This project has moved. For the latest updates, please go here.

please publish package hashes

Topics: Feature Requests
Nov 12, 2015 at 4:06 PM
Edited Nov 12, 2015 at 4:07 PM
I would like to suggest that md5 and sha256 cryptographic hashes be included in the text of the download pages.

OpenPGP signatures may be more secure than hashes published on a web page. However, they require certain level of understanding and presence of another, rather complex software application (PGP/GPG) on user's computer and the ability to use it, and is not normally done by end users, especially not on Windows systems. In contrast, checking the hashes after the download is completed is a trivial process. For an attacker, the work involved in forging hashes on the fly is quite demanding and easily detected with minimal effort by software publisher.

When the hashes are not published, I habitually post them on the application forum, as follows:

md5sum *
29407d0979a13cb135e3afccd5cb9a80 VeraCrypt_1.16_Bundle.7z
17f4f70d1b3878b4353e4730ee38d3fc VeraCrypt_1.16.dmg
cc0a47ff881e62a9a6f585e3adba532e veracrypt-1.16-setup.tar.bz2
fe36641c8dc1ddb3ce8b1d18b401660c veracrypt_1.16_Source.tar.bz2
f76f4d9bd4d8cb79d69d8e5133b6e713 veracrypt_1.16_Source.zip
543767792f640f1e1cfa863fec302056 VeraCrypt Setup 1.16.exe
8a67364348c652dbb623e47d4c9bce85 VeraCrypt User Guide0.pdf
8a67364348c652dbb623e47d4c9bce85 VeraCrypt User Guide.pdf

sha256sum *
e885951442d91ef237ec6c4f4622c12d8ab7d377cc5ddfbe2181360072c429f1 VeraCrypt_1.16_Bundle.7z
bfe147cb4c0a0e8ab47fa71ae0d3eec825f49548246da6e4a75a7b9b6250d78c VeraCrypt_1.16.dmg
81afbde794ea8ff426f4b5ecfe72269fbdc9b99bb759f42eaf54936d1a7dd1ba veracrypt-1.16-setup.tar.bz2
6861e79eb7e662330fa2a304061ebfb6a56929a78d8f4841ed0449a553257e7a veracrypt_1.16_Source.tar.bz2
0a1c6b8165d78be62623194178a109bdd8f8b4dbcb6c24d8b15eba629f99ddaf veracrypt_1.16_Source.zip
aafacca9a600af5b8d66387718c984b8655905f72370bbd772baf90e57e85b7e VeraCrypt Setup 1.16.exe
f5c70ad7ea8dd660f62b9162f745728ccfad1d00e74b3a4eedccf6c3d92eb43f VeraCrypt User Guide0.pdf
f5c70ad7ea8dd660f62b9162f745728ccfad1d00e74b3a4eedccf6c3d92eb43f VeraCrypt User Guide.pdf

I assume someone reading this and checking hashes of his downloads would, for mutual benefit, promptly sound an alarm in case of any mismatch.

Kormoran
Coordinator
Nov 12, 2015 at 4:20 PM
Hi Kormoran,

The SHA-256 and SHA-512 checksum files are already published on the download page: https://veracrypt.codeplex.com/wikipage?title=Downloads

This link is present on VeraCrypt home page https://veracrypt.codeplex.com

The text files containing the hashes are also present in the bundle and on Sourceforge download folder (https://sourceforge.net/projects/veracrypt/files/VeraCrypt%201.16/).

I guess you didn't see them. I thought they were easy to spot.
Any proposal on where to put the hashes to be more visible?

For your information, the hashes and PGP signatures of the bundle are published in pastbin (http://pastebin.com/u/veracrypt) and Reddit (https://www.reddit.com/r/VeraCrypt/comments/3nuf6c/the_veracrypt_116_bundle_file_checksums_and_pgp/)
Nov 12, 2015 at 4:59 PM
Hi Idrassi,

Thanks for the prompt reply. Indeed I missed them. I apologise.

For what's it's worth, for the stuff I publish, hashes are given not as a file to be downloaded, but in the download page html text, together with a gentle nudge to the downloaders to check them. (My comment on the likelihood of MS Windows users checking PGP signatures stands). I am in habit of visiting the page and glancing at the hashes often, as I pass by some Internet connected computer completely unrelated to me. I do that both as a user and as a publisher. An attacker would have to be very, very capable to know when to forge them and when not to.

Anyway, thank you for the commendable effort on this project!

Kormoran