It might happen that a TrueCrypt installation package you download from our server was created or modified by an attacker. For example, the attacker could exploit a vulnerability in the server software we use and alter the installation packages stored on the server, or could alter any of the files en route to you.
Therefore, you should always verify the integrity and authenticity of each TrueCrypt distribution package you download or otherwise obtain from any source. In other words, you should always make sure that the file was created by us and was not altered by an attacker. One way to do so is to verify the digital signature(s) of the file.
We currently use two types of digital signatures:
X.509 signatures have the following advantages, in comparison to PGP signatures:
PGP signatures have the following advantages, in comparison to X.509 signatures:
Please note that X.509 signatures are currently available only for the TrueCrypt self-extracting installation packages for Windows. An X.509 digital signature is embedded in each of those files along with the digital certificate of the TrueCrypt Foundation issued by a public certification authority. To verify the integrity and authenticity of a self-extracting installation package for Windows, follow these steps:
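The following PowerShell function is an added example, not part of the TrueCrypt documentation, showing how the embedded X.509 (Authenticode) signature of a Windows self-extracting package can be checked. It assumes a placeholder file path and a placeholder certificate thumbprint that you would obtain from a trusted source; checking the signer's identity in addition to the signature status is what prevents a validly signed file from some other certificate holder from being accepted.

```powershell
# Added example (not from the TrueCrypt documentation): verify the Authenticode
# (X.509) signature embedded in a Windows self-extracting installer and pin the
# signer's certificate. $ExpectedThumbprint is a placeholder; take the real value
# from a trusted, independent source, never from the download itself.
function Test-InstallerSignature {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedThumbprint
    )

    $sig = Get-AuthenticodeSignature -FilePath $Path

    # 'Valid' means the file's hash matches the signed hash AND the certificate
    # chains to a root trusted by this machine. Any other status is a failure
    # (NotSigned, HashMismatch, UnknownError, ...), so treat it as such.
    if ($sig.Status -ne 'Valid') {
        Write-Warning "Signature check failed: $($sig.Status) - $($sig.StatusMessage)"
        return $false
    }

    # A valid signature only proves that *someone* holding a CA-issued code-signing
    # certificate signed the file. Also require that the signer is the expected one.
    $actual = $sig.SignerCertificate.Thumbprint
    if ($actual -ne $ExpectedThumbprint) {
        Write-Warning "Unexpected signer: $($sig.SignerCertificate.Subject) ($actual)"
        return $false
    }

    Write-Host "OK: signed by $($sig.SignerCertificate.Subject)"
    return $true
}

# Usage (path and thumbprint are placeholders):
# Test-InstallerSignature -Path 'C:\Downloads\TrueCrypt Setup.exe' `
#     -ExpectedThumbprint '<THUMBPRINT_FROM_TRUSTED_SOURCE>'
```

If the function returns $false, do not run the installer; obtain the package again from a trusted source and repeat the check.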
To verify a PGP signature, follow these steps:
By Andrew Y. (@andryou) - no affiliation with TrueCrypt - fair use - site for non-monetary, reference purposes only