How to verify X.509 signatures?
Peter Lebbing
peter at digitalbrains.com
Sun Mar 24 11:07:12 CET 2013
On 23/03/13 21:06, adrelanos wrote:
> TrueCrypt.org says [1] they are signing "TrueCrypt Setup 7.1a.exe" [2]
> with a X.509 signature. How can I verify such a signature?
This is probably a "Microsoft Authenticode" signature on a Microsoft PE
executable. It's very specifically a Microsoft thing, and you'll need a program
with specific support for this format. It's X.509 wrapped inside an executable.
If you Google for it, you'll probably find a lot of references to a heated
discussion between Matthew Garret and Linus Torvalds about including a parser in
the Linux kernel :).
The best I could come up with through Googling was [1]. You might be able to
write something up in Python with the pefile module.
Alternatively, just either
- verify on Windows, by checking the "Properties" of the executable
- verify using the OpenPGP signature they also provide
Seems to me that TrueCrypt is such a high-profile thing that I can see some
secret service subverting a CA to get a valid signature on their own backdoored
version of it.
Also, there is something strange going on? It says on the page you linked[2]
that all downloads are HTTPS, but all the HTTPS server on www.truecrypt.org
seems to do is redirect you to the HTTP server. I wanted to say that an X.509
signature on the executable doesn't add much compared to downloading it over
HTTPS, but when the server is downgrading the connection...
Anyway, my point, I wouldn't trust an X.509 signature on TrueCrypt anyway. It's
too big a target for very well-funded groups that can subvert one of the immense
amount of trusted CA's. If you're worried your download might be backdoored, you
should be worried that it probably also carries a valid signature.
Good luck,
Peter.
[1]<http://hype-free.blogspot.nl/2008/09/how-to-verify-executable-digital.html>
[2]<http://www.truecrypt.org/docs/?s=digital-signatures>
--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>
More information about the Gnupg-users
mailing list