How to verify this package #4

@stefansundin
Someone asked this on another website, so I figured it would be helpful to have a page to direct people to whenever this question comes up.

How can I verify that there isn't anything nefarious added to this build?

Here's my best understanding on how to do that. If anyone knows of a simpler way to do this verification then please post a comment below.

Get the inputs used in a Launchpad build

You can easily download all of the inputs used in a Launchpad build. In this example I will use the build of 7.1a-16: https://launchpad.net/~stefansundin/+archive/ubuntu/truecrypt/+sourcepub/16509116/+listing-archive-extra

The three input files are:

  • truecrypt_7.1a.orig.tar.gz - The TrueCrypt source code. It should match the source code released by the TrueCrypt Foundation.
  • truecrypt_7.1a-16.debian.tar.xz - Everything used for the packaging, including patches written by me and others, is contained in this archive.
  • truecrypt_7.1a-16.dsc - The Debian source control file: metadata about the source package, the MD5/SHA-1/SHA-256 checksums and sizes of the two files above, and a signature from me. It ties the two archives to this upload; it says nothing about whether the orig tarball is the genuine TrueCrypt source, which is a separate check (below).

The .deb files listed there are the outputs. By going to the individual build for each architecture, you can also download the full build log to see the output from every step performed by the builder, including which build-dependency packages were installed into the build environment (those are inputs too, and the log is the only record of them).

It is my understanding that networking is disabled during builds to ensure no other inputs can be introduced.

Verify the TrueCrypt source code

First you need to verify that truecrypt_7.1a.orig.tar.gz hasn't been modified. The checksum in the .dsc only proves the tarball is the one that was uploaded, so you need an independent, trusted copy of the official TrueCrypt 7.1a source code for Linux to compare against. Perhaps you downloaded it from truecrypt.org when that website was still up, and you've kept it since then.

I used TrueCrypt 7.1a Source.tar.gz from https://github.com/AuditProject/truecrypt-verified-mirror.

$ sha256sum *.tar.gz
e6214e911d0bbededba274a2f8f8d7b3f6f6951e20f1c3a598fc7a23af81c8dc  truecrypt_7.1a.orig.tar.gz
e6214e911d0bbededba274a2f8f8d7b3f6f6951e20f1c3a598fc7a23af81c8dc  TrueCrypt 7.1a Source.tar.gz

Here you can see that the file used in the Launchpad build is byte-for-byte identical to the copy in the verified mirror, and therefore to the file distributed by the TrueCrypt Foundation, to the extent that you trust the mirror; the signature check below removes that dependency.

As an added exercise you can also use TrueCrypt 7.1a Source.tar.gz.sig and TrueCrypt-Foundation-Public-Key.asc to verify that this file was signed by them. A good signature only proves possession of that key, so compare its fingerprint against a copy you obtained from somewhere other than the mirror itself.
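The two checks above (the .dsc checksums over the two archives, and the signature over the .dsc or over the orig tarball) as a small script. This is an added example, not code from the original post or from the PPA: `verify_dsc_checksums` parses the Checksums-Sha256 stanza of a .dsc and compares each listed file with the copy on disk, and `verify_signature` checks a clearsigned .dsc, or a detached .sig such as the Foundation's, against a single key file in a throwaway keyring. It assumes GNU coreutils (sha256sum), awk and, for the signature part, gpg. The file names, contents and .dsc produced by `make_dsc_fixture` are constructed for the demo; real use is `verify_dsc_checksums truecrypt_7.1a-16.dsc` in the directory holding the three downloaded files.

```shell
#!/bin/sh
# Added example, not code from the original post or the PPA.
# Needs: sha256sum (GNU coreutils), awk; gpg only for verify_signature.

# Print "<sha256> <filename>" for each entry of the Checksums-Sha256 stanza of a .dsc.
# A .dsc is a clearsigned RFC822-style file: a "Field:" line, then indented entries.
dsc_sha256_entries() {
    awk '/^Checksums-Sha256:/ { inside = 1; next }
         inside && /^ /      { print $1, $3; next }
         { inside = 0 }' "$1"
}

# Compare every file listed in the .dsc against the copy in $2 (default: the .dsc's
# own directory). Returns 0 only if every listed file exists and matches; 2 if no stanza.
verify_dsc_checksums() {
    dsc=$1
    dir=${2:-$(dirname "$dsc")}
    entries=$(dsc_sha256_entries "$dsc")
    if [ -z "$entries" ]; then
        echo "no Checksums-Sha256 stanza in $dsc" >&2
        return 2
    fi
    bad=0
    # here-document rather than a pipe, so $bad survives the loop (no subshell)
    while read -r expected name; do
        path=$dir/$name
        if [ ! -f "$path" ]; then
            echo "MISSING  $name"; bad=1; continue
        fi
        actual=$(sha256sum "$path" | cut -d' ' -f1)
        if [ "$actual" = "$expected" ]; then
            echo "OK       $name"
        else
            echo "MISMATCH $name"
            echo "  dsc:    $expected"
            echo "  actual: $actual"
            bad=1
        fi
    done <<EOF
$entries
EOF
    return $bad
}

# Check a signature against ONE key file, in a throwaway GNUPGHOME, so nothing in
# ~/.gnupg can influence the result. With two arguments the file is clearsigned
# (a .dsc); with three, $2 is a detached signature over $3, e.g.
#   verify_signature TrueCrypt-Foundation-Public-Key.asc \
#       "TrueCrypt 7.1a Source.tar.gz.sig" "TrueCrypt 7.1a Source.tar.gz"
# gpg exits 0 for a good signature even from an uncertified key, so still compare the
# fingerprint it prints with one obtained out of band.
verify_signature() {
    key=$1; sig=$2; data=$3
    command -v gpg >/dev/null || { echo "gpg not installed" >&2; return 3; }
    home=$(mktemp -d)
    GNUPGHOME=$home gpg --batch --quiet --import "$key" || return 1
    if [ -n "$data" ]; then
        GNUPGHOME=$home gpg --batch --verify "$sig" "$data"
    else
        GNUPGHOME=$home gpg --batch --verify "$sig"
    fi
}

# Constructed fixture for the demo: two throwaway "source files" and an unsigned
# .dsc listing their real hashes. Names and contents are made up.
make_dsc_fixture() {
    d=$(mktemp -d)
    printf 'not really a tarball\n'  > "$d/example_1.0.orig.tar.gz"
    printf 'not really packaging\n'  > "$d/example_1.0-1.debian.tar.xz"
    {
        echo "Format: 3.0 (quilt)"
        echo "Source: example"
        echo "Checksums-Sha256:"
        for f in example_1.0.orig.tar.gz example_1.0-1.debian.tar.xz; do
            printf ' %s %s %s\n' "$(sha256sum "$d/$f" | cut -d' ' -f1)" \
                                 "$(wc -c < "$d/$f" | tr -d ' ')" "$f"
        done
        echo "Files:"
        echo " d41d8cd98f00b204e9800998ecf8427e 0 placeholder"
    } > "$d/example_1.0-1.dsc"
    echo "$d"
}

demo() {
    d=$(make_dsc_fixture)
    echo "== clean fixture"
    verify_dsc_checksums "$d/example_1.0-1.dsc"
    echo "== after appending to the orig tarball"
    printf 'extra bytes\n' >> "$d/example_1.0.orig.tar.gz"
    if verify_dsc_checksums "$d/example_1.0-1.dsc"; then
        echo "BUG: tampering not detected"; return 1
    fi
    rm -rf "$d"
}
demo
```

The checksum step is what `dscverify` from devscripts also does, plus a keyring check; the hand-rolled version is here so the parsing is visible. Note that a matching checksum proves only that the archives are the ones the .dsc describes, and the signature proves only that the holder of that key produced the .dsc; neither says the orig tarball is the real TrueCrypt source, which is why the comparison against an independent copy above is still needed.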

Verify the debian files

$ tar xvJf truecrypt_7.1a-16.debian.tar.xz
debian/
debian/.vagrant/
debian/.vagrant/machines/
debian/.vagrant/machines/default/
debian/.vagrant/machines/default/virtualbox/
debian/.vagrant/machines/default/virtualbox/action_provision
debian/.vagrant/machines/default/virtualbox/action_set_name
debian/.vagrant/machines/default/virtualbox/box_meta
debian/.vagrant/machines/default/virtualbox/creator_uid
debian/.vagrant/machines/default/virtualbox/id
debian/.vagrant/machines/default/virtualbox/index_uuid
debian/.vagrant/machines/default/virtualbox/private_key
debian/.vagrant/machines/default/virtualbox/synced_folders
debian/.vagrant/machines/default/virtualbox/vagrant_cwd
debian/.vagrant/rgloader/
debian/.vagrant/rgloader/loader.rb
debian/README.md
debian/Vagrantfile
debian/changelog
debian/compat
debian/control
debian/copyright
debian/docs
debian/mount.truecrypt
debian/patches/
debian/patches/series
debian/patches/truecrypt-7.1a-build-fixes.patch
debian/patches/truecrypt-7.1a-gcc5.patch
debian/patches/truecrypt-7.1a-gcc6.patch
debian/patches/truecrypt-7.1a-gui-fixes.patch
debian/patches/truecrypt-7.1a-helpfix.patch
debian/patches/truecrypt-7.1a-indicator.patch
debian/patches/truecrypt-7.1a-open-doc.patch
debian/patches/truecrypt-7.1a-update-urls.patch
debian/patches/truecrypt-7.1a-wxWidgets.patch
debian/patches/truecrypt-7.1a-xdg-open.patch
debian/pkcs11/
debian/pkcs11/pkcs11.h
debian/pkcs11/pkcs11f.h
debian/pkcs11/pkcs11t.h
debian/rules
debian/source/
debian/source/format
debian/source/include-binaries
debian/truecrypt-autostart.desktop
debian/truecrypt-cli.prerm
debian/truecrypt-indicator.png
debian/truecrypt.1
debian/truecrypt.bash-completion
debian/truecrypt.desktop
debian/truecrypt.prerm
debian/truecrypt.sharedmimeinfo

Listed above are all the files in truecrypt_7.1a-16.debian.tar.xz.

Let's go through the interesting files:

  • The .vagrant directory was accidentally included. I'm going to try to add something to prevent this from happening in future builds. These files should not affect the build. They are created when you use vagrant and the Vagrantfile to build the package.
  • The patches directory contains patches that are applied to the source code, in the order listed in debian/patches/series (a patch file that is not listed in series is never applied). Please review these closely for anything nefarious; the '+++' headers tell you which source files each one touches.
  • The pkcs11 directory contains files required for the PKCS #11 functionality in TrueCrypt. According to the README.md file, I downloaded these from ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-11/v2-20/. I have no idea if that server is still accessible, but I found another mirror: https://ftp.acc.umu.se/mirror/archive/ftp.sunet.se/pub/security/docs/PCA/PKCS/ftp.rsa.com/pkcs-11/v2-20/
    $ sha256sum *.h debian/pkcs11/*
    5ae6a4f32ca737e02def3bf314c9842fb89be82bf00b6f4022a97d8d565522b8  pkcs11f.h.h
    1563d877b6f8868b8eb8687358162bfb7f868104ed694beb35ae1c5cf1a58b9b  pkcs11.h.h
    8ce68616304684f92a7e267bcc8f486441e92a5cbdfcfd97e69ac9a0b436fb7b  pkcs11t.h.h
    5ae6a4f32ca737e02def3bf314c9842fb89be82bf00b6f4022a97d8d565522b8  debian/pkcs11/pkcs11f.h
    1563d877b6f8868b8eb8687358162bfb7f868104ed694beb35ae1c5cf1a58b9b  debian/pkcs11/pkcs11.h
    8ce68616304684f92a7e267bcc8f486441e92a5cbdfcfd97e69ac9a0b436fb7b  debian/pkcs11/pkcs11t.h
    Matching hashes show that the bundled headers are byte-for-byte identical to the mirror's copies.
  • Files used during development and not used in the Launchpad build:
    • README.md
    • Vagrantfile
  • You should review all other files yourself. debian/rules and debian/control decide what gets built and installed, and the .prerm maintainer scripts run with root privileges on the installing machine when the package is removed or upgraded.
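An added helper for the first pass over an unpacked debian/ directory like the one listed above (example code, not from the original post or the PPA): for each patch in debian/patches/series it prints the source files the patch touches, it flags series entries with no patch file behind them and patch files that are present but never listed in series, and it lists hidden entries such as .vagrant that do not belong in a source package. It assumes a POSIX shell with grep, awk and find. The tree, patch names and patch contents produced by `make_debian_fixture` are constructed for the demo; on the real package run `tar xJf truecrypt_7.1a-16.debian.tar.xz && audit_debian_dir debian`.

```shell
#!/bin/sh
# Added example, not code from the original post or the PPA.
# First pass over an unpacked debian/ directory:
#  - for each patch in patches/series, the source files it modifies
#  - series entries with no patch file behind them (the build would fail, but look anyway)
#  - patch files present but never listed in series (never applied; ask why they are there)
#  - hidden entries such as .vagrant that have no business in a source package
audit_debian_dir() {
    deb=$1
    series=$deb/patches/series
    if [ -f "$series" ]; then
        # series: one patch per line, '#' comments and blank lines ignored, applied in order
        grep -v '^[[:space:]]*#' "$series" | grep -v '^[[:space:]]*$' |
        while read -r p _; do
            if [ -f "$deb/patches/$p" ]; then
                # the '+++ ' header of each file diff names the file being changed
                touched=$(grep '^+++ ' "$deb/patches/$p" | awk '{ print $2 }' | tr '\n' ' ')
                echo "patch $p touches: $touched"
            else
                echo "MISSING in patches/: $p"
            fi
        done
        for f in "$deb"/patches/*; do
            name=$(basename "$f")
            if [ "$name" = series ]; then continue; fi
            grep -Fqx "$name" "$series" || echo "not in series: $name"
        done
    else
        echo "no patches/series: the orig tarball is built unmodified"
    fi
    # hidden files/dirs anywhere below $deb, reported once, without descending into them
    find "$deb" ! -path "$deb" -name '.*' -prune -print | while read -r h; do
        echo "hidden entry: ${h#"$deb"/}"
    done
}

# Constructed fixture: a tiny debian/ tree with one applied patch, one stray patch
# and a leftover .vagrant directory. All names and contents are made up.
make_debian_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/debian/patches" "$d/debian/.vagrant/machines/default"
    printf 'fix-build.patch\n# gcc7.patch (disabled)\n' > "$d/debian/patches/series"
    cat > "$d/debian/patches/fix-build.patch" <<'EOF'
--- a/Main/Main.cpp
+++ b/Main/Main.cpp
@@ -1 +1 @@
-old line
+new line
--- a/Core/Core.cpp
+++ b/Core/Core.cpp
@@ -1 +1 @@
-x
+y
EOF
    cat > "$d/debian/patches/stray.patch" <<'EOF'
--- a/Platform/Platform.cpp
+++ b/Platform/Platform.cpp
@@ -1 +1 @@
-a
+b
EOF
    : > "$d/debian/.vagrant/machines/default/id"
    echo "$d/debian"
}

# Stand-alone demo on the constructed tree.
audit_debian_dir "$(make_debian_fixture)"
```

The output is a reading list, not a verdict: every "touches" line is a file whose diff you then read by hand, and a stray or hidden entry is a question to ask the packager rather than proof of anything.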

Conclusion

Hopefully performing this verification yourself will put your mind at ease.

If you followed the instructions above and found anything questionable then please post a comment below. Please also post a comment if you followed them and DIDN'T find anything!

If you want absolute security then you should build TrueCrypt yourself.
