How to verify X.509 signatures?
peter at digitalbrains.com
Sun Mar 24 11:07:12 CET 2013
On 23/03/13 21:06, adrelanos wrote:
> TrueCrypt.org says they are signing "TrueCrypt Setup 7.1a.exe"
> with a X.509 signature. How can I verify such a signature?
This is probably a "Microsoft Authenticode" signature on a Microsoft PE
executable. It's very specifically a Microsoft thing, and you'll need a program
with specific support for this format. It's X.509 wrapped inside an executable.
If you Google for it, you'll probably find a lot of references to a heated
discussion between Matthew Garrett and Linus Torvalds about including a parser in
the Linux kernel :).
The best I could come up with through Googling was . You might be able to
write something up in Python with the pefile module.
Alternatively, just either
- verify on Windows, by checking the "Properties" of the executable
- verify using the OpenPGP signature they also provide
Seems to me that TrueCrypt is such a high-profile thing that I can see some
secret service subverting a CA to get a valid signature on their own backdoored
version of it.
Also, there is something strange going on? It says on the page you linked
that all downloads are HTTPS, but all the HTTPS server on www.truecrypt.org
seems to do is redirect you to the HTTP server. I wanted to say that an X.509
signature on the executable doesn't add much compared to downloading it over
HTTPS, but when the server is downgrading the connection...
Anyway, my point: I wouldn't trust an X.509 signature on TrueCrypt anyway. It's
too big a target for very well-funded groups that can subvert one of the immense
number of trusted CAs. If you're worried your download might be backdoored, you
should be worried that it probably also carries a valid signature.
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>
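As an added illustration of the "X.509 wrapped inside an executable" point (this is example code written for this archive page, not code from the thread, from TrueCrypt, or from any verification tool), the script below locates the Authenticode certificate table inside a PE file using only the standard library, carves out the embedded PKCS#7 blob, and computes the digest the way Authenticode does: skipping the CheckSum field, the security directory entry and the certificate table itself, so the value is the same before and after signing. The PE image and the "signature" blob are constructed placeholders; the blob is not a real PKCS#7 structure and nothing here validates a certificate chain.

```python
"""Carve the Authenticode blob out of a PE file and compute the Authenticode digest.

Added example (stdlib only, no pefile).  build_sample_pe() fabricates a toy PE32+
image so the script runs offline; the embedded blob is a placeholder, not a real
PKCS#7 signature, and no chain validation is attempted.
"""
import hashlib
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4       # data directory slot for the cert table
WIN_CERT_REVISION_2_0 = 0x0200
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002  # Authenticode: PKCS#7 SignedData


def _pe_layout(data):
    """Return file offsets of (CheckSum, security dir entry, end of opt header)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    size_of_opt = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:        # PE32: directories start at opt+96
        dirs = opt + 96
    elif magic == 0x20B:      # PE32+: directories start at opt+112
        dirs = opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    num_dirs = struct.unpack_from("<I", data, dirs - 4)[0]
    if num_dirs <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        raise ValueError("no security directory slot")
    return opt + 64, dirs + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, opt + size_of_opt


def extract_authenticode(data):
    """Return (revision, cert_type, pkcs7_bytes), or None if the file is unsigned."""
    _, secdir_off, _ = _pe_layout(data)
    # Unlike every other directory, the security entry holds a raw file offset.
    cert_off, cert_size = struct.unpack_from("<II", data, secdir_off)
    if cert_off == 0 or cert_size == 0:
        return None
    if cert_off + cert_size > len(data):
        raise ValueError("certificate table runs past end of file")
    length, revision, cert_type = struct.unpack_from("<IHH", data, cert_off)
    if length < 8 or length > cert_size:
        raise ValueError("bad WIN_CERTIFICATE length")
    return revision, cert_type, data[cert_off + 8:cert_off + length]


def authenticode_hash(data, algo="sha256"):
    """Digest the file the way Authenticode does, so signing leaves it unchanged.

    Skips the 4-byte CheckSum, the 8-byte security directory entry and the
    certificate table.  Assumes sections are stored in file order and the
    certificate table, if present, is the last thing in the file (the usual
    layout); a full implementation walks the section table explicitly.
    """
    checksum_off, secdir_off, _ = _pe_layout(data)
    cert_off, _ = struct.unpack_from("<II", data, secdir_off)
    end = cert_off if cert_off else len(data)
    h = hashlib.new(algo)
    h.update(data[:checksum_off])
    h.update(data[checksum_off + 4:secdir_off])
    h.update(data[secdir_off + 8:end])
    return h.hexdigest()


def build_sample_pe(pkcs7=b""):
    """Constructed toy PE32+ image (headers plus one 16-byte section).

    Not a runnable executable; pkcs7 is whatever placeholder the caller passes.
    """
    e_lfanew = 0x40
    img = bytearray(b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew))
    img += b"PE\0\0"
    img += struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x22)  # COFF header
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)         # PE32+ magic
    struct.pack_into("<I", opt, 64, 0xDEADBEEF)   # CheckSum, excluded from the hash
    struct.pack_into("<I", opt, 108, 16)          # NumberOfRvaAndSizes
    opt_off = len(img)
    img += opt
    raw_ptr = len(img) + 40                       # section data follows its header
    img += struct.pack("<8sIIIIIIHHI", b".text", 16, 0x1000, 16, raw_ptr,
                       0, 0, 0, 0, 0x60000020)
    img += b"\xC3" * 16                           # constructed stub section body
    if pkcs7:
        cert_off = len(img)
        body = struct.pack("<IHH", 8 + len(pkcs7), WIN_CERT_REVISION_2_0,
                           WIN_CERT_TYPE_PKCS_SIGNED_DATA) + pkcs7
        body += b"\0" * (-len(body) % 8)          # table is 8-byte aligned
        struct.pack_into("<II", img,
                         opt_off + 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                         cert_off, len(body))
        img += body
    return bytes(img)


if __name__ == "__main__":
    unsigned = build_sample_pe()
    signed = build_sample_pe(b"CONSTRUCTED-PKCS7-PLACEHOLDER")
    print("unsigned:", extract_authenticode(unsigned))
    print("signed:  ", extract_authenticode(signed))
    print("authenticode digest equal across signing:",
          authenticode_hash(unsigned) == authenticode_hash(signed))
```

On a real binary, `extract_authenticode()` yields the DER-encoded PKCS#7 SignedData that a full verifier would decode, compare against `authenticode_hash()` (the spec's SpcIndirectDataContent carries the digest) and chain back to a trusted root; that last part is what the thread is skeptical about, since any CA the verifier trusts could issue the signing certificate.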