
Download flagged as trojan #40

Closed
haminhtrifree opened this issue Jun 5, 2024 · 3 comments
Comments

@haminhtrifree

VirusTotal shows your .exe download file as a trojan for 10+ scanning software, man.

@EchterAlsFake
Owner

EchterAlsFake commented Jun 5, 2024

Hi,

First of all, thanks for reporting this.

I've scanned the file too and for me 36 vendors flagged it as a trojan. I am shocked to be honest.

All my assets come directly from the GitHub CI/CD actions (except the Android packages). As you (hopefully) can see in the workflow, there are no modifications to the source code while the CI/CD actions are running.

If you don't trust me, we can go into a Discord call and I'll show you how I download the asset from the releases of April 28 (the release of Porn Fetch 3.3) and it will have the exact same hash as the releases shown in the downloads section.

I will investigate this issue and I will immediately contact Virustotal and ask them about this issue.

Please note that I take this ABSOLUTELY seriously...

Edit: (16:56 - 5th) I just sent an e-mail to VirusTotal. I'll post the result with a new commit as soon as I get an answer.

@EchterAlsFake
Owner

The response from VirusTotal:

"""
Hello Johannes,
Thank you for reaching out to us.
VirusTotal only aggregates data from a variety of vendors. We produce no verdicts of our own and as such, we can’t modify these results. We are not intended to be an authoritative reputation engine, but rather provide intelligence and context to users so that they can make the best decision. 1/60 and even 5/60 doesn’t automatically mean “Bad”, and 0/60 doesn't always mean good. Each decision on whether something is malicious is ultimately the responsibility of users or the security vendors who use the data to improve their services.
If you believe your file is being flagged incorrectly, you will need to reach out to the specific security vendors that are flagging it. You can find a list of vendor contacts and more information on our website:
https://docs.virustotal.com/docs/false-positive-contacts
Please note that we cache some scan results. If the vendors have confirmed removal but your file is still detected, please reach out to us along with evidence that the vendor has removed your file from their blacklist, as we may be able to speed up propagation.
You could also try re-uploading and scanning the file again.
"""

So, as you can see there's not much I can do, but I did some research and here are the things that will change.

  1. I will sign every uploaded asset file using PGP and the Windows SignTool.
  2. I will always activate commit signing, so that everyone can verify that a commit really comes from me.

(Like a hacker would need to get access to my AES-encrypted external SSD and then even get the password for the key.)

  3. I will analyze my files and check which specific parts got flagged by the antivirus software and I will try to use different code mechanisms.

The important part:

I will change the repository's workflow to make the release assets compiled by GitHub CI/CD publicly available. With this, everyone can verify the two hashes of the compiled file by GitHub (which is technically impossible for me to modify) and the uploaded file (which I could modify, but if the hashes match, it's clear that I didn't do this).

EchterAlsFake added a commit that referenced this issue Jun 7, 2024
EchterAlsFake added a commit that referenced this issue Jun 8, 2024
EchterAlsFake added a commit that referenced this issue Jun 8, 2024
- All new releases of Porn Fetch will now be built from source and be visible to everyone with their checksum

Checksum: SHA-512
@EchterAlsFake
Owner

Update:

I have now implemented a mechanism into the build scripts, so that every new release of Porn Fetch will be built from source and the compiled release will be visible to everyone. This will additionally also show the SHA-512 hash of every file.

With this everyone is able to 100% verify that I did NOT modify the files. This gives everyone who can read code a guarantee that the downloaded file is not modified by a third party.

Explanation:

The GitHub CI/CD actions are a separate virtual machine which allows a repository owner to automate tasks such as creating releases, merging pull requests or, in my case, compiling source code to a binary file. The script which creates this process is publicly available in my repository source code under ".github/workflows/".

While this workflow is running I am not able in any way to interact with it. This means that I can't change code or modify files on the system. So it's technically not possible for me to modify anything. The hash at the end for every file is digitally unique to this file. This means that if the hash of the compiled file by the GitHub CI/CD and the file which will be in my release match, then it's 100% the same in any way.
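A small verification script for the checksum mechanism described in the comments above (an added example, not part of Porn Fetch's build scripts or workflow). It assumes the CI job publishes `sha512sum`-style lines (`<hex digest>  <file name>`) and that the file name in that list matches the name of the downloaded asset.

```python
import hashlib
import hmac
import os
import tempfile


def sha512_of_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-512 so large release binaries need not fit in memory."""
    h = hashlib.sha512()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_checksums(text):
    """Parse sha512sum output: '<digest>  <name>' (or '<digest> *<name>' from sha512sum -b)."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.lstrip(" *")
        if len(digest) != 128 or any(c not in "0123456789abcdefABCDEF" for c in digest):
            raise ValueError(f"malformed SHA-512 digest for {name!r}")
        expected[name] = digest.lower()
    return expected


def verify_asset(path, expected):
    """True only if the asset is listed and its SHA-512 matches the CI-published digest."""
    name = os.path.basename(path)
    if name not in expected:
        return False  # an unlisted asset is treated as unverified, not as "unknown but fine"
    return hmac.compare_digest(sha512_of_file(path), expected[name])


def demo():
    """Constructed sample: a fake release asset, its CI checksum line, and a tampered copy."""
    with tempfile.TemporaryDirectory() as tmp:
        asset = os.path.join(tmp, "Porn_Fetch_demo.bin")
        with open(asset, "wb") as f:
            f.write(b"constructed release payload\n" * 1000)
        # The line a CI step like `sha512sum Porn_Fetch_demo.bin` would publish
        checksums = parse_checksums(f"{sha512_of_file(asset)}  Porn_Fetch_demo.bin\n")
        ok = verify_asset(asset, checksums)
        with open(asset, "ab") as f:  # simulate a post-build modification of the upload
            f.write(b"\x00")
        tampered = verify_asset(asset, checksums)
        unlisted = verify_asset(os.path.join(tmp, "other.bin"), checksums)
        return ok, tampered, unlisted
```

A matching digest shows the uploaded asset is byte-identical to what the workflow produced; it says nothing about whether the vendors' verdict on the compiled source is right or wrong.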
