How to verify X.509 signatures?

Peter Lebbing peter at digitalbrains.com
Sun Mar 24 11:07:12 CET 2013


On 23/03/13 21:06, adrelanos wrote:
> TrueCrypt.org says [1] they are signing "TrueCrypt Setup 7.1a.exe" [2]
> with a X.509 signature. How can I verify such a signature?

This is probably a "Microsoft Authenticode" signature on a Microsoft PE
executable. It's very specifically a Microsoft thing, and you'll need a program
with specific support for this format. It's X.509 wrapped inside an executable.

If you Google for it, you'll probably find a lot of references to a heated
discussion between Matthew Garrett and Linus Torvalds about including a parser in
the Linux kernel :).

The best I could come up with through Googling was [1]. You might be able to
write something up in Python with the pefile module.

Alternatively, just either
- verify on Windows, by checking the "Properties" of the executable
- verify using the OpenPGP signature they also provide

Seems to me that TrueCrypt is such a high-profile thing that I can see some
secret service subverting a CA to get a valid signature on their own backdoored
version of it.

Also, is there something strange going on? It says on the page you linked [2]
that all downloads are HTTPS, but all the HTTPS server on www.truecrypt.org
seems to do is redirect you to the HTTP server. I wanted to say that an X.509
signature on the executable doesn't add much compared to downloading it over
HTTPS, but when the server is downgrading the connection...

Anyway, my point is: I wouldn't trust an X.509 signature on TrueCrypt anyway. It's
too big a target for very well-funded groups that can subvert one of the immense
number of trusted CAs. If you're worried your download might be backdoored, you
should be worried that it probably also carries a valid signature.

Good luck,

Peter.

[1] <http://hype-free.blogspot.nl/2008/09/how-to-verify-executable-digital.html>
[2] <http://www.truecrypt.org/docs/?s=digital-signatures>

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>
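The message above says the Authenticode signature is "X.509 wrapped inside an executable" and suggests writing something in Python. As an added example (not from the original post, and not using the pefile module), here is a pure-Python parser that walks the PE headers to the security data directory and extracts the embedded PKCS#7 SignedData blob(s); the minimal PE image and the blob contents are constructed for the test and are not a real signature.

```python
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4      # data directory slot holding the signature
WIN_CERT_REVISION_2_0 = 0x0200
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002  # bCertificate is DER PKCS#7 SignedData

def extract_authenticode(pe: bytes):
    """Return [(revision, cert_type, blob), ...] from the PE security directory,
    or [] when the file carries no Authenticode signature at all."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    opt = e_lfanew + 4 + 20                       # COFF file header is 20 bytes
    (magic,) = struct.unpack_from("<H", pe, opt)
    # Data directories begin at +96 (PE32, magic 0x10B) or +112 (PE32+, 0x20B)
    dirs = opt + (96 if magic == 0x10B else 112)
    sec = dirs + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    offset, size = struct.unpack_from("<II", pe, sec)  # raw file offset, not an RVA
    if size == 0:
        return []
    entries, end = [], offset + size
    while offset + 8 <= end:
        length, revision, cert_type = struct.unpack_from("<IHH", pe, offset)
        if length < 8 or offset + length > end:
            raise ValueError("corrupt WIN_CERTIFICATE entry")
        entries.append((revision, cert_type, pe[offset + 8:offset + length]))
        offset += (length + 7) & ~7               # successive entries are 8-byte aligned
    return entries

def build_sample_pe(blob):
    """Constructed minimal PE32 image for testing only; blob=None means unsigned."""
    e_lfanew = 0x40
    opt = e_lfanew + 4 + 20
    cert_off = opt + 224                          # PE32 optional header is 224 bytes
    cert = b"" if blob is None else struct.pack(
        "<IHH", 8 + len(blob), WIN_CERT_REVISION_2_0, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + blob
    img = bytearray(cert_off)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, e_lfanew)
    img[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    struct.pack_into("<H", img, opt, 0x10B)        # PE32 magic
    struct.pack_into("<II", img, opt + 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                     cert_off if cert else 0, len(cert))
    return bytes(img) + cert

if __name__ == "__main__":
    for rev, typ, blob in extract_authenticode(build_sample_pe(b"constructed-pkcs7-der")):
        print(hex(rev), hex(typ), len(blob), "bytes of PKCS#7 data")
```

The extracted blob is DER-encoded PKCS#7; on a real binary it can be written to a file and inspected with `openssl pkcs7 -inform DER -print_certs`, but checking that the signed hash actually matches the executable needs an Authenticode-aware verifier, which this snippet does not implement.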


