Hash Doesn't Match Original Dev Files

Asked by Daniel.Escobar

Apologies for my lack of knowledge if I ask an obvious question; I'm just trying to learn with your help.
I've checked the files in VeraCrypt's PPA maintained by ~unit193, but the version available doesn't match any of the original files for Debian or Ubuntu available on the veracrypt.fr website. The file listed by 'apt-cache show' is veracrypt_1.26.7-0vanir1~bpo22.04_amd64.deb, whose hash doesn't match anything released by the devs. Can anyone provide info on the origin of this file and how we can trust it?

Question information

Language: English
Status: Solved
For: VeraCrypt
Assignee: No assignee
Solved by: Daniel.Escobar
#1 Jürgen Gmach (jugmac00) said:

Daniel, could you please add a link to the PPA you are referring to? Thank you!

#2 Manfred Hampl (m-hampl) said:

Probably https://launchpad.net/~unit193/+archive/ubuntu/encryption

It does not make sense to check the packages from an Ubuntu PPA against the checksums or signatures for packages on the veracrypt.fr web page. They will always differ, e.g. because of different dates and version strings mentioned in the change logs.

#3 Daniel.Escobar (daniel-della-notte) said:

Thanks for the quick answer, Jürgen and Manfred. Yes, it's that PPA, and again pardon my ignorance, but how can users check that the files haven't been modified beyond just the date and version strings?

For example, if I do an apt-get download veracrypt, it only downloads the .deb file but not the .deb.asc file, so I cannot compare the PGP signature against the original published by the devs.

#4 Manfred Hampl (m-hampl) said:

There is no simple way to verify whether the package from the PPA has got the same contents as the software provided on the veracrypt.fr web pages, because they have been prepared in different ways, e.g. using different zipping algorithms.

The Ubuntu repositories and PPAs don't use *.deb and *.deb.asc files for signature checking, but different mechanisms, and these are automatically executed by the package management system (e.g. by the apt command).

#5 Daniel.Escobar (daniel-della-notte) said:

Thanks for the additional information. So far what I managed to learn with the help of ChatGPT, and please correct me if I'm wrong, is that ultimately verifying the integrity of a package relies on checking it against the GPG signature provided by the repository creator.

This method ultimately relies on the reputation and trustworthiness of the repository creator. In my opinion this is an inferior method of verification to the one provided by Arch Linux, for example, where you can verify the hash of the package against the original files provided by the devs. There the trust factor is out of the equation and again, in my humble opinion, that is vital in very sensitive software like VeraCrypt where you don't want any type of backdoor. In the case of VeraCrypt the PPA is trustworthy, as it's listed on the devs' website as a third-party resource, but the method in itself is a bit flawed.

So far this has been enlightening to learn about Debian-based distros like Ubuntu, and it has decreased their quality in my eyes.