29 August 2019

VeraCrypt download: how to verify its PGP signature

VeraCrypt's download page has a link to a clear explanation on how to verify its download.  But I noticed the PGP signature/key has changed since version 1.22.

They've also since moved their website from the old Codeplex page to the new download page here: https://www.veracrypt.fr/en/Downloads.html

VeraCrypt is apparently sponsored by IDRIX (https://www.idrix.fr) and you can verify the new PGP signature/key from them too: https://www.idrix.fr/Root/content/category/7/32/60/

Their open-source development has moved to GitHub, where you can see the commit in which the PGP signing key was updated: https://github.com/veracrypt/VeraCrypt/commit/3e25b07646fdb5f01f48da329b91b0553f54a396

On Macs

Make sure Homebrew is installed (or else you can install these yourself from source).

brew install gnupg
brew install gpg2

Get VeraCrypt PGP key ID from:
https://www.idrix.fr/Root/content/category/7/32/60/

In the terminal, run the following with the VeraCrypt PGP Key ID you got above:

gpg --recv-keys 0x680D16DE

That should import the public key and say "VeraCrypt Team (2018 - Supersedes Key ID=0x54DDD393)" etc.

gpg --fingerprint 0x680D16DE

That should display the key fingerprint, which you should compare with the key fingerprint that's posted on:
https://www.idrix.fr/Root/content/category/7/32/60/
and on:
https://www.veracrypt.fr/en/Digital%20Signatures.html

Now, to verify your download, run the following in Terminal, substituting the version you downloaded (the {.sig*,} brace expansion hands gpg the .sig file first and then the file itself, which is the argument order gpg --verify expects):

gpg --verify veracrypt-1.23-setup.tar.bz2{.sig*,}

The message displayed should say the signature used key ID 0x680D16DE (make sure it's the key ID found from above!), or that the primary key fingerprint is 5069A233D55A0EEB174A5FC3821ACD02680D16DE (matching the fingerprints from the above links).

And it should say the signature is a "Good signature" from the VeraCrypt Team.

That's it!
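As an added example (not part of this post, and not VeraCrypt's or IDRIX's own tooling), here is a small POSIX shell script that wraps the verify step so that the full 40-hex-digit primary key fingerprint is pinned, rather than only the 8-digit key ID. Two things make this worth automating: a short key ID is just the last 32 bits of the fingerprint and can be deliberately collided by a third party, and gpg --verify exits 0 for a "Good signature" from any key in your keyring, even one you never compared against the IDRIX/VeraCrypt pages (it only prints a warning that the key is not certified). The script reads gpg's machine-readable status output (--status-fd) and compares the primary key fingerprint on the VALIDSIG line with the one you took from those pages. It assumes a GnuPG 2.x gpg on the PATH; the demo function builds a throwaway key in a temporary GNUPGHOME, signs a constructed stand-in file, and checks that the genuine signature passes while a wrong pin and a tampered file both fail. The key name, e-mail address and file names in the demo are made up.

```shell
#!/bin/sh
# Added example: pin the full primary-key fingerprint when verifying a download.
# Not VeraCrypt's or IDRIX's own code; the throwaway key, its e-mail address
# and the file names below are constructed for the demo.

# verify_signed_download EXPECTED_FINGERPRINT SIGNATURE_FILE DATA_FILE
# Returns 0 only if gpg reports a valid signature AND the primary key behind it
# has exactly the expected 40-hex-digit fingerprint (spaces and lowercase ok).
verify_signed_download() {
    expected=$(printf '%s' "$1" | tr -d ' ' | tr 'abcdef' 'ABCDEF')
    sig=$2
    data=$3
    # --status-fd 1 puts the machine-readable "[GNUPG:] ..." lines on stdout;
    # the human-readable text goes to stderr, which is discarded here.
    status=$(gpg --batch --status-fd 1 --verify "$sig" "$data" 2>/dev/null) || return 1
    # VALIDSIG is only emitted for a good signature.  Its last field is the
    # primary key fingerprint (the first field may be a signing subkey).
    primary=$(printf '%s\n' "$status" | awk '/^\[GNUPG:\] VALIDSIG /{print $NF; exit}')
    [ -n "$primary" ] || return 1
    [ "$primary" = "$expected" ]
}

# demo_with_throwaway_key: exercise the check offline.  Generates a key in a
# temporary GNUPGHOME, signs a constructed file, and confirms that the genuine
# signature passes while a wrong pin and a tampered file both fail.
demo_with_throwaway_key() {
    home=$(mktemp -d) || return 1
    chmod 700 "$home"
    saved_home=${GNUPGHOME:-}
    GNUPGHOME=$home
    export GNUPGHOME
    cat >"$home/params" <<'EOF'
%no-protection
Key-Type: RSA
Key-Length: 2048
Name-Real: Throwaway Demo Key
Name-Email: demo@example.invalid
Expire-Date: 0
%commit
EOF
    result=1
    if gpg --batch --quiet --gen-key "$home/params" 2>/dev/null; then
        # Read the new key's fingerprint from the keyring: colon format, "fpr" record, field 10.
        fpr=$(gpg --batch --with-colons --fingerprint demo@example.invalid 2>/dev/null \
              | awk -F: '$1 == "fpr" { print $10; exit }')
        printf 'constructed stand-in for veracrypt-1.23-setup.tar.bz2\n' >"$home/download"
        printf 'constructed stand-in, tampered after signing\n' >"$home/tampered"
        if gpg --batch --quiet --detach-sign --output "$home/download.sig" "$home/download" 2>/dev/null; then
            wrong_pin=0000000000000000000000000000000000000000
            if verify_signed_download "$fpr" "$home/download.sig" "$home/download" \
               && ! verify_signed_download "$wrong_pin" "$home/download.sig" "$home/download" \
               && ! verify_signed_download "$fpr" "$home/download.sig" "$home/tampered"; then
                result=0
            fi
        fi
    fi
    # Stop the agent gpg started for this keyring, restore the environment, clean up.
    gpgconf --kill gpg-agent 2>/dev/null || true
    if [ -n "$saved_home" ]; then GNUPGHOME=$saved_home; else unset GNUPGHOME; fi
    rm -rf "$home"
    return $result
}

# Run as "sh verify_download.sh demo" to exercise the check with a throwaway key.
case "${1:-}" in
    demo) demo_with_throwaway_key && echo "all three checks behaved as expected" ;;
esac
```

For a real download, after importing the key as above, source the script and call verify_signed_download with the fingerprint quoted in this post, the .sig file and the installer: verify_signed_download 5069A233D55A0EEB174A5FC3821ACD02680D16DE veracrypt-1.23-setup.tar.bz2.sig veracrypt-1.23-setup.tar.bz2. An exit status of 0 then means both that gpg accepted the signature and that the key which made it is the one whose fingerprint you checked against the IDRIX and VeraCrypt pages.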

On Linux or Windows

Similar instructions apply on Linux, but install GnuPG (gpg) from your distribution's package manager instead.

You can see similar instructions for setting up VeraCrypt on Kubuntu here.

Similarly for Windows, but you'll have to figure out how to install GPG yourself --- see the Tor project's manual on doing that (that's what helped me piece together the above):
https://www.torproject.org/docs/verifying-signatures.html.en