2019-08-29

VeraCrypt download: how to verify its PGP signature

Important consideration: be sure you know your way around Bash in the terminal, and understand the concepts behind GPG / PGP signatures, before using the instructions below.

These instructions are not intended for you if you don't know e.g. what a PGP signature verification is really for.

The steps here are really just a quick reference for you if you already know how to make GnuPG work, but maybe you don't remember the exact steps because, like me, you use it maybe once every 5 years... so you just need a quick reminder.


For better or more detailed instructions: please look for the clear explanation on how to verify downloads on VeraCrypt's own official download page (here's the direct link to it).


Note that VeraCrypt has moved their website!

They've moved their website from the old Codeplex page to the new download page here: https://www.veracrypt.fr/en/Downloads.html

VeraCrypt is apparently sponsored by IDRIX (https://www.idrix.fr) and you can verify the new PGP signature/key from them too: https://www.idrix.fr/Root/content/category/7/32/60/

Their open source development has moved to GitHub where you can see when PGP signature/key update occurred: https://github.com/veracrypt/VeraCrypt/commit/3e25b07646fdb5f01f48da329b91b0553f54a396



On Macs
Make sure Homebrew is installed (or else you can install these yourself from source). Then, in the terminal, you can use these commands to install GnuPG and GPG:

brew install gnupg
brew install gpg2


Next, get VeraCrypt's PGP key ID from:
https://www.idrix.fr/Root/content/category/7/32/60/

It's probably a good idea to cross-reference different websites to ensure the PGP key you got is the right one. There are a few links above to get you started if you want to do this.

Next, in the terminal, run the following command --- you should make sure the key I wrote below is in fact the VeraCrypt PGP Key ID you got from the link above (and do note the PGP signature/key has changed since version 1.22, in case you're verifying an older version):

gpg --recv-keys 0x680D16DE


That should import the public key and print "VeraCrypt Team (2018 - Supersedes Key ID=0x54DDD393)" etc.

Then run the following command in the terminal --- again, you should make sure the key I wrote below is in fact the correct and official VeraCrypt PGP Key ID:

gpg --fingerprint 0x680D16DE


That should display the key fingerprint in the terminal. Compare it and ensure it is the same as the key fingerprint posted on:
https://www.idrix.fr/Root/content/category/7/32/60/
and on:
https://www.veracrypt.fr/en/Digital%20Signatures.html
This comparison is the step that actually matters: the short 8-character key ID used above is not unique, so only the full fingerprint tells you that you imported the right key.

The next step in verifying your download is to run the following in the terminal for your downloaded version of the files:

gpg --verify veracrypt-1.23-setup.tar.bz2{.sig*,}


Obviously, I'm verifying version 1.23 here. The {.sig*,} part is Bash brace expansion, so the command is the same as running gpg --verify with the .sig file first and the downloaded file second. If you're looking at a different version, you should modify the command above to match the filename of whatever you downloaded.

The command above should cause a verification message to be displayed in the terminal.

That verification message should say the signature used key ID 0x680D16DE --- again, you should make sure the key displayed is in fact the correct and official VeraCrypt PGP Key ID!

Alternatively, that message may state that the primary key fingerprint is 5069A233D55A0EEB174A5FC3821ACD02680D16DE --- this should match the correct and official fingerprints found from the links above!

And it should also say the signature is a "Good signature" from the VeraCrypt Team.

That's it!

If during any of the above steps an ID or fingerprint doesn't match, then something terrible has happened: treat it as a failed verification (or a command used incorrectly) and don't use the download until you've sorted out why.
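The manual comparison above (is it a "Good signature", and is it from the key whose fingerprint you pinned?) can be made repeatable. The script below is an added example, not code from the post or from the VeraCrypt project: it reads gpg's machine-readable status output instead of the human text, and accepts a download only if gpg reports a valid signature whose primary key fingerprint equals the one quoted in the post. The sample status lines embedded in it are constructed for illustration; the script name verify.sh is assumed.

```shell
#!/bin/sh
# Added example, not code from the post: automate the fingerprint comparison
# the post tells you to do by eye, using gpg's machine-readable status lines.
# Primary-key fingerprint as quoted in the post. Confirm it yourself against the
# IDRIX and VeraCrypt pages linked above before pinning it here.
VERACRYPT_FPR="5069A233D55A0EEB174A5FC3821ACD02680D16DE"

# check_status EXPECTED_FPR   (gpg --status-fd lines on stdin)
# Succeeds only if a VALIDSIG line names EXPECTED_FPR as the primary key.
# GOODSIG alone only means *some* key in your keyring made the signature,
# which is the failure the post warns about (the wrong key was imported).
check_status() {
    expected=$1
    result=1
    while read -r tag kw f1 rest; do
        [ "$tag" = "[GNUPG:]" ] || continue
        case $kw in
            VALIDSIG)
                # VALIDSIG <signing-key-fpr> <date> ... [<primary-key-fpr>]
                primary=${rest##* }
                [ -n "$primary" ] || primary=$f1
                [ "$primary" = "$expected" ] && result=0
                ;;
            BADSIG|ERRSIG|EXPKEYSIG|REVKEYSIG|NO_PUBKEY)
                return 1   # bad, expired, revoked or unknown key: reject
                ;;
        esac
    done
    return $result
}

# verify_download FILE SIGFILE: status goes to stdout, human chatter is dropped
verify_download() {
    gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null |
        check_status "$VERACRYPT_FPR"
}

# Constructed sample of the status gpg prints for a good signature by the
# pinned key (date and algorithm fields are made up; the fingerprint is the
# one quoted in the post, and the long key ID is its last 16 hex digits).
SAMPLE_GOOD='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 821ACD02680D16DE VeraCrypt Team (2018 - Supersedes Key ID=0x54DDD393)
[GNUPG:] VALIDSIG 5069A233D55A0EEB174A5FC3821ACD02680D16DE 2018-09-12 1536710400 0 4 0 1 10 00 5069A233D55A0EEB174A5FC3821ACD02680D16DE
[GNUPG:] TRUST_UNDEFINED 0 pgp'

# Usage: sh verify.sh veracrypt-1.23-setup.tar.bz2 veracrypt-1.23-setup.tar.bz2.sig
if [ "$#" -eq 2 ]; then
    verify_download "$1" "$2" && echo "OK: signed by the pinned VeraCrypt key" ||
        { echo "FAIL: bad signature or wrong key, do not use this download" >&2; exit 1; }
fi
```

A "TRUST_UNDEFINED" line is normal here, since you never signed the VeraCrypt key yourself; the pinned fingerprint is what establishes trust in this workflow.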


On Linux or Windows

Similar instructions apply for Linux, but install GnuPG and GPG from your system's package management system instead.

You can see similar instructions for setting up VeraCrypt on Kubuntu here.

Similarly for Windows, but you'll have to figure out how to install GPG yourself --- see the Tor project's manual on doing that (that's what helped me piece together the above anyway):
https://www.torproject.org/docs/verifying-signatures.html.en


Need More Help?

If you want more instructions, please look for the very clear explanation on how to verify downloads from VeraCrypt's own official download page (here's the direct link to it).
