
TrueCrypt is a project that doesn't provide deterministic builds. Hence, anyone compiling the sources will get different binaries, as pointed out by this article on Privacy Lover, saying that "it is exceedingly difficult to generate binaries from source that match the binaries provided by Truecrypt." This has led to some speculation regarding the possibility of having backdoors in the official binaries that cannot be found easily. This concern has also been raised in this analysis, saying: "Without a very expensive “reverse engineering” it can't be proved that they are compiled from the published source code. Since we haven't done such a reverse engineering we can't preclude that there is a back door hidden within those binary packages."

Recently, the IsTrueCryptAuditedYet project was launched and aims at reviewing TrueCrypt's security and, among other things, providing a deterministic build so as to enable everyone to compare her version to the official one. However, it is still at an early stage (as of October 2013) and tries to raise funds first.

In this article, I present how I compiled TrueCrypt 7.1a for Windows and reached a very close match with the official binaries. I am also able to explain the small remaining differences and then prove that the official binaries indeed come from the public sources.

The TrueCrypt project was apparently abruptly shut down on and provides a farewell edition (v7.2) that is stripped of any code that enables the creation of new encrypted volumes and adds a feature to decrypt existing non-system encrypted drives in-place to facilitate the transition to other encryption tools. The legitimacy of this last release can be questioned; however, you can at least verify that it matches the available sources (and hence again, that the given compiled source code is the one you can read) by following the steps in this article. According to my analysis, the binaries of v7.2 for Windows match the available sources. Version 7.2 is compiled in the same way as version 7.1a, with a project path set to c:\truecrypt-7.2, consistent with the previous builds' scheme.

In order to verify the PGP signature of the binary, I use Gpg4win 2.2.1. Note: Links to the TrueCrypt website are no longer working; you will have to find the files elsewhere such as on or /drwhax/truecrypt-archive.
