* Update Language.ro.xml
1. Made some more corrections.
2. Also on line 1543 there is an 'Options >' > ... I did not find anywhere 'Options >' is this maybe about key="IDC_MOUNT_OPTIONS">Mount Opti&ons...</entry>
* Update Language.ro.xml
* Update Language.ro.xml
Final edit
Prefer sudo when available and fall back to doas on Unix. Run doas authentication through a PTY while keeping service communication on stdin/stdout pipes, and use a no-fork service mode for the doas path.
Keep doas authentication terminal descriptors close-on-exec and close the slave descriptor after attaching it as the controlling terminal. Preserve startup diagnostics through stderr until service synchronization completes, then redirect no-fork service stderr away from the closed parent pipe.
Use noninteractive privilege-helper auth checks for both sudo and doas so cached, nopass, or persisted sessions do not need an unnecessary VeraCrypt password prompt. Keep the PTY password path for doas when authentication is required.
Use a shared Unix DOAS_USER helper for FUSE and mount ownership, backed by getpwnam_r and guarded so non-OpenBSD platforms only trust it for VeraCrypt's internal doas no-fork service path. Detach asynchronous child-reaper threads to avoid leaking joinable pthread handles.
Keep the historical auto-mount behavior as the first attempt when the user did not request a filesystem type. If that mount fails on Linux, detect the filesystem with blkid and retry only for FAT-family types that minimal mount implementations may not auto-probe.
Leave explicit filesystem types and NTFS kernel-driver resolution unchanged.
CoreMacOSX::CheckFilesystem() ignored both its mountedVolume and repair
arguments and always just launched Disk Utility.app, so the "Check
Filesystem" and "Repair Filesystem" menu items behaved identically and
neither acted on the mounted volume. On Linux/BSD the same operation runs
fsck and honors the flag (passing -n only when repair is false).
Run diskutil on the VeraCrypt virtual device, choosing verifyVolume or
repairVolume per the flag (diskutil unmounts the inner filesystem itself
as needed). The Core layer has no GUI, so the result is shown in a
Terminal window via a temporary .command script; it falls back to
launching Disk Utility.app when no virtual device is available.
Run the macOS check in the unprivileged application process. VeraCrypt does
not need to create or launch the helper script from the elevated core
service: diskutil operates on the mounted virtual device and macOS handles
any device authorization requirements. Once a device-hosted mount has
started the elevated core service, every later service request is routed to
that root process. There it would create the helper script as root (0700)
and open a Terminal in the GUI session that the user could neither read nor
execute. CoreServiceProxy::CheckFilesystem now invokes the core
implementation directly on macOS instead of sending a service request, so
the script is always owned by the GUI user.
The device path is strictly validated as /dev/[r]diskN[sM] before being
single-quoted into the command. The helper script is created securely in
the per-user temp directory via mkstemps() (atomic O_EXCL/0600, fchmod
0700 by descriptor, close() checked for deferred write errors, unlinked on
any failure) rather than at a predictable, enumerable path in the
world-writable /tmp, guarding against a symlink/race on the executed
script. A trap removes the script on exit even if the window is closed
early, and it is also unlinked if launching Terminal fails. The script
captures $? so diskutil's result, including failures, is shown before the
script exits.
Replace the macOS pre-check message (which still told the user Disk
Utility would open and to pick Verify/Repair manually) with check- and
repair-specific text describing the new automatic diskutil flow.
Seed the two new strings into all translation files with the English
text so the XML key-completeness check passes; localization can follow.
Co-authored-by: Damian Rickard <damian@rickard.us>
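The temp-script handling described in the commit message above, as an added example that is not VeraCrypt's own code. `CreateHelperScript` and `kSampleBody` are hypothetical names, the script text and `/dev/disk4` are constructed, and the device path is assumed to have already passed the strict `/dev/[r]diskN[sM]` check.

```cpp
// Added example, not VeraCrypt source; all names here are hypothetical.
#include <cerrno>
#include <string>
#include <vector>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

// Constructed sample body: self-removing on exit, reports diskutil's status.
const std::string kSampleBody =
    "#!/bin/sh\n"
    "trap 'rm -f \"$0\"' EXIT\n"
    "diskutil verifyVolume '/dev/disk4'\n"
    "rc=$?; echo \"diskutil exit status: $rc\"\n"
    "exit $rc\n";

// Creates <dir>/vc-XXXXXX.command holding `body`, mode 0700, owned by caller.
// Returns the path, or an empty string on failure with nothing left behind.
std::string CreateHelperScript(const std::string &dir, const std::string &body)
{
    std::string tmpl = dir + "/vc-XXXXXX.command";
    std::vector<char> path(tmpl.begin(), tmpl.end());
    path.push_back('\0');
    // mkstemps() opens with O_CREAT|O_EXCL and mode 0600, so it never
    // follows or reuses a file or symlink already present at that name.
    int fd = mkstemps(path.data(), 8); // 8 == strlen(".command")
    if (fd == -1)
        return std::string();
    bool ok = true;
    size_t off = 0;
    while (ok && off < body.size())
    {
        ssize_t n = write(fd, body.data() + off, body.size() - off);
        if (n > 0) off += static_cast<size_t>(n);
        else if (!(n == -1 && errno == EINTR)) ok = false;
    }
    // Set the mode through the descriptor, not the path.
    ok = ok && fchmod(fd, 0700) == 0;
    // close() can surface a deferred write error; treat it as failure.
    if (close(fd) != 0) ok = false;
    if (!ok)
    {
        unlink(path.data());
        return std::string();
    }
    return std::string(path.data());
}
```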
On macOS, Process::FindSystemBinary() searched /usr/local/bin first, so a
user-writable /usr/local/bin (the default on Homebrew installs) could
shadow system tools.
This resolver is also used to locate privileged binaries during privilege
elevation: CoreService.cpp resolves "sudo" (and "true") through it both
when probing for an active sudo session and when launching the elevated
helper, and the admin password is written to that sudo process's stdin.
On a typical Homebrew install /usr/local is owned by the (non-root) user,
so a planted /usr/local/bin/sudo would be selected ahead of /usr/bin/sudo
and could capture the admin password, leading to privilege escalation.
Reorder the macOS list to {/usr/bin, /bin, /usr/sbin, /sbin,
/usr/local/bin} so system locations always win. The binaries actually
resolved through this function on macOS (sudo, true, fsck, the terminal
helper used for filesystem checks and its dependencies, and non-APFS
formatters) live in system directories, so /usr/local/bin is kept only as
a last-resort fallback and can no longer shadow them. (diskutil, hdiutil
and newfs_apfs are invoked via absolute paths and were never affected.)
Co-authored-by: Damian Rickard <damian@rickard.us>
Persist a macOS-only preference for disabling wx content protection while keeping protection enabled by default.
Add a Preferences checkbox that reuses IDC_DISABLE_SCREEN_PROTECTION and reapply the protection state after preference changes.
Apply content-protection updates to all current top-level wx windows so changing the preference while a modal dialog is active does not leave the main frame or other windows with stale protection state.
Separate sudo authentication success from elevated request execution state by acknowledging when the elevated core service starts successfully.
Once that channel is available, propagate later failures instead of showing repeated administrator password dialogs. Initialize the sudo dummy-password flag consistently on macOS, avoiding an uninitialized read of UseDummySudoPassword.
Register admin-password cleanup before elevation attempts so plaintext sudo credentials are erased on early-return and post-sudo failure paths.
References #1788.
Normalize menu separators in language XML files
Replace raw > characters in language entry text with the XML entity &gt;,
and normalize remaining -> menu separators to > for consistency with the
existing language files.
The runtime text remains unchanged for escaped > characters because the
language parsers decode XML entities when loading strings.
Do not package veracrypt-symbolic.svg under hicolor symbolic icons, as KDE may prefer it for AppIndicator tray items and render a black monochrome icon.
Remove the obsolete symbolic icon during generic installer upgrades and refresh the hicolor icon cache after install or uninstall cleanup.
Validate SecureBoot firmware data before trusting fallback selection and mark the unsupported-db helper as noreturn.
Record unsupported Secure Boot db refusals in EFI loader diagnostics, and avoid stale rescue-disk prompts after a refusal.
Reuse the central EFI loader selection policy for elevated signing-support checks instead of duplicating fallback/refusal logic.
Translate unsupported Secure Boot db failures across elevation without duplicate generic dialogs, surface stored-PIM refresh failures, and log unattended loader update failures.
Favorite auto-mount on arrival could repeatedly report an unavailable drive letter when the configured letter was occupied by a non-VeraCrypt device. Classify this case before entering the mount path and use a non-modal notification during arrival scans.
Track letter conflicts separately from successfully mounted arrival favorites so a failed mount is suppressed while the host remains connected without being treated as mounted, and without triggering a delayed mount just because the letter is later freed.
Snapshot the arrival favorites list before mount attempts because modal UI can process device-change messages that reload favorites. Also fix a device-removal pointer typo that advanced the broadcast-volume pointer instead of the mounted-volume path.
Skip desktop/MIME cache refresh for console installers, where no desktop integration files are installed.
Guard update-mime-database and update-desktop-database calls so minimal systems without desktop-file-utils do not print post-install errors.
Apply the same best-effort cache refresh behavior to FreeBSD generic scripts for parity.
Also fix the FreeBSD uninstall script to remove the per-resolution PNG icons from /usr/local/share/icons, matching where they are installed.
Detect whether the active firmware Secure Boot db trusts the Microsoft Corporation UEFI CA 2011 before selecting the 2011-signed EFI loader set.
Abort with a clear diagnostic when Secure Boot is enabled but neither the 2011 CA nor the required 2023 CA pair is trusted, and document the CA requirements.
Preserve positive CA detection when malformed db data appears only after a supported Microsoft CA set has already been found, while recording the parse error in diagnostics.
Refs #1778.
Install staged /usr child directories by merging their contents into existing destination directories instead of replacing them. This preserves /usr/sbin symlinks to bin on merged-/usr distributions while keeping traditional layouts working.
Fixes issue: https://github.com/veracrypt/VeraCrypt/issues/1764
The hdiutil `-plist` output used for mount/dismount device discovery
(MountAuxVolumeImage and UpdateMountedVolumeInfo) was parsed with a
hand-rolled string scanner that assumed the value always follows the
requested key and that <key>/<string> pairs appear in a fixed order.
Replace it with the CoreFoundation property-list API
(CFPropertyListCreateWithData + dictionary/array navigation), which is
correct by construction and robust to hdiutil output ordering/variation.
An RAII helper (CFHolder) ensures CFRelease on every path.
Behavior is preserved: prefer the system-entity that carries a
mount-point, otherwise fall back to the first dev-entry, and match disk
images by normalized image-path. CoreFoundation is already linked on
macOS (via Cocoa), so no build changes are needed.
Verified end-to-end on Apple Silicon: mounting parses `hdiutil attach`
output and dismount parses `hdiutil info` output correctly.
Co-authored-by: Damian Rickard <damian@rickard.us>
Record EFI bootloader resource set changes during PostOOBE refreshes and mark a machine-wide rescue disk reminder.
Show the reminder on VeraCrypt startup using the existing generic rescue disk prompt and Create Rescue Disk flow.
Accept Argon2 and Argon2id aliases through HashGetIdByName so Windows mount parsing matches volume creation. Update Windows command-line documentation in English, Russian, and Chinese, and rebuild the CHM user guides.
Keep Argon2 symbols internal unless explicitly exported so VeraCryptFormat.dll exposes only the SDK API.
Add Argon2id/BLAKE2b aliases for the SDK hash selector and update the public header comment to reflect the supported KDF/hash set.
* Honor --no-size-check when creating file containers via the CLI
The text-mode volume creation path clamps the maximum allowed volume
size to the available free disk space and never consults
ArgDisableFileSizeCheck, so the documented --no-size-check switch has no
effect when creating a file-hosted container with `--text --create`.
The flag is honored by the GUI wizard (Forms/VolumeSizeWizardPage.cpp)
but was missing from the text UI, making it impossible to create a
(sparse) container larger than the current free space from the command
line -- even though such a container is perfectly valid on filesystems
with sparse-file support (e.g. APFS, ext4, NTFS) and is exactly what the
flag exists to allow.
Skip the free-space clamp when --no-size-check is set, mirroring the GUI
behavior.
* Fix max volume size handling with no-size-check
Keep the max size sentinel and interactive max choice bounded by available disk space even when --no-size-check allows explicit sparse container sizes beyond the current free space.
---------
Co-authored-by: Damian Rickard <damian@rickard.us>
Co-authored-by: Mounir IDRASSI <mounir.idrassi@amcrypto.jp>
The privileged CoreService handler for SetFileOwnerRequest passed the
client-supplied path straight to chown() as root with no validation --
unlike the adjacent APFS formatter handler, which strictly validates its
device argument. Every legitimate macOS caller of the elevated
SetFileOwner targets a real disk device node (/dev/[r]diskN[sM]), so a
crafted IPC request, or a symlink planted at the target, could otherwise
make the root process change ownership of an arbitrary path.
Validate the target service-side: require the strict device-path form
already used by the formatter, and lstat() it to confirm a block or
character device (rejecting symlinks rather than following them) before
the chown.
Co-authored-by: Damian Rickard <damian@rickard.us>
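One way to implement the service-side check described above, which also covers the `/dev/[r]diskN[sM]` validation mentioned in the earlier CheckFilesystem commit. This is an added example, not VeraCrypt's own code: the function names are hypothetical and the grammar is read directly from the form given in the commit message.

```cpp
// Added example, not VeraCrypt source; function names are hypothetical.
#include <cctype>
#include <string>
#include <sys/stat.h>
#include <unistd.h>

// Consume one or more decimal digits starting at pos; false if none found.
static bool EatDigits(const std::string &s, size_t &pos)
{
    size_t start = pos;
    while (pos < s.size() && std::isdigit(static_cast<unsigned char>(s[pos])))
        ++pos;
    return pos > start;
}

// Strict match of /dev/[r]diskN[sM]; any extra byte anywhere is a reject,
// which rules out "..", quotes, spaces and shell metacharacters.
bool IsStrictDiskDevicePath(const std::string &path)
{
    const std::string prefix = "/dev/";
    if (path.compare(0, prefix.size(), prefix) != 0)
        return false;
    size_t pos = prefix.size();
    if (pos < path.size() && path[pos] == 'r')
        ++pos;
    if (path.compare(pos, 4, "disk") != 0)
        return false;
    pos += 4;
    if (!EatDigits(path, pos))
        return false;
    if (pos < path.size() && path[pos] == 's')
    {
        ++pos;
        if (!EatDigits(path, pos))
            return false;
    }
    return pos == path.size();
}

// lstat() does not follow a final symlink, so a link planted at the path
// shows up as S_IFLNK and is rejected instead of being dereferenced.
bool IsDeviceNode(const std::string &path)
{
    struct stat st;
    if (lstat(path.c_str(), &st) != 0)
        return false;
    return S_ISBLK(st.st_mode) || S_ISCHR(st.st_mode);
}

// Both conditions must hold before a privileged chown() is attempted.
bool IsSafeChownTarget(const std::string &path)
{
    return IsStrictDiskDevicePath(path) && IsDeviceNode(path);
}
```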
The Blake2b hash class (BLAKE2b-512) was fully implemented but never
registered in Hash::GetAvailableAlgorithms(), so it was absent from the
Random Pool Enrichment, Keyfile Generator and Benchmark dialogs on
Linux/macOS. In particular, when Argon2 is selected as the volume PRF,
the RNG pool hash is set to BLAKE2b-512, but the Random Pool Enrichment
dialog could neither display nor pre-select it, diverging from Windows
which offers BLAKE2b-512 in the same dialog.
Register Blake2b after Streebog (matching the Crypto.c PRF order). Its
64-byte digest divides RNG_POOL_SIZE (320), so the HashMixPool size
constraint holds, and blake2b.o is always built in non-wolfCrypt builds.
Also make Pkcs5Kdf::GetAlgorithm(const Hash&) Argon2-aware by removing
the unconditional skip of the Argon2 KDF, so a BLAKE2b-512 hash now maps
to the Argon2 KDF instead of throwing.