starred/qBittorrent
1
0
Fork 0
mirror of https://github.com/qbittorrent/qBittorrent.git synced 2026-03-02 22:57:32 -05:00
Code Issues 2.6k Projects Packages Wiki Activity

Plugins should be signed #2487

New issue
Open
opened 2026-02-21 16:14:51 -05:00 by deekerman · 1 comment
deekerman commented 2026-02-21 16:14:51 -05:00
Owner
Copy link

Originally created by @yurivict on GitHub (May 15, 2015).

Currently qBittorrent downloads search plugins (python source files) from GitHub without any checking. If they will be substituted by an attacker with the malicious code, they can cause damage to the user system.

The correct way to handle this is to distribute the public key with qBittorrent itself, download every plugin along with its signature made with the private key, and check the signature with the public part of the key in qBittorrent app.

Look here https://github.com/infobyte/evilgrade for one example how unsigned executable downloads can be exploited.

OpenSSL supports signing, here is the easy reference: http://stackoverflow.com/questions/10782826/digital-signature-for-a-file-using-openssl

# generate key
openssl genrsa -des3 -out privkey.pem 2048
openssl rsa -pubout -in privkey.pem -out pubkey.pem

# sign
openssl dgst -sha256 -sign privkey.pem -out $1.sign $1

# verify
openssl dgst -sha256 -verify pubkey.pem -signature $1.sign $1
Originally created by @yurivict on GitHub (May 15, 2015). Currently qBittorrent downloads search plugins (python source files) from GitHub without any checking. If they will be substituted by an attacker with the malicious code, they can cause damage to the user system. The correct way to handle this is to distribute the public key with qBittorrent itself, download every plugin along with its signature made with the private key, and check the signature with the public part of the key in qBittorrent app. Look here https://github.com/infobyte/evilgrade for one example how unsigned executable downloads can be exploited. OpenSSL supports signing, here is the easy reference: http://stackoverflow.com/questions/10782826/digital-signature-for-a-file-using-openssl ``` # generate key openssl genrsa -des3 -out privkey.pem 2048 openssl rsa -pubout -in privkey.pem -out pubkey.pem # sign openssl dgst -sha256 -sign privkey.pem -out $1.sign $1 # verify openssl dgst -sha256 -verify pubkey.pem -signature $1.sign $1 ```
deekerman commented 2026-02-21 16:14:54 -05:00
Author
Owner
Copy link

@xavier2k6 commented on GitHub (May 23, 2025):

ANNOUNCEMENT!

For anybody coming across this "Feature Request" & would like/love to see a potential implementation in the future!
Here are some options available to you:

  1. Please select/click the 👍 &/orreactions in the original/opening post of this ticket.

  2. Please feel free (If you have the "skillset") to create a "Pull Request" implementing what's being requested in this ticket.
    (new/existing contributors/developers are always welcome)

DO:

  • Provide constructive feedback.
  • Display how other projects implemented same/similar etc.

DO NOT:

