Is it possible for someone to modify keepass code, recompile and make it available for free download?

Question

I am concerned about the possibility to download a fake keepass upgrade.

If possible this would allow many ways to get private data on keepass files!

For example, keepass hacked or modified code could send the kbdx file by ftp to a server in China or in Crimea! Or hacked keepass could send the kbdx file attached in email in a thank you note to keepass developers...

Is this possible?

Yes it's possible. It happened to FileZilla earlier this year. — Adi, Mar 26 '14 at 14:05

score 5 · Answer 1 · answered Oct 30 '15 at 10:51

To reduce the risk you can

double check the source of your download (webiste url, https etc)
verify the download with his keyprint (provided by the author).

"KeePass can be downloaded from many mirror servers. If you want to check if the offered files are verified by the KeePass authors (i.e. official and original files), you can hash the downloaded file using the hash computation utility of your choice (you can try one of these utilities: Visual Hash Calculator, ReHash, MD5sums) and see if the hashes match."
http://keepass.info/integrity.html

On keepass.info download page you will find (at the bottom) the links to do that: Hash Sums Verifying your download: Hash Sums, OpenPGP Signatures, .NET Public Keys

Is it possible for someone to modify keepass code, recompile and make it available for free download?

1 Answers1