

Ask HN: How can I securely install Truecrypt on OS X? - MarkMc

I want to download and install Truecrypt on OS X 10.9. Unfortunately, the Mac installer available on the Truecrypt website is not signed the way that OS X installers are normally signed. Instead, I need to use the PGP method described on this page:
http://www.truecrypt.org/docs/digital-signatures

So the problem then becomes: How can I securely install a program to check PGP signatures? I've come across 3 options, each with problems:

1. Download the GnuPG source zip file and check the SHA-1 checksum as described here:
http://www.gnupg.org/download/index.html
But isn't it possible for a 'man in the middle' to tamper with the download while still producing the same SHA-1 checksum?

2. Download the Mac installer from this site:
http://gpgtools.org/
But it is signed by someone called 'Lukas Pitschl' who I've never heard of and so cannot trust.

3. Download the Macports installer and install GnuPG as described here:
http://www.mattnworb.com/post/16019918033/how-to-verify-a-pgp-signature-with-gnupg
But the Macports OS X installer is signed by Robert Mercer - again, this is someone I have never heard of and cannot trust.

So how can I install Truecrypt securely without trusting someone I've never heard of?
======
philtar
1) The probability of someone producing a different download with the same
checksum is 1 / 2^80

2) Then why trust the truecrypt guys?

3) Then why trust the truecrypt guys?

The only way to achieve the level of security you're looking for is to
download the truecrypt source code, audit it and then compile it and use that.

