flux2
flux2 copied to clipboard
Checