This project has moved. For the latest updates, please go here.

PGP Key

Topics: Feature Requests
Dec 9, 2014 at 10:31 AM
On the main page you say...

"Linux and MacOSX releases are signed with a PGP key"

Would it be possible to also include windows versions please ?


Key Fingerprint 993B7D7E8E413809828F0F29EB559C7C54DDD393 belongs to "VeraCrypt Team".

As it is a team, can I ask how many people have access to this key please ? It would be comforting for users to know who is assuring the integrity of the downloads.

Thanks.
Coordinator
Dec 9, 2014 at 12:55 PM
Actually, Windows binaries are also signed with the same PGP key as you can see in the downloads page. I have to update the text of the main page.

As for the team, for now it is only me! A long term objective is to be able to build a developers community and that's the reason behind the team word. Even in this case, the signing key should be unique to a specific team member although we can have multiple signing key as it is the case in major open source projects.
Dec 9, 2014 at 5:43 PM
As for the team, for now it is only me!

LOL A one man army :) You are doing well holding the front line !

I suggest while you are on your own might it be a good idea for you to make your key named personally to you ? Before the inclusion of other members complicates things and the term team means something else ?

As we are all trusting the protection of our valuable data to you, I would very much like to be certain it is you personally who signs the .exe's.

Do you have a plan in case you are approached by "the man" ? You can at least refuse to sign the binaries.


A little paranoia is good sometimes :)
Coordinator
Dec 9, 2014 at 10:49 PM
I understand your point but trust is not something that you can guarantee, it is something that you build. Putting my name on a key will make it look more personal but it is no different from putting VeraCrypt name. By the way, Windows installer is signed by IDRIX code signing certificate for which I'm the only one to hold the key.

Paranoia is always good in the security world and I'm the first to be paranoid (positively paranoïd!). By making myself public, my reputation is in the front line and any stupid action like putting pressure on me would result on the shutdown of the VeraCrypt project as I will not risk destroying my reputation and the confidence people have on me and this project. In a certain way, it is similar to the Lavabit approach.
Dec 9, 2014 at 11:56 PM
That last paragraph is exactly what <fill in the blank here> would like to see happen to VC since they do not have a backdoor.

Maybe some form of warrant canary would be possible for the project.
Dec 10, 2014 at 12:34 PM
Edited Dec 10, 2014 at 12:34 PM
Maybe some form of warrant canary would be possible for the project.
.
Not easily achieved, well not in a way that is safe for Mounir. "the man" can be very persuasive.

As for back doors, true there are no known software back doors in VC. However "the man" does not always knock at the door. You need to find out about hardware tampering, I watched a very distressing presentation demonstrating the lengths these agencies go to. Believe it or not intercepting mail and swapping mainboards and or hard drives people bought from on-line retailers !

The above inspired me to make a feature request for VC to test the output of it's CSPRNG. I believe Mounir accepted it.

Other, less smart methods used by "the man" are VERY long prison sentences if you refuse to hand over your password.

Scary stuff, but I guess you have to be on their watch list.
Coordinator
Dec 10, 2014 at 9:50 PM
Things a little different in France and in Europe in General. Legal aspects here are much clearer with less secrecy, especially for open source projects like VeraCrypt which are not providing any hosting and communication services.

Of course, other means can be employed to try to stop an "annoying" project but in the case of VeraCrypt (and TrueCrypt before) the genie is out of the bottle!! Their will be always someone that will pick it up from where it stopped.
Dec 10, 2014 at 10:05 PM
I hope you are right Mounir, as much as I want to see veraCrypt progress it is not fair to expect you to take any risks.

All I can say is, if you are ever pressured, just dump the project and destroy the PGP signing keys. I am certain all the users will totally understand. You have been very kind to us with your time, we certainly don't want you to experience any trouble on our behalf.

However, as you say, things seem a little more civilised in France, so you should be ok :)