undefined | Better HN

0 pointsproctor12y ago0 comments

i think there are two concerns here. one is that the source is not tainted by a third party during or before the download. the second (arguably much more important in this case) concern is that the compiled binary matches the source. the second concern is addressed well by the author as far as i can tell, but i think that there is room for improvement in their concerns about the former. i assume they have thought about this and do have at least some concerns because it is mentioned that

  The PGP signature of the binary can be downloaded 
  through the button PGP Signature, which makes you 
  download TrueCrypt Setup 7.1a.exe.sig over HTTPS 
  (*although with the NSA in the middle, it might not 
  mean much*).

[emphasis mine]

cross-referencing the pgp signature with at least one other (public) source would go a long way toward allaying those concerns (that the HTTPS might not mean much).

this criticism is in no way meant to detract from the rest of the work, and i mean only to refer to pgp sig verification best practices here.

0 comments

1 comments · 1 top-level

acqq12y ago

But you can do this too easily and be make sure yourself! Do it yourself with GPG, then calculate SHA of the binaries, compare with his text. he published the checksums with which he worked in more points of his analysis.

j / k navigate · click thread line to collapse