Fosshub adding MALWARE to installers? Help me prove it!
Posted: Fri Jul 21, 2023 11:48 am
I've come to believe that Fosshub is adding malware to QBT installers - probably not for everyone, but at least to certain individuals.
I first became aware of this when I noticed that files downloaded with QBT had been altered from the original shared version. I then checked the PGP signature of all my QBT installers and they FAILED to verify, suggesting they've been injected with malware.
I need your help to prove this! Here's a zip file I made containing four random installers I downloaded from Fosshub (3 binaries + 1 source). When I check their PGP signatures, these all fail. Do they fail for you too?
Please can you download this file (it's encrypted but I'll share the pass in a few days' time after you've downloaded it and it can no longer be tampered with).
Then see if you can verify whether these are authentic files?
Here are direct links to all these installer files on Fosshub:
qBittorrent v4.5.4 x64 PGP signature
qBittorrent v4.4.1 x64 PGP signature
qBittorrent v4.2.4 PGP signature
qBittorrent v4.5.4 source PGP signature
Will the files you download be different to the ones I downloaded?
If it is the case that Fosshub is injecting malware into certain downloads, I would think it likely to be happening to many if not all programs, and practiced by all the big download sites. This, of course, completely undermines the whole point of programs like QBT being open source and having PGP verification. Those things only serve to give most users a false sense of security.
If you don't know how to check PGP signatures, here's a...
Quick guide on how to check PGP signatures:
1. Install GPG4win (including the frontend program "Kleopatra")
2. Download qBittorrent's "public key" file from the top of the Downloads page (direct link).
3. Run Kleopatra, click the "Import" button and select the public key file. It will be permanently added to the list of certificates and you don't need to do this step again.
4. To verify a file, just click the "Decrypt/Verify" button and select the signature (.asc) file. If the corresponding file is in the same folder, it will automatically begin checking it.
5. You will get a result saying (in my case) "The data could not be verified"
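The same check as the Kleopatra guide above, done on the command line with gpg, as an added example that is not part of the original post. gpg's `--status-fd` records (documented in GnuPG's doc/DETAILS) let you tell a verification that fails because the signer's key is not imported (NO_PUBKEY) from one that fails because the file is not the one that was signed (BADSIG); the key ID and file names below are placeholders, and gpg is assumed to be installed.

```shell
#!/bin/sh
# Classify the machine-readable records gpg emits with --status-fd (format documented
# in GnuPG's doc/DETAILS) so a failed verification says *why* it failed:
#   GOOD       the file is exactly what the imported key signed
#   TAMPERED   BADSIG: the key is known, but this file is not the one that was signed
#   NO_PUBKEY  the signer's key is not in your keyring; import it and re-run
#   UNKNOWN    no usable signature record (wrong file beside the .asc, unreadable .asc, ...)
classify_gpg_status() {
    status="$1"     # full --status-fd text, one "[GNUPG:] ..." record per line
    case "$status" in
        *"[GNUPG:] GOODSIG "*)   echo GOOD ;;
        *"[GNUPG:] BADSIG "*)    echo TAMPERED ;;
        *"[GNUPG:] NO_PUBKEY "*) echo NO_PUBKEY ;;
        *)                       echo UNKNOWN ;;
    esac
}

# Key ID the .asc claims was used to sign; compare it with the key published on the
# project's Downloads page. Prints nothing if no signature record is present.
signer_keyid() {
    printf '%s\n' "$1" |
        awk '/^\[GNUPG:\] (GOODSIG|BADSIG|NO_PUBKEY|ERRSIG) / { print $3; exit }'
}

# Verify a detached signature (file.asc) against its file and print "<verdict> <keyid>".
# --status-fd 1 sends the records to stdout; gpg's human-readable text goes to stderr.
# gpg exits non-zero for BADSIG and NO_PUBKEY, so the exit code is deliberately ignored
# and the records are interpreted instead.
verify_detached() {
    sig="$1"; data="$2"
    status=$(gpg --batch --status-fd 1 --verify "$sig" "$data" 2>/dev/null || true)
    echo "$(classify_gpg_status "$status") $(signer_keyid "$status")"
}

# Usage (installer and signature names are placeholders, not real file names):
#   sh verify.sh qbittorrent-setup.exe.asc qbittorrent-setup.exe
if [ "$#" -eq 2 ]; then
    verify_detached "$1" "$2"
fi
```

A GOOD verdict from a key you imported yourself from the project's Downloads page is the only outcome that says anything about the installer; NO_PUBKEY says only that the key has not been imported yet.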