Hi Claudio,

Thank you for posting this in here, and sorry for trying to get you into
a discussion on a mailing list again (I'll CC you, as I understand
you're not currently subscribed).
Great, thanks! In what way is that Windows machine "auditable"? Isn't
it a third-party machine that we know little about? I'm also concerned
about the third-party link redirect service and third-party file
download hosting service (even if same company as the CI service where
we build these). Anyway, this is better than nothing for those
knowingly accepting the risk, so I've just added such links to:

https://openwall.info/wiki/john/custom-builds

Even though I didn't verify these downloads in any way (beyond my https
client checking the certificate's validity, which passed), I've just
added copies to:

https://download.openwall.net/pub/projects/john/contrib/windows/

which is linked not only from our wiki, but also from JtR homepage:

https://www.openwall.com/john/#contrib

Since the original filenames were non-informative, I've renamed the
files as follows:

mv win_x64.zip john-1.8.0.13-jumbo-b7eae75d7-win64.zip
mv lib_x64.zip john-1.8.0.13-jumbo-b7eae75d7-win64-libs.zip

My intent is to enable people to download this specific revision, which
will hopefully be reasonably usable for a while, without incurring the
risk of using third-party build, download, and link redirect services
for each additional download. (That risk would have been incurred just
once: when this specific build was made and when I downloaded it.)

Since my trust in these unofficial builds is limited, I am not
PGP-signing them. Unfortunately, this also means that if our server is
compromised, we might serve compromised downloads with no easy way for
users to detect that.

Ideally, we should be making builds that we could trust, and would be
willing to sign.
Most relevant is this comment:

https://github.com/magnumripper/JohnTheRipper/issues/3191#issuecomment-404051085

"arcfide commented on Jul 11

Okay, I got this fixed up. If you see claudioandre-br's comment, that's where ICD Vendor files are mentioned. He also gives a working example of a build that seems to work. I've got this working now on the current build.

It doesn't require any hard hacks, but I did figure out that the OpenCL drivers with Cygwin don't work without an ICD Vendor file. That means that there has to be a location to find such files. That means that the OpenCL support works on Windows if you run JtR from inside of a Cygwin installation.

To make this work for me on Windows, I installed Cygwin with OpenCL, and then created the /etc/OpenCL/vendors/nvidia.icd file that included the Cygwin path to nvopencl.dll mentioned above. After I did that, I ran JtR from inside of the Cygwin Terminal, which mounts and makes available the /etc/ directory. That has fixed things, and I can now see all of my devices and I can run JtR on the GPU with the appropriate speedups."

Claudio, I notice that your win_x64.zip includes:

33 08-09-18 18:42 etc/OpenCL/vendors/amd.icd
33 08-09-18 18:42 etc/OpenCL/vendors/nvidia.icd

BTW, somehow it also includes what's probably a left-over from testing:

99286 08-09-18 18:43 run/john.log
355 08-09-18 18:43 run/john.pot
Thanks. I also took this opportunity to add more links to your Ubuntu
snap package, which you also documented in there.

Alexander