<div>
It is just saying as long as the download package hashes matches the hashes listed in below trusted site, then the files are indeed as-is and not malicious. There are sites that spoof the actual package and may be malicious when downloaded. <br />
<a href="https://defuse.ca/truecrypt-7.1a-hashes.htm" rel="ugc">https://defuse.ca/truecrypt-7.1a-hashes.htm</a><br />
<br />
You can easily use a hash calculator to compute the hash and compare against the trusted list. The hash can be either SHA256, or SHA1. I suggest you fixed with using SHA256 in your hash calculator to compute and check the hash strings. See tool<br />
<a href="http://www.mcafee.com/sg/downloads/free-tools/hash-calculator.aspx" rel="ugc nofollow">http://www.mcafee.com/sg/downloads/free-tools/hash-calculator.aspx</a><br />
<br />
Also you can have the exe or hash of the exe or package uploaded in the Virustotal to check if there is any AV reporting their scan has once detected it malicious - see past scan below <br />
<a href="https://www.virustotal.com/en/file/e95eca399dfe95500c4de569efc4cc77b75e2b66a864d467df37733ec06a0ff2/analysis/1431421999/" rel="ugc">https://www.virustotal.com/en/file/e95eca399dfe95500c4de569efc4cc77b75e2b66a864d467df37733ec06a0ff2/analysis/1431421999/</a>
</div>


<div>
We download and installed calculator but how can we use it? I created a fiddler folder, but what's next?
</div>


<div>
The next thing is to use tool to compute the hash. But look like to make it easier for you, can consider online to upload the file or another tool to specified the file dest. See<br />
<br />
<a href="http://hash.online-convert.com/sha256-generator" rel="ugc">http://hash.online-convert.com/sha256-generator</a><br />
<a href="https://sourceforge.net/projects/quickhash/" rel="ugc">https://sourceforge.net/projects/quickhash/</a><br />
<br />
Once this alright also need some pgp tool to verify TC its .sig file or for windowa verify ita digital signature. See<br />
<br />
<a href="https://www.truecrypt71a.com/documentation/miscellaneous/digital-signatures/" rel="ugc">https://www.truecrypt71a.com/documentation/miscellaneous/digital-signatures/</a><br />
<br />
<a href="https://gpgtools.tenderapp.com/discussions/problems/10359-truecrypt-pgp-key-verification#comment_28129801" rel="ugc">https://gpgtools.tenderapp.com/discussions/problems/10359-truecrypt-pgp-key-verification#comment_28129801</a>
</div>


<div>
Don't understand. &nbsp;You gave us a link to view trucrypt hash which we assume it will be used with the link to download a calculator which created a fiddler folder but what do we have to do? &nbsp;We went thru your last links and can't relate or to the previous links. &nbsp;Are we to use the resultas of the previous links with the latest links?
</div>


<div>
You download the Truecrypt file. <br />
<br />
As the fiddler plugin hash calculator does not allow file (except only string) to be hashed, it will not used in your case.<br />
<br />
You then need to download quickhash or just use the online hash.convert to upload the file to generate SHA256.<br />
<br />
You can then compare the generated SHA256 string with the stated hash string in defuse.ca. If the string matches, it means the package is not tamper or corrupted.<br />
<br />
You can then proceed to verify the .sig which I shared in below <br />
<a href="https://www.truecrypt71a.com/documentation/miscellaneous/digital-signatures/" rel="ugc">https://www.truecrypt71a.com/documentation/miscellaneous/digital-signatures/</a><br />
<br />
Hopes this helps.
</div>


<div>
When you say &quot;just use the online hash.convert to upload the file to generate SHA256&quot;, you mean the link you have previously (<a href="http://hash.online-convert.com/sha256-generator)?" rel="ugc">http://hash.online-convert.com/sha256-generator)?</a>
</div>


<div>
Thanx. &nbsp;Lastly when you say &quot;You can then proceed to verify the .sig which I shared in below&quot;, where do find the .sig?
</div>


<div>
Pls see <a href="https://github.com/DrWhax/truecrypt-archive" rel="ugc">https://github.com/DrWhax/truecrypt-archive</a>&nbsp;which also has even earlier version as well
</div>


<div>
Checked it but where it says how to verify the .sig? (tell where to look we can't located it)
</div>


<div>
There is mention on how to verify the signature - see <br />
How to Verify X.509 Signatures<br />
How to Verify PGP Signatures<br />
<br />
<a href="https://www.truecrypt71a.com/documentation/miscellaneous/digital-signatures/" rel="ugc">https://www.truecrypt71a.com/documentation/miscellaneous/digital-signatures/</a>
</div>


<div>
There is a lot of read there (sorry we are in a bit of emergency), but do you know the exact steps?<br />
(If you its ok we find a way)
</div>


<div>
<div class="content wysiwyg-content">
We read in a TrueCrypt <a href="https://www.grc.com/misc/truecrypt/truecrypt.htm" rel="ugc">link</a> to verifying the TrueCrypt v7.1a Files hash to make sure that if we downloaded the correct or legit version of the apps. &nbsp;The link states, and the purpose of our question, that &nbsp;“Many sites attempt to assert the authenticity of the files they offer by posting their cryptographic hash values”. &nbsp;We’ve read the link and its reference links within, but can’t quite grasp the process of verifying TrueCrypt hash. &nbsp;So, as always, turning to EE; how do we do this process of “verifying”?
</div>
</div>


We read in a TrueCrypt link (https://www.grc.com/misc/truecrypt/truecrypt.htm) to verifying the TrueCrypt v7.1a Files hash to make sure that if we downloaded the correct or legit version of the apps.  The link states, and the purpose of our question, that  “Many sites attempt to assert the authenticity of the files they offer by posting their cryptographic hash values”.  We’ve read the link and its reference links within, but can’t quite grasp the process of verifying TrueCrypt hash.  So, as always, turning to EE; how do we do this process of “verifying”?

Verifying the TrueCrypt hashes

Encryption is the process of encoding messages or information in such a way that only authorized parties can read it. In an encryption scheme, the intended communication information or message, referred to as plaintext, is encrypted using an encryption algorithm, generating ciphertext that can only be read if decrypted. For technical reasons, an encryption scheme usually uses a pseudo-random encryption key generated by an algorithm. An authorized recipient can easily decrypt the message with the key provided by the originator to recipients, but not to unauthorized interceptors.

Encryption

Security is the protection of information systems from theft or damage to the hardware, the software, and the information on them, as well as from disruption or misdirection of the services they provide. The main goal of security is protecting assets, and an asset is anything of value and worthy of protection.  Information Security is a discipline of protecting information assets from threats through safeguards to achieve the objectives of confidentiality, integrity, and availability or CIA for short. On the other hand, disclosure, alteration, and disruption (DAD) compromise the security objectives.