This is a great first step, but we're not done yet. It proves the binaries are built from the published code, but only when the published code has been thoroughly vetted can we conclude there is no backdoor.
"TrueCrypt is a project that doesn't provide deterministic builds."

Why? What is the benefit of doing so when everyone wants a deterministic build?
I am just shooting in the dark, but wouldn't it be easier to compile it twice and diff the outcomes to find out which parts change, so those can be ruled out?
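The "compile twice and diff" idea in the comment above, as an added example that is not part of the thread or of the article it discusses. The two "builds" are constructed byte strings laid out like a tiny PE-ish image (8-byte header, 4-byte timestamp, 512 bytes of "code", a 32-byte build-path field); the field offsets are illustrative assumptions, not TrueCrypt's real layout. The script locates the byte ranges that differ between the two builds, shows them with hex context, and then checks that once the known non-deterministic fields are masked the rest of the image is byte-identical:

```python
"""
Find the regions in which two builds of the same source differ, so the
non-deterministic parts (timestamps, embedded build paths, signature blobs)
can be identified and masked before judging whether the rest matches.

Added example; not code from the article or the TrueCrypt project.
The sample "builds" below are constructed and their layout is assumed.
"""
import struct
from typing import List, Tuple

Range = Tuple[int, int]  # half-open byte offsets (start, end)

# Assumed layout of the constructed sample image (not a real PE layout).
HEADER_LEN = 8
TIMESTAMP_FIELD: Range = (8, 12)      # 4-byte little-endian timestamp
CODE_LEN = 512
PATH_FIELD: Range = (524, 556)        # 32-byte NUL-padded build path


def differing_ranges(a: bytes, b: bytes) -> List[Range]:
    """Return the contiguous half-open ranges in which a and b differ.

    A length mismatch is reported as a trailing range over the extra bytes,
    since two builds of different size cannot be a match either.
    """
    ranges: List[Range] = []
    start = None
    n = min(len(a), len(b))
    for i in range(n):
        if a[i] != b[i]:
            if start is None:
                start = i
        elif start is not None:
            ranges.append((start, i))
            start = None
    if start is not None:
        ranges.append((start, n))
    if len(a) != len(b):
        ranges.append((n, max(len(a), len(b))))
    return ranges


def masked_equal(a: bytes, b: bytes, ignore: List[Range]) -> bool:
    """True if a and b are byte-identical everywhere outside the ignored ranges."""
    if len(a) != len(b):
        return False
    masked = bytearray(len(a))
    for s, e in ignore:
        for i in range(s, min(e, len(a))):
            masked[i] = 1
    return all(masked[i] or a[i] == b[i] for i in range(len(a)))


def hex_window(data: bytes, rng: Range, context: int = 4) -> str:
    """Hex view of a differing range with a few bytes of context on each side,
    the way you would eyeball it in a hex editor."""
    s = max(0, rng[0] - context)
    e = min(len(data), rng[1] + context)
    return f"{s:08x}: " + " ".join(f"{byte:02x}" for byte in data[s:e])


def make_build(timestamp: int, build_path: bytes) -> bytes:
    """Constructed stand-in for a compiled binary: only the timestamp and the
    embedded build path vary between two compilations of the same source."""
    header = b"MZ" + b"\x00" * (HEADER_LEN - 2)
    ts = struct.pack("<I", timestamp)
    code = bytes(range(256)) * (CODE_LEN // 256)   # deterministic "code"
    path = build_path.ljust(PATH_FIELD[1] - PATH_FIELD[0], b"\x00")
    return header + ts + code + path + b"END"


def demo() -> dict:
    # Two compilations: different link time, different checkout directory.
    build_a = make_build(0x52834A10, b"C:\\src\\truecrypt\\")
    build_b = make_build(0x53945B21, b"C:\\bld\\truecrypt\\")
    diffs = differing_ranges(build_a, build_b)
    return {
        "diffs": diffs,
        "total_differing_bytes": sum(e - s for s, e in diffs),
        "windows": [(hex_window(build_a, r), hex_window(build_b, r)) for r in diffs],
        # Masking only the timestamp is not enough: the path still differs.
        "match_with_only_timestamp_masked": masked_equal(build_a, build_b, [TIMESTAMP_FIELD]),
        # Masking both known non-deterministic fields leaves everything identical.
        "match_with_known_fields_masked": masked_equal(build_a, build_b, [TIMESTAMP_FIELD, PATH_FIELD]),
    }


if __name__ == "__main__":
    result = demo()
    for rng, (wa, wb) in zip(result["diffs"], result["windows"]):
        print(f"differs at {rng}:\n  A {wa}\n  B {wb}")
    print("match outside timestamp+path:", result["match_with_known_fields_masked"])
```

On real binaries you would read the two files with `open(path, "rb").read()` and then decide, range by range, whether each difference is explained by a field you expect to vary (link timestamp, PDB path, Authenticode signature) or is unexplained code, which is exactly the part that must match for the "built from the published source" claim to hold.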
It seems to me that the relaxed GPG key verification that the author uses doesn't give us any more assurance regarding the authenticity of the source than a simple hash offered on the website would. I think in this situation, if the author did not intend to attempt more rigorous verification of the TrueCrypt PGP key, at least cross-checking that the key offered on the site matches the key offered on a public key server (pgp.mit.edu, for example) would be prudent before signing the TrueCrypt key with your own.

> Import the .asc file in the keyring (File > Import certificates).
> Now you should mark the key as trusted: right click on the TrueCrypt Foundation public key
> in the list under Imported Certificate tab > Change Owner Trust, and set it as "I believe checks are casual".
> You should also generate your own key pair to sign this key in order to show you really trust
> it and get a nice confirmation when verifying the binary.
I get the point regarding verifying the Windows compile and build, but wouldn't the same verification on an open-source platform allow for even easier (maybe even automatic) verification?

How about a VMware/VirtualBox image set up explicitly for that purpose? Not feasible for Windows due to licensing issues, I guess.

Also, huge kudos for the effort going into this work. Thanks!
> TrueCrypt is not backdoored in a way that is not visible from the sources

... as long as you also trust the compiler not to introduce any backdoor (cf. Reflections on Trusting Trust).
I just came in to say it's incredible work done by this guy... it's been years since I analyzed a file in hex mode (from Norton Commander, hehe).