Veracrypt Project Update

https://sourceforge.net/p/veracrypt/discussion/general/thread/9620d7a4b3/

156•super256•2h ago

Comments

dizhn•1h ago

Microsoft disabled the developer's certificate so no windows releases can be made.

jonathanstrange•48m ago

As someone who is just planning to publish signed desktop software for Windows, this is deeply worrying. What reasons could there be for cancelling a certificate, especially when it has been used for years and the identity is already established?

Are there some ways to combat such decisions legally?

politelemon•34m ago

This is a concern and risk that has realised itself multiple times over the past decades. There have been multiple stories linked to multiple developers in the past.

If you publish to any closed platform including ios, mac, win, android, this is the risk you run and a condition of operating you will need to accept.

shelled•17m ago

Realistically speaking - anything could be a reason. A shakedown or blocking based on some "nudge" (this might come across as tin-foiled though). Some flag/trip-wires going wrong, more worryingly due to a bug/false alarm - and this is more worrying because in this case semi-incompetent large orgs like MSFT find it really hard to accept it, fix, and move on. Some change in OP's account that either they don't see or haven't realised - some edge case, you never know.

And of course, it doesn't affect their earnings and there are no consequence, or significant, so they won't care and won't respond or tell what went wrong.

Can one move legally? Sure. But then it effectively is a combo of who blinks first and who can hold their breath longer.

technion•1m ago

There's more to it. Signed desktop software can be signed by any CA.

Veracrypt has kernel drivers. Microsoft's ability to control what you can sign is specific to kernel drivers, and Microsoft's trigger finger around bans exists in the world where bad drivers BSOD machines.

In general this isn't your problem.

ErroneousBosh•1h ago

Jesus, sourceforge is still on the go?

SXX•1h ago

Might be it even not using all your code to train AI. Or at least not asking your explicit permission to do it.

karel-3d•55m ago

sourceforge was always very scummy, I think they would definitely use the code for that if they could

mbreese•32m ago

It wasn’t always scummy… but there was a definite shift after they got bought. It’s kept getting worse since then.

Then again, this was something like 20 years ago. Back then, Sourceforge was something closer to GitHub today. It was the de facto public source repository. You could even get an on-premise version, IIRC.

Actually, this is sounding a lot like GitHub these days… not sure what that means.

JimDabell•23m ago

Not every conversation has to be a conversation about AI.

egorfine•1h ago

And unfortunately some projects exclusively use sourceforge. Which breaks some of my CI pipelines.

kome•21m ago

yeah, it just works

firen777•1h ago

It's like LibreOffice all over again: https://www.neowin.net/news/microsoft-bans-libreoffice-devel...

pogue•1h ago

They need to get some tech site like Arstechnica to write about it, like they did when neocities couldn't get ahold of bing. The only way to contact these tech companies to speak to a real human being and not a chatbot is if you know somebody who works there or if the media writes about it.

CR1337•30m ago

I blew the lid on X today:

https://x.com/i/status/2041698657368703484

ninjagoo•38m ago

Looks like Linux and some of the BSDs are the only remaining truly open OSes.

nixpulvis•35m ago

We need a better way to sign and verify software. Clearly companies like Microsoft and Apple have not been good for the open source communities and are inhibiting innovation.

PunchyHamster•33m ago

Just add code cert generation to letsencrypt, it's not like MS validates the code that you sign used certs from them anyway

mr_mitm•18m ago

What would be the point? How would you prevent malware from being signed? Currently, code signatures are used as a signal for trustworthiness of the code.

Eldt•6m ago

Misplaced trustworthiness?

iamniels•15m ago

We need better OSes such that signing of software is not required to keep your computer safe.

speedgoose•27m ago

It's perhaps naive, but could he create a new organisation, like a "TotallyNotVeraCrypt" French loi 1901 association, at a different address, and create a new microsoft account by making sure it passes all the requirements.

orbital-decay•3m ago

That's what VeraCrypt is, a fork of the original TrueCrypt after all drama, security doubts, and eventual discontinuation. It took a long time and two independent audits to establish trust in it.

RandomGerm4n•19m ago

That's especially ridiculous because this whole security mechanism that Microsoft is forcing on Windows user doesn't even work. There are tons of leaked certificates and on forums dedicated to game hacking you can find guides on how to get your hands on one yourself. People there use them to write kernel drivers for cheating in games. Game developers often blacklist these in their anti-cheat software so that the game no longer launches on a computer using a driver with that certificate. Microsoft however does not do this and malware developers can then simply use the certificates for their own purposes. So all this nonsense is basically just a restriction on regular users and honest developers while the “bad guys” can get around it.

shelled•14m ago

I am somewhat also concerned that this software was still being distributed on SourceForge.

_s_a_m_•11m ago

Microsoft doing everything in their power to be assholes, as always

krylon•1m ago

As much as I like bashing Microsoft, never underestimate people's capacity for incompetence, especially where large organizations are involved. I don't see how they would gain anything from this move.

C's Biggest Mistake

What "Open" Means: Abliterating Gemma 4 in 24 Minutes

VR Undermines the Laws of the Internet

The World Needs More Software Engineers

ELI: Programming with Arrays [pdf]

Fairwords NPM packages compromised by credential worm stealing tokens and

I've Sold Out

Your data stack is about to get a lot more contributors

Lunar Gateway or Moon Direct? (2019)

Show HN: The 323, a 32-bit computer in Conway's Game of Life

Make Every Click Count with Real-Time Personalization

Mario and Earendil

Volunteers turn a fan's recordings of 10K concerts into an online treasure trove

Grokking the MariaDB test runner (MTR)

Apple is running out of A18 Pro chips for the MacBook Neo

Active Incident with Atlassian Services

Developing Creative Identity

Show HN: Rootcx.com – open-source AI agents and internal software

Hindsight Simulator: Go back in time and get rich

OpenAI Doubling Down on Text Models, Shifting Strategies to Superapp Plan

Show HN: SharpSkill – We built the future of AI coding interviews

AI-Ready Modular Data Center Slashes Deployment Time

Aether – Auto-extract entities and build a knowledge graph from any URL

Passgen-Moz

The Git Commands I Run Before Reading Any Code

Is Entire.io hype or is it the future of GitHub?

Failing the Fix (2026): Grading laptop and cell phone companies on fixability

Škoda DuoBell: A bicycle bell that penetrates noise-cancelling headphones

UK's grand plan to fuel AI with public data faces uphill battle

I made this to enhance the surfing experience