2016-09-15

VeraCrypt: how to verify its GPG signature

(Update: the following is still correct, but the key fingerprints I noted have changed since they released version 1.22. See my recent update.)

I'm not sure why the steps to verify a VeraCrypt download aren't more prominently displayed on their website, so I pieced them together myself here:

Download the latest stable release and its PGP signature (the .sig file) here:
https://veracrypt.codeplex.com/wikipage?title=Downloads

On a Mac, make sure Homebrew is installed (or else you can install these yourself from source).

brew install gnupg
brew install gpg2

Get VeraCrypt PGP key ID from:
https://www.idrix.fr/Root/content/category/7/32/60/

In the terminal, run the following with the VeraCrypt PGP Key ID you got above:

gpg --recv-keys 0x54DDD393
gpg --fingerprint 0x54DDD393

That should display the key fingerprint. Compare the full fingerprint (not just the 8-digit key ID, which is short enough that other keys can share it) with the key fingerprint that's posted on:
https://www.idrix.fr/Root/content/category/7/32/60/
and on:
https://veracrypt.codeplex.com/

Now to verify your download, run the following in Terminal, substituting the file names of the version you downloaded (the brace expansion passes the .sig file first and then the .dmg, which is the order gpg expects):

gpg --verify VeraCrypt_1.18.dmg{.sig*,}

The message displayed should say the signature was made using key ID 54DDD393 (make sure it's the key ID found from above!), that it is a good signature, and that it is from "VeraCrypt Team".
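As an added example (not from the original post or from the VeraCrypt project): a small shell script that makes the "make sure it's the key ID found from above" check mechanical. It reads gpg's machine-readable --status-fd output and passes only when the VALIDSIG line carries the full 40-digit fingerprint you copied from the idrix.fr page, rather than trusting the "Good signature" text or the short key ID. EXPECTED_FPR is a placeholder and the file names are examples.

```bash
#!/usr/bin/env bash
# Constructed example. EXPECTED_FPR is a placeholder: replace it with the
# full fingerprint copied from the idrix.fr page, never from the download.
EXPECTED_FPR="0000 0000 0000 0000 0000  0000 0000 0000 0000 0000"

# Read gpg --status-fd output on stdin; succeed only when a VALIDSIG line
# names the expected full fingerprint (as signing key or primary key).
# A BADSIG/ERRSIG/EXPKEYSIG/REVKEYSIG line fails immediately.
check_valid_sig() {
  expected=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
  found=1
  while IFS= read -r line; do
    case "$line" in
      "[GNUPG:] VALIDSIG "*)
        # fields: [GNUPG:] VALIDSIG <fpr> <date> <ts> <exp> <ver> <res>
        #         <pk-algo> <hash-algo> <sig-class> <primary-fpr>
        set -- $line
        if [ "$3" = "$expected" ] || [ "${12}" = "$expected" ]; then
          found=0
        fi ;;
      "[GNUPG:] BADSIG "*|"[GNUPG:] ERRSIG "*|"[GNUPG:] EXPKEYSIG "*|"[GNUPG:] REVKEYSIG "*)
        return 1 ;;
    esac
  done
  return "$found"
}

# verify_download FILE SIGFILE: the same gpg --verify as above, but the
# pass/fail decision comes from the fingerprint check, not from the
# "Good signature" text or the short key ID. The key must already be
# imported (gpg --recv-keys, as described above).
verify_download() {
  gpg --status-fd 1 --verify "$2" "$1" 2>/dev/null | check_valid_sig "$EXPECTED_FPR"
}

# Usage (file names are examples):
#   verify_download VeraCrypt_1.18.dmg VeraCrypt_1.18.dmg.sig && echo OK
```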

Similar instructions apply for Linux, but install GnuPG and GPG from your system's package management system instead.

Similarly for Windows, but you'll have to figure out how to install GPG yourself --- see the Tor project's manual on doing that (that's what helped me piece together the above):
https://www.torproject.org/docs/verifying-signatures.html.en
After all of the above was written and done, I found VeraCrypt's own instructions hidden away at the bottom of a page, without mention of what to install and such, but here they are anyway:
https://veracrypt.codeplex.com/wikipage?title=Digital%20Signatures