Bill Ricker wrote:
> From what Steve Gibson said, the "new" key was gotten early enough it
> would have been well before current incident -- if malicious, would
> show significant premeditation.

No, the keys in question are GnuPG keys and unless someone has figured out a key collision the GnuPG key used to sign the 7.1a binaries is the same GnuPG key used to sign the 7.2 binaries. There is no "new" key. Ignore the warnings; that's because I haven't signed the key on my key ring.

[ratinox@chihiro: Desktop]$ gpg --verify TrueCrypt-7.2.exe.sig
gpg: Signature made Tue, May 27, 2014 12:58:45 PM EDT using DSA key ID F0D6B1E0
gpg: Good signature from "TrueCrypt Foundation <cont...@truecrypt.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: C5F4 BAC4 A7B2 2DB8 B8F8 5538 E3BA 73CA F0D6 B1E0
[ratinox@chihiro: Desktop]$ gpg --verify TrueCrypt\ Setup\ 7.1a.exe.sig
gpg: Signature made Tue, Feb 07, 2012 3:56:28 PM EST using DSA key ID F0D6B1E0
gpg: Good signature from "TrueCrypt Foundation <cont...@truecrypt.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: C5F4 BAC4 A7B2 2DB8 B8F8 5538 E3BA 73CA F0D6 B1E0
[ratinox@chihiro: Desktop]$

You can verify that the key fingerprint is correct for yourself.

-- 
Rich P.
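
Added example, not part of the original post: the same-key check done on gpg's machine-readable status lines (`gpg --status-fd 1 --verify FILE.sig`) instead of by eye, comparing the full primary key fingerprint rather than the 8-digit key ID. The status text, timestamps and look-alike fingerprint are constructed samples, the function names are hypothetical, and a 40-hex-digit fingerprint is assumed.

```python
import re

# Primary key fingerprint as printed in the post above, spaces removed.
PINNED_FPR = "C5F4BAC4A7B22DB8B8F85538E3BA73CAF0D6B1E0"
# Constructed look-alike: same 8-hex-digit short key ID, different key.
LOOKALIKE_FPR = "0123456789ABCDEF0123456789ABCDEF" + "F0D6B1E0"

def sample_status(fpr, date, ts):
    """Constructed stand-in for `gpg --status-fd 1 --verify FILE.sig` output."""
    return (f"[GNUPG:] GOODSIG {fpr[-16:]} TrueCrypt Foundation\n"
            f"[GNUPG:] VALIDSIG {fpr} {date} {ts} 0 4 0 17 2 00 {fpr}\n"
            "[GNUPG:] TRUST_UNDEFINED\n")  # matches the 'not certified' warning

def primary_fingerprint(status_text):
    """Primary-key fingerprint of a good signature, or None if not verified."""
    good, fpr = False, None
    for line in status_text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] != "[GNUPG:]":
            continue
        if parts[1] in ("BADSIG", "ERRSIG"):
            return None
        if parts[1] == "GOODSIG":
            good = True
        elif parts[1] == "VALIDSIG" and len(parts) >= 3:
            # Field 10 is the primary key's fingerprint when gpg reports it;
            # otherwise fall back to the signing key's fingerprint (field 1).
            cand = (parts[11] if len(parts) >= 12 else parts[2]).upper()
            if re.fullmatch(r"[0-9A-F]{40}", cand):
                fpr = cand
    return fpr if good else None

def same_signer(status_a, status_b, pinned=PINNED_FPR):
    """True only if both signatures verify under the same pinned fingerprint."""
    a, b = primary_fingerprint(status_a), primary_fingerprint(status_b)
    return a is not None and a == b == pinned

# Constructed status output for the two releases and for a look-alike key.
STATUS_71A = sample_status(PINNED_FPR, "2012-02-07", 1328648188)
STATUS_72 = sample_status(PINNED_FPR, "2014-05-27", 1401209925)
STATUS_FAKE = sample_status(LOOKALIKE_FPR, "2014-05-27", 1401209925)

if __name__ == "__main__":
    print("7.1a and 7.2 same signer:", same_signer(STATUS_71A, STATUS_72))
    print("look-alike accepted:", same_signer(STATUS_71A, STATUS_FAKE))
```

The look-alike shares the short key ID F0D6B1E0 with the real key and is still rejected, because only the full fingerprint is compared.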