Download flagged as trojan #40
Comments
Hi, first of all, thanks for reporting this. I've scanned the file too and for me 36 vendors flagged it as a trojan. I am shocked, to be honest. All my assets come directly from the GitHub CI/CD actions (except the Android packages). As you (hopefully) can see in the workflow, there are no modifications to the source code while the CI/CD actions are running. If you don't trust me, we can go into a Discord call and I'll show you how I download the asset from the releases of April 28 (the release of Porn Fetch 3.3) and it will have the exact same hash as the releases shown in the downloads section. I will investigate this issue and I will immediately contact VirusTotal and ask them about it. Please note that I take this ABSOLUTELY seriously... Edit (16:56, 5th): I just sent an e-mail to VirusTotal. I'll post the result with a new commit as soon as I get an answer.
The response from VirusTotal: """ So, as you can see there's not much I can do, but I did some research and here are the things that will change.
(Like a hacker would need to get access to my AES encrypted external SSD and then even get the password for the key)
The important part: I will change the repository's workflow to make the release assets compiled by GitHub CI/CD publicly available. With this, everyone can verify the two hashes of the compiled file by GitHub (which is technically impossible for me to modify) and the uploaded file (which I could modify, but if the hashes match, it's clear that I didn't do this).
- All new releases of Porn Fetch will now be built from source and be visible to everyone, with their checksum.
Checksum: SHA-512

Update: I have now implemented a mechanism into the build scripts so that every new release of Porn Fetch will be built from source and the compiled release will be visible to everyone. This will additionally show the SHA-512 hash of every file. With this, everyone is able to 100% verify that I did NOT modify the files. This gives everyone who can read code a guarantee that the downloaded file was not modified by a third party.

Explanation: The GitHub CI/CD actions are a separate virtual machine which allows a repository owner to automate tasks such as creating releases, merging pull requests or, in my case, compiling source code to a binary file. The script which creates this process is publicly available in my repository source code under ".github/workflows/". While this workflow is running I am not able in any way to interact with it. This means that I can't change code or modify files on the system. So it's technically not possible for me to modify anything. The hash at the end for every file is digitally unique to this file. This means that if the hash of the file compiled by the GitHub CI/CD and the file which will be in my release match, then it's 100% the same in every way.
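One way a user can actually perform the check described in the comment above (compare the downloaded asset against the SHA-512 the CI build published), written as an added example for this thread and not a script from the Porn Fetch repository. It assumes the published hashes are in `sha512sum` format (`<hex>  <filename>`, one line per asset); the file names used in the test are constructed.

```shell
#!/bin/sh
# Added example (not the project's own code): verify a downloaded release
# asset against the SHA-512 published by the CI/CD build.
# Assumption: the checksum file uses `sha512sum` format, "<hex>  <filename>".

# verify_asset FILE CHECKSUM_FILE
#   returns 0 if the computed hash matches the published one,
#           1 on mismatch (the file is not what the CI built),
#           2 if the checksum file has no entry for FILE's name.
verify_asset() {
    file="$1"
    sums="$2"
    name=$(basename "$file")

    # Look up the published hash for this file name (second column).
    expected=$(awk -v n="$name" '$2 == n { print $1; exit }' "$sums")
    if [ -z "$expected" ]; then
        echo "no SHA-512 entry for $name in $sums" >&2
        return 2
    fi

    # Hash the local download and compare with the published value.
    actual=$(sha512sum "$file" | awk '{ print $1 }')
    if [ "$actual" = "$expected" ]; then
        echo "OK: $name matches the published SHA-512"
        return 0
    fi

    echo "MISMATCH: $name does not match the published SHA-512" >&2
    echo "  published: $expected" >&2
    echo "  computed:  $actual" >&2
    return 1
}
```

A mismatch tells you only that the file you hold differs from what CI produced; it does not say whether the download, the upload or the hash list was altered, so treat it as a reason to discard the file rather than to guess.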
Virustotal shows your .exe download file as trojan for +10 scanning software man.