content is not cleared instantly upon shutdown? This is why shadow gremlins steal the data after you leave your computer at the desk too. Scary stuff. Stay safe.
Hi,
I totally understand the struggle of having real-life responsibilities interrupting our digital adventures! It's crucial to manage our time effectively. And yes, data security is a real concern, with potential threats even after shutting down. Regularly changing passwords and staying vigilant is essential to staying safe in the digital world. Stay mindful and take breaks when needed, but don't forget to protect your data.