1 Moderate, 3 low, 2 N/A-severity issues.
Make sure to update Picocrypt!
Should mention this audit on the website too @redoomed1 @jonah
He said he fixed most issues in the latest version and the others aren't all that problematic. Picocrypt is finally getting a security audit! Follow progress here. · Issue #32 · Picocrypt/Picocrypt · GitHub
However, the report itself states that they should try to get re-tested to ensure these fixes didn't result in additional vulnerabilities.
Unless you have (another) $3k to spare, I don't think a retest is practical
The changes are minor and logical - I don't think a retest is needed.
I see what you mean, apparently open source code and skills in understanding it throws off a lot of issues, discussions on GitHub and open dialog contribute to this.
I would like to draw your attention to the fact that this community is developing, growing, quite predictable and logical scenario is an increase in the number of users with starting knowledge, let's say newbies.
Most of them have not yet discovered registering on GitHub, it will be too early for them to engage in dialogs there, they will be able to understand the code only later.
If you want your product to get the coverage it deserves and due, acceptance, word of mouth.
It would be nice, and I'm speaking respectfully now, not to give the audit a chance to add a spoonful of tar to the honey barrel.
As for the financial question.
It may be reasonable in some cases to allow the community to support the project in the format of a
"donation section for upcoming audits selected by Privacy Guides"
(this is a very raw idea, improvisation)
Hey Evan, thanks for the audit
Is there an updated picocrypt paranoid pack with the changes - mainly interested in the added Rand.Read()? Where would I find it, the new repo under Picocrypt, or your old repo?
And for PCC -003, would there be a way to check if an existing encrypted file suffered from a trivial key error?
Thanks
I agree. I support FOSS, and if the software maintainers of a project need a security audit (for security critical software) and are community driven, I'll throw down some money.
Am helping a group of seniors with basic Digital Security needs and have recommended Picocrypt for saving backup codes locally.
I have a person who is not able to download the macOS version … says it's broken … He is using a small MacBook, but I don't know the version yet …
Do you have any suggestions ?
On the site it mentions using a scrypt but my understanding was not for this issue.
No issues with everyone else …
Thanks
I just checked the download link for macOS and it works for me, are you sure he checked the right website? The link is here: GitHub - Picocrypt/Picocrypt: A very small, very simple, yet very secure encryption tool.
It's not broken, they haven't been reading the description most likely:
If they have an old Intel Mac they need to go here:
Hello Valynor,
This is the screenshot, related to the damaged file downloaded from GitHub on an older Mac and a new iMac …
I wish instructions on these damned sites were better made for mere mortals and not just programmers …
there is a list of files to download for Mac with no explanation …
Most of the time I would just keep walking from such sites but I really like this little app and am using to teach to seniors … please help me here !
Thanks
Old INTEL macs need this file:
https://github.com/HACKERALERT/Picocrypt/releases/download/1.34/Picocrypt-x86_64.dmg
New APPLE SILICON macs need this one:
https://github.com/Picocrypt/Picocrypt/releases/download/1.43/Picocrypt.dmg
You install this like any other macOS .dmg file, just double click it and drag to Apps folder.
The dev did not pay Apple to sign the app so in both cases you need to follow these instructions directly after the install:
You need to manually trust the app from a terminal:
xattr -d com.apple.quarantine /Applications/Picocrypt.app
^Open the terminal app and copy&paste this command. It takes Picocrypt out of "quarantine" and the app will run normally after that.
Any mobile client in the future? Is that even possible? Sorry, laymen here.
It can, but for small files.
Thank you again for your help ...
I followed your instructions, and on a new iMac, the same issue occurred in spite of using the command in the Terminal after downloading from the proper link you have sent ...
See screenshot ...
ML
They must be doing something wrong.
I'm using Picocrypt myself, I had to do the command-line thing too and it works fine.
"Works on my machine©"
Hello again Valynor,
I downloaded from the link you gave me onto a new iMac.
Usually when an app like this is downloaded, the app itself shows up beside an Applications folder icon, on the Desktop and with the arrow pointing, you drag it over and that's the end of the story. In this case that did not happen, so I did it manually and the Picocrypt app then was put in the Applications folder.
I enacted the command line code, and the first time it didn't work, because I did it before Picocrypt was inside the Applications folder. Once I did that, the command line code went through, because there were no error messages as previously.
I then double clicked on the app, which was on his desktop and the same " broken message " came up, with the directive to drop this hot potato into the trash ! ( same screenshot as before ), so didn't add a new one
So, that's where I am at today. What now brown cow ? And now I have a lineup of people with the same issue !
Respectfully,
ML
Please read this article:
macOS Sequoia changed some things about unnotarized apps.
Picocrypt is not broken despite what the screenshot says, this is just the OS being (somewhat) overly protective.
I installed Picocrypt before the update to Sequoia so for me just entering that command line worked. It appears you might have to allow the app in system settings manually, too.
Thank you for your help AND your patience !!
Good Sunday to you …
ML
A new version of Picocrypt is out, here's how I installed it:
-double clicked the .dmg file
-manually dragged the .app into the Applications folder
-double clicked the .app … got the error popup
-opened the Terminal and pasted
xattr -d com.apple.quarantine /Applications/Picocrypt.app
and pressed enter
-Picocrypt now works for me