[Discuss] TrueCrypt EOL, what's next?

Edward Ned Harvey (blu) blu at nedharvey.com
Sun Jun 1 08:19:16 EDT 2014


> From: discuss-bounces+blu=nedharvey.com at blu.org [mailto:discuss-
> bounces+blu=nedharvey.com at blu.org] On Behalf Of Bill Bogstad
> 
> Why bother to get a new key if you are going to just stop using it soon anyway?

The "new" code signing cert was issued in late 2012.  The binary I have archived came from early 2012.

Actually, it gets a little more interesting than that - 

At one company that I support, I recently discovered that I downloaded and archived the TrueCrypt installer in late 2013.  It is literally the same exact binary that I downloaded at home in early 2012.  It seems they continued distributing the same binary unmodified for years after the code signing cert expired, despite the fact that they had already acquired an updated cert.

To me, this adds substantiation to the rumors that the TC developers just don't want to maintain anymore.

Along similar lines:  http://truecrypt.ch 

The truecrypt 7.1a.exe binary they are distributing is binary equivalent to the ones I have.  So I can attest they are untampered.  And if you download, you'll see, it's signed Feb 2012.

$ md5sum.exe *.exe
7a23ac83a0856c352025a6f7c9cc1526 *TrueCrypt Setup 7.1a.exe

$ sha1sum.exe *.exe
7689d038c76bd1df695d295c026961e50e4a62ea *TrueCrypt Setup 7.1a.exe

I also downloaded the source on 3/6/2012.  It's just been sitting there - I didn't realize until the beginning of this email that there had been no code changes in the last couple of years, and I assumed until this minute that my archived source code was probably extremely stale.  But now I realize it's probably the latest greatest version.

I don't expect anything will happen to me, but just in case, I encourage you all to grab a copy:
https://dl.dropboxusercontent.com/u/543241/TrueCrypt%207.1a%20Source.zip 
MD5 (TrueCrypt 7.1a Source.zip) = 3ca3617ab193af91e25685015dc5e560
SHA1 (TrueCrypt 7.1a Source.zip ) = 4baa4660bf9369d6eeaeb63426768b74f77afdf2

I have been searching for people on the net that have the source, and so far haven't been satisfied.  There is a project called fauxfaux, but when I diff their code against my archived tar, it has some differences.  They may be fine, I haven't really dug into it much, but the existence of differences was enough for me to say I'm not yet satisfied.


