lbreuss / truecrypt-archive

Archive of (almost) all truecrypt releases - Please audit this repository!

Home Page:http://istruecryptauditedyet.com/

Geek Repo:Geek Repo

Github PK Tool:Github PK Tool

TrueCrypt Archive

This is a tin foil hat area. Please put on your tin foil hat before proceeding.

Most of the files are from different collections that people have provided.

  • http://cyberside.net.ee/truecrypt/ (credit to 16systems and CyR for collecting!)
  • Different forums and random websites (see commit messages)
  • Anonymous submissions via email (you are anonymous unless you specify you want credit)

If you have any new files, either in the list below or files that we don't know about, please contact us!

We try to get signature files for everything, but we often include files even if we lack signature files, if the source seems trustworthy. Please be aware of this, and trust the files accordingly.

Repository status: Build Status

  • build passing (green) - all packages with .sig files are valid.
  • build failing (red) - a package is corrupted or a signature is invalid.

Missing files

At least these files are missing, and there are probably a lot more files that we don't know about.

Most wanted:

  • truecrypt-3.0-source-code.zip
  • truecrypt-4.3-source-code.zip.sig
  • TrueCrypt 5.0 Source.tar.gz.sig

Missing .sig files for current files:

  • TrueCrypt 5.0a Leopard Intel.dmg.sig
  • TrueCrypt 5.1 Leopard.dmg.sig
  • TrueCrypt 5.1a Leopard.dmg.sig
  • TrueCrypt 5.1a Tiger.dmg.sig
  • truecrypt-4.0-opensuse-10.0-x86.tar.gz.sig
  • truecrypt-4.0-suse-9.2-x86.tar.gz.sig
  • truecrypt-4.0-ubuntu-5.04-x86.tar.gz.sig
  • truecrypt-4.0-ubuntu-5.10-x64.tar.gz.sig
  • truecrypt-4.0-ubuntu-5.10-x86.tar.gz.sig
  • truecrypt-4.1-opensuse-10.0-x86.tar.gz.sig
  • truecrypt-4.1-suse-9.2-x86.tar.gz.sig
  • truecrypt-4.1-suse-9.3-x86.tar.gz.sig
  • truecrypt-4.1-ubuntu-5.04-x86.tar.gz.sig
  • truecrypt-4.1-ubuntu-5.10-x86.tar.gz.sig
  • truecrypt-4.2-fedora-core-4-x86.tar.gz.sig
  • truecrypt-4.2-fedora-core-5-x86.tar.gz.sig
  • truecrypt-4.2-opensuse-10.0-x86.tar.gz.sig
  • truecrypt-4.2-suse-9.3-x86.tar.gz.sig
  • truecrypt-4.2-ubuntu-5.04-x86.tar.gz.sig
  • truecrypt-4.2-ubuntu-5.10-x86.tar.gz.sig
  • truecrypt-4.2a-fedora-core-4-x86.tar.gz.sig
  • truecrypt-4.2a-fedora-core-5-x86.tar.gz.sig
  • truecrypt-4.2a-opensuse-10.0-x86.tar.gz.sig
  • truecrypt-4.2a-opensuse-10.1-x64.tar.gz.sig
  • truecrypt-4.2a-opensuse-10.1-x86.tar.gz.sig
  • truecrypt-4.2a-suse-9.3-x86.tar.gz.sig
  • truecrypt-4.2a-ubuntu-5.04-x86.tar.gz.sig
  • truecrypt-4.2a-ubuntu-5.10-x86.tar.gz.sig
  • truecrypt-4.2a-ubuntu-6.06-x64.tar.gz.sig
  • truecrypt-4.3-opensuse-10.2-x86.tar.gz.sig
  • truecrypt-4.3-ubuntu-6.06-x86.tar.gz.sig
  • truecrypt-4.3-ubuntu-6.10-x64.tar.gz.sig
  • truecrypt-4.3-ubuntu-6.10-x86.tar.gz.sig
  • truecrypt-4.3a-opensuse-10.2-x86.tar.gz.sig
  • truecrypt-5.0-opensuse-x86.tar.gz.sig
  • truecrypt-5.0a-opensuse-x86.tar.gz.sig
  • truecrypt-5.1-opensuse-x86.tar.gz.sig
  • truecrypt-5.1-ubuntu-x64.tar.gz.sig
  • truecrypt-5.1-ubuntu-x86.tar.gz.sig

Other known files:

  • truecrypt-4.3a-ubuntu-6.06-x86.tar.gz
  • truecrypt-4.3a-ubuntu-6.06-x86.tar.gz.sig
  • truecrypt-4.3a-ubuntu-7.04-x64.tar.gz
  • truecrypt-4.3a-ubuntu-7.04-x64.tar.gz.sig
  • truecrypt-4.3a-ubuntu-7.04-x86.tar.gz
  • truecrypt-4.3a-ubuntu-7.04-x86.tar.gz.sig
  • TrueCrypt 5.0 Leopard Intel.dmg
  • TrueCrypt 5.0 Leopard Intel.dmg.sig
  • TrueCrypt 5.0 Leopard PowerPC.dmg
  • TrueCrypt 5.0 Leopard PowerPC.dmg.sig
  • TrueCrypt 5.0 Tiger Intel.dmg
  • TrueCrypt 5.0 Tiger Intel.dmg.sig
  • TrueCrypt 5.0a Leopard PowerPC.dmg
  • TrueCrypt 5.0a Leopard PowerPC.dmg.sig
  • TrueCrypt 5.0a Tiger Intel.dmg
  • TrueCrypt 5.0a Tiger Intel.dmg.sig

TrueCrypt 7.2

Version 7.2, released 2014-05-28, appears to be the last version of TrueCrypt. The website, forums and all other resources disappeared and was replaced with a scaled-down SourceForge website. The new version seems to be basically 7.1a, but without the ability to create new volumes.

The warnings that accompany version 7.2 claim that TrueCrypt is not secure, and that people should migrate to BitLocker and other solutions.

The authors write that the development was stopped after Microsoft terminated support for Windows XP. This is an interesting claim since the list of planned future features from the old website included support for Windows 8 and UEFI. This is the list before the website was shut down:

- Full support for Windows 8
- Ability to encrypt Windows system partitions/drives on UEFI-based computers
- Command line options for volume creation (already implemented in Linux and Mac OS X versions)
- "Raw" CD/DVD volumes

This project will keep going, so please help us collect the remaining files. Thank you!

Past versions

The TrueCrypt website used to offer downloads of past versions. This is no longer available since 2014-05-28. They used to offer versions 7.0a, 6.3a and 5.1a for Windows, while only 7.0a and 6.3a for Mac OS X and Linux. I found this interesting note in the version history:

Note: TrueCrypt 4.3a and 5.1a have been repackaged to contain the latest version of the TrueCrypt License introduced with TrueCrypt 6.0 (the original application and driver binaries of those old versions have not been modified; however, the installer used for those new packages was compiled using the source code of TrueCrypt 6.0, not TrueCrypt 5.1a).

See License History for more information.

Verifying the integrity

There are four keyfiles that the TrueCrypt developers have released.

  1. TrueCrypt_Team_PGP_public_key.asc
    • This is the first key, used only for version 1.0 and 1.0a.
    • pgpdump: Public key creation time - Mon Jan 26 21:02:14 CET 2004
  2. TrueCrypt_Foundation_PGP_public_key.asc
    • This key has been used for version 2.0 and later.
    • pgpdump: Public key creation time - Sun Jun 6 11:13:17 CEST 2004
  3. TrueCrypt-Foundation-Public-Key.asc
    • This key has the same fingerprint as the previous key, but pgpdump reveals that it is composed differently.
    • Both Foundation keys can verify the same files.
    • Same creation time as the previous key, but the date Tue Mar 20 22:52:24 CET 2007 can be seen in pgpdump output. Presumably this is when this file was released (the day after 4.3 was released).
  4. TrueCrypt-key.asc
    • This file was released with version 7.2. It is actually identical with TrueCrypt-Foundation-Public-Key.asc.
    • It was most likely renamed to avoid attention to the Foundation, so that people would focus on the message that was released along with 7.2, and not the authors.

I am not a cryptography expert, so I do not know the significance the second Foundation key presents. It is evident however, that the TrueCrypt developers have difficulty deciding what they want to call themselves and what email address they use.

  1. TrueCrypt Team <mail@truecrypt.org>
  2. TrueCrypt Foundation <info@truecrypt-foundation.org>
  3. TrueCrypt Foundation <contact@truecrypt.org>

This is all very interesting, but let's get on to verifying the signature files.

Verifying the keyfile

You can get the fingerprint of a keyfile by running:

$ gpg --with-fingerprint TrueCrypt-Foundation-Public-Key.asc
pub  1024D/F0D6B1E0 2004-06-06 TrueCrypt Foundation <contact@truecrypt.org>
      Key fingerprint = C5F4 BAC4 A7B2 2DB8 B8F8  5538 E3BA 73CA F0D6 B1E0
sub  4077g/6B136ECF 2004-06-06

You can then go to a public key website, e.g. pgp.mit.edu, and verify that this is actually an authentic keyfile. Alternatively, and probably a better practice, you can import the keyfiles from the public key server.

Importing keys

gpg --import TrueCrypt_Team_PGP_public_key.asc TrueCrypt-Foundation-Public-Key.asc

You can import TrueCrypt_Foundation_PGP_public_key.asc too, if you'd like.

Alternatively, you can import the keys from a key server directly (via HKP protocol), using the id from the keyfile you verified previously:

$ gpg --keyserver pgp.mit.edu --recv-keys 0xF0D6B1E0
gpg: requesting key F0D6B1E0 from hkp server pgp.mit.edu
gpg: key F0D6B1E0: public key "TrueCrypt Foundation <info@truecrypt-foundation.org>" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg:               imported: 1

Trust the keys

gpg --edit-key "TrueCrypt Team" trust quit
gpg --edit-key "TrueCrypt Foundation" trust quit

Select option 5, I trust ultimately.

Verify the files

Mac/Linux

I made a bash script, like so:

#!/bin/bash
for f in *.sig
do
    echo "Verifying '$f'"
    gpg --verify "$f"
    echo
done
  1. Save as ~/verify-sigs.sh
  2. chmod +x ~/verify-sigs.sh
  3. cd truecrypt-archive
  4. Just run ~/verify-sigs.sh to verify all files.
  5. Run ~/verify-sigs.sh &>verification.txt to save the output to file.

If you want a one-liner, you can try this::

$ gpg --status-fd 1 --verify-files *.sig

Windows

If you are using Windows, the easiest way to get gpg is by downloading Gpg4win (Vanilla version is enough), and then adding C:\Program Files (x86)\GNU\GnuPG\pub to your PATH.

You can use this bat script:

@echo off
for %%f in (*.sig) do (
    echo Verifying '%%~nf'
    gpg --verify "%%f"
    echo.
)

Save it as verify-sigs.bat and put it in PATH, e.g. the Windows directory.

It can also be useful to associate .sig files with this bat script:

@echo off
echo Verifying '%~n1'
echo.
gpg --verify %1
echo.
pause

Save it as verify-sig.bat and associate .sig files with it. Then simply double-click a .sig file to verify it.

Delete keys

gpg --delete-key TrueCrypt

Repeat until all keys are gone.

About

Archive of (almost) all truecrypt releases - Please audit this repository!

http://istruecryptauditedyet.com/