Digital Signatures Why Verify Digital Signatures It might happen that a TrueCrypt installation package you download from our server was created or
modified by an attacker. For example, the attacker could exploit a vulnerability in the server
software we use and alter the installation packages stored on the server, or he/she could alter any
of the files en route to you.
Therefore, you should always verify the integrity and authenticity of each TrueCrypt distribution
package you download or otherwise obtain from any source. In other words, you should always
make sure that the file was created by us and it was not altered by an attacker. One way to do so
is to verify so-called digital signature(s) of the file.
Types of Digital Signatures We Use We currently use two types of digital signatures:
•
PGP signatures (available for all binary and source code packages for all supported
systems).
•
X.509 signatures (available for binary packages for Windows).
Advantages of X.509 Signatures X.509 signatures have the following advantages, in comparison to PGP signatures:
•
It is much easier to verify that the key that signed the file is really ours (not attacker’s).
•
You do not have to download or install any extra software to verify an X.509 signature (see
below).
•
You do not have to download and import our public key (it is embedded in the signed file).
•
You do not have to download any separate signature file (the signature is embedded in the
signed file).
Advantages of PGP Signatures PGP signatures have the following advantages, in comparison to X.509 signatures:
•
They do not depend on any certificate authority (which might be e.g. infiltrated or controlled
by an adversary, or be untrustworthy for other reasons).
