I just downloaded Veracrypt from https://www.veracrypt.fr/en/Downloads.html
I calculated the fingerprint of the .tar.bz2 file and of the sha512sum file. The calculated fingerprint is 5069A233D55A0EEB174A5FC3821ACD02680D16DE.
After calculating the fingerprint, I always google (or DuckDuckGo) it. There are only two results from Google.
Results:
https://www.veracrypt.fr/en/Downloads.html
https://www.softantenna.com/softwares/6936-veracrypt
Usually, there are a lot more. One of the sites that I verify from:
https://security.stackexchange.com/questions/181014/how-to-verify-certificate-fingerprint
The fingerprint there is
993B7D7E8E413809828F0F29EB559C7C54DDD393
The change I have noticed from the Veracrypt page is that there is a new version (1.23) released 2 days ago. I downloaded Veracrypt around 2 days ago (cannot remember exactly when) and the fingerprint was validated by third party sources. Correct me if I am wrong, but the fingerprint should not be changed between releases for whatever reason unless the private key was compromised and they created a new one (not mentioned in the release notes). Also, a compromised private key would have me concerned.
Any input from you guys would be appreciated.
Last edit: blip 2018-09-13
https://www.veracrypt.fr/en/Digital%20Signatures.html mentions that there is a new fingerprint post-1.22
Why is this? How can we verify that the website has not been hacked?
I won't touch the new version until this issue is resolved.
Last edit: blip 2018-09-13
The developer explains the change in the announcement at the top of each section and the sticky in the General Discussion section. Thread shown below.
https://sourceforge.net/p/veracrypt/discussion/general/thread/fcd0da57/
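The checks discussed in this thread, written out as an added Python example (not code from VeraCrypt or from anyone posting here): compare the downloaded archive against the published sha512sum file, and compare the signing key's fingerprint against one pinned from an earlier, independently verified download, treating any change as a stop signal until the project's explanation of the key change has been read. The two fingerprint values are the ones quoted above; the archive bytes and filename in `demo()` are constructed placeholders.

```python
import hashlib
import re

# Fingerprints quoted in this thread: one pinned from the earlier, independently
# checked download, and the one observed on the current download page.
PINNED_FINGERPRINT = "993B7D7E8E413809828F0F29EB559C7C54DDD393"
OBSERVED_FINGERPRINT = "5069A233D55A0EEB174A5FC3821ACD02680D16DE"


def normalize_fingerprint(fpr: str) -> str:
    """Drop spaces/colons and upper-case, so '99 3b 7d..' equals '993B7D..'."""
    return re.sub(r"[\s:]", "", fpr).upper()


def fingerprint_status(pinned: str, observed: str) -> str:
    """'ok' if the signing key is the one pinned earlier, else 'changed'.

    'changed' means: do not trust the new key until the project's
    explanation (ideally signed by the old key) has been checked.
    """
    same = normalize_fingerprint(pinned) == normalize_fingerprint(observed)
    return "ok" if same else "changed"


def parse_sha512sum(text: str) -> dict:
    """Parse sha512sum lines: '<128 hex>  <name>' or '<128 hex> *<name>'."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.fullmatch(r"([0-9a-fA-F]{128})\s+\*?(.+)", line)
        if not m:
            raise ValueError(f"malformed sha512sum line: {line!r}")
        entries[m.group(2)] = m.group(1).lower()
    return entries


def verify_sha512sum(sumfile_text: str, files: dict) -> dict:
    """Map each listed filename to True/False; a listed-but-missing file is False."""
    expected = parse_sha512sum(sumfile_text)
    return {
        name: (files.get(name) is not None
               and hashlib.sha512(files[name]).hexdigest() == digest)
        for name, digest in expected.items()
    }


def demo() -> dict:
    """Constructed sample: placeholder archive bytes plus a matching sum file."""
    tarball = b"constructed placeholder, not a real VeraCrypt archive"
    sums = hashlib.sha512(tarball).hexdigest() + "  veracrypt-1.23.tar.bz2\n"
    return verify_sha512sum(sums, {"veracrypt-1.23.tar.bz2": tarball})
```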