[Discuss] TrueCrypt EOL, what's next?

[richard.pieri at gmail.com (Richard Pieri)]

Bill Ricker wrote:
> ?From what Steve Gibson said, the "new" key was gotten early enough it
> would have been well before current incident? -- if malicious, would
> show significant premeditation. 

No, the keys in question are GnuPG keys and unless someone has figured
out a key collision the GnuPG key used to sign the 7.1a binaries is the
same GnuPG key used to sign the 7.2 binaries. There is no "new" key.
Ignore the warnings; that's because I haven't signed the key on my key ring.

[ratinox at chihiro: Desktop]$ gpg --verify TrueCrypt-7.2.exe.sig
gpg: Signature made Tue, May 27, 2014 12:58:45 PM EDT using DSA key ID
F0D6B1E0
gpg: Good signature from "TrueCrypt Foundation <contact at truecrypt.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the
owner.
Primary key fingerprint: C5F4 BAC4 A7B2 2DB8 B8F8  5538 E3BA 73CA F0D6 B1E0
[ratinox at chihiro: Desktop]$ gpg --verify TrueCrypt\ Setup\ 7.1a.exe.sig
gpg: Signature made Tue, Feb 07, 2012  3:56:28 PM EST using DSA key ID
F0D6B1E0
gpg: Good signature from "TrueCrypt Foundation <contact at truecrypt.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the
owner.
Primary key fingerprint: C5F4 BAC4 A7B2 2DB8 B8F8  5538 E3BA 73CA F0D6 B1E0
[ratinox at chihiro: Desktop]$

You can verify that the key fingerprint is correct for yourself.

-- 
Rich P.