  • Add a "Bump", "me too", "2nd/3rd" etc. or "criticizing" comment(s).
    (These will be disregarded/hidden as "spam/abuse/off-topic" etc. as they don't provide anything constructive.)
@xavier2k6 commented on GitHub (May 23, 2025): ## ANNOUNCEMENT! For anybody coming across this **_"Feature Request"_** & would like/love to see a potential implementation in the future! **Here are some options available to you:** 1. Please select/click the 👍 **&/or** ❤ `reactions` in the original/opening post of this ticket. 2. Please feel free _(If you have the "skillset")_ to create a **_"Pull Request"_** implementing what's being requested in this ticket. **_(new/existing contributors/developers are always welcome)_** ____ **DO:** * Provide constructive feedback. * Display how other projects implemented same/similar etc. **DO NOT:** * Add a "Bump", "me too", "2nd/3rd" etc. or "criticizing" comment(s). **(These will be disregarded/hidden as "spam/abuse/off-topic" etc. as they don't provide anything constructive.)**
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
master
v5_2_x
v5_1_x
debian
v5_0_x
v4_6_x
v4_5_x
v4_4_x
v4_3_x
v4_2_x
v4_1_x
v4_0_x
v3_3_x
v3_2_x
v3_1_x
v3_0_x
search_encoding_windows
v2_9_x
release-5.1.4
release-5.1.3
release-5.1.2
release-5.1.1
release-5.1.0
release-5.0.5
release-5.0.4
release-5.1.0rc1
release-5.1.0beta1
release-5.0.3
release-5.0.2
release-5.0.1
release-5.0.0
release-4.6.7
release-5.0.0rc1
release-4.6.6
release-4.6.5
release-4.6.4
release-5.0.0beta1
release-4.6.3
release-4.6.2
release-4.6.1
release-4.6.0
release-4.6.0rc2
release-4.5.5
release-4.6.0rc1
release-4.6.0beta1
release-4.5.4
release-4.6.0alpha1
release-4.5.3
release-4.5.2
release-4.5.1
release-4.5.0
release-4.5.0beta1
release-4.4.5
release-4.4.4
release-4.4.3.1
release-4.4.3
release-4.4.2
release-4.4.1
release-4.4.0
release-4.3.9
release-4.4.0rc1
release-4.3.8
release-4.4.0beta3
release-4.3.7
release-4.4.0beta2
release-4.4.0beta1
release-4.3.6
release-4.3.5
release-4.3.4.1
release-4.3.4
release-4.3.3
release-4.3.2
release-4.3.1
release-4.3.0.1
release-4.3.0
release-4.2.5
release-4.2.4
release-4.2.3
release-4.2.2
release-4.2.1
release-4.2.0
release-4.1.9.1
release-4.1.9
release-4.1.8
release-4.1.7
release-4.1.6
release-4.1.5
release-4.1.4
release-4.1.3
release-4.1.2
release-4.1.1
release-4.1.0
release-4.0.4
release-4.0.3
release-4.0.2
release-4.0.1
release-4.0.0
release-3.3.16
release-3.3.15
release-3.3.14
release-3.3.13
release-3.3.12
release-3.3.11
release-3.3.10
release-3.3.9
release-3.3.8
release-3.3.7
release-3.3.6
release-3.3.5
release-3.3.4
release-3.3.3
release-3.3.2
release-3.3.1
release-3.3.0
release-3.2.5
release-3.2.4
release-3.2.3
release-3.2.2
release-3.2.1
release-3.2.0
release-3.1.12
release-3.1.11
release-3.1.10
release-3.1.9.2
release-3.1.9.1
release-3.1.9
release-3.1.8
release-3.1.7
release-3.1.6
release-3.1.5
release-3.1.4
release-3.1.3
release-3.1.2
release-3.1.1
release-3.1.0
release-3.0.11
release-3.0.10
release-3.0.9
release-3.0.8
release-3.0.7
release-3.0.6
release-3.0.5
release-3.0.4
release-3.0.3
release-3.0.2
release-3.0.1
release-3.0.0
release-2.9.11
release-2.9.10
release-2.9.9
release-2.9.8
release-2.9.7
release-2.9.6
release-2.9.5
release-2.9.4
release-2.9.3
release-2.9.0
release-2.8.5
release-2.8.4
release-2.8.3
release-2.8.2
release-2.7.1
release-2.7.0
release-2.6.9
release-2.6.8
release-2.6.7
release-2.6.5
release-2.6.4
release-2.6.3
release-2.6.2
release-2.6.1
release-2.6.0
release-2.5.5
release-2.5.4
release-2.5.3
release-2.5.2
release-2.5.0
release-2.5.0rc1
release-2.4.11
release-2.5.0beta6
release-2.5.0beta5
release-2.5.0beta3
release-2.4.10
release-2.4.8
release-2.5.0beta2
release-2.5.0beta1
release-2.4.6
release-2.4.4
release-2.4.2
release-2.4.0
release-2.4.0rc3
release-2.4.0rc1
release-2.4.0beta3
release-2.4.0beta1
release-2.3.1
release-2.3.0
release-2.3.0rc6
release-2.2.11
release-2.3.0rc5
release-2.2.10
release-2.2.9
release-2.2.8
release-2.2.6
release-2.2.5
release-2.2.3
release-2.2.2
release-2.2.1
release-2.2.0
release-2.1.6
release-2.1.4
release-2.1.2
release-2.1.1
release-2.1.0
release-2.0.7
release-2.0.6
release-2.0.5
release-2.0.3
release-2.0.2
release-2.0.0
release-2.0.0rc6
release-2.0.0rc2
release-1.5.6
release-1.5.4
release-1.5.3
release-1.5.0
release-1.5.0rc5
release-1.5.0rc4
release-1.5.0rc3
release-1.5.0rc1
release-1.5.0beta4
release-1.5.0beta3
release-1.5.0beta2
release-1.5.0beta1
release-1.4.1
release-1.4.0
release-1.4.0rc2
release-1.4.0rc1
release-1.3.5
release-1.4.0beta3
release-1.3.4
release-1.3.3
release-1.3.1
release-1.3.0
release-1.2.1
release-1.2.0rc1
release-1.2.0beta6
release-1.1.4
release-1.2.0beta5
release-1.1.3
release-1.2.0beta3
release-1.1.2
release-1.2.0beta2
release-1.1.1
release-1.2.0beta1
release-1.1.0
release-1.1.0rc2
release-1.1.0rc1
release-1.1.0beta3
release-1.1.0beta2
release-1.0.0
release-1.0.0rc11
release-1.0.0rc10
release-1.0.0rc9
release-1.0.0rc8
release-1.0.0rc7
release-1.0.0rc6
release-1.0.0rc5
release-1.0.0rc4
release-1.0.0rc3
release-0.9.3
release-0.9.2
Labels
Clear labels   
Accessibility

   
AppImage

   
Bounty

   
Build system

   
CI

   
Can't reproduce

   
Code cleanup

   
Confirmed bug

   
Confirmed bug

   
Core

   
Crash

   
Data loss

   
Discussion

   
Docker

   
Documentation

   
Duplicate

   
Feature

   
Feature request

   
Feature request

   
Feature request

   
Filters

   
Flatpak

   
GUI

   
Has workaround

   
I2P

   
Invalid

   
Libtorrent

   
Look and feel

   
Meta

   
NSIS

   
Network

   
Not an issue

   
OS: *BSD

   
OS: Linux

   
OS: Windows

   
OS: macOS

   
PPA

   
Performance

   
Project management

   
Proxy/VPN

   
Qt bugs

   
Qt6 compat

   
RSS

   
Search engine

   
Security

   
Temp folder

   
Themes

   
Translations

   
Triggers

   
Waiting diagnosis

   
Waiting info

   
Waiting upstream

   
Waiting web implementation

   
Watched folders

   
WebAPI

   
WebUI

   
autoCloseOldIssue
No labels
Accessibility
AppImage
Bounty
Build system
CI
Can't reproduce
Code cleanup
Confirmed bug
Confirmed bug
Core
Crash
Data loss
Discussion
Docker
Documentation
Duplicate
Feature
Feature request
Feature request
Feature request
Filters
Flatpak
GUI
Has workaround
I2P
Invalid
Libtorrent
Look and feel
Meta
NSIS
Network
Not an issue
OS: *BSD
OS: Linux
OS: Windows
OS: macOS
PPA
Performance
Project management
Proxy/VPN
Qt bugs
Qt6 compat
RSS
Search engine
Security
Temp folder
Themes
Translations
Triggers
Waiting diagnosis
Waiting info
Waiting upstream
Waiting web implementation
Watched folders
WebAPI
WebUI
autoCloseOldIssue
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
starred/qBittorrent#2487
No description provided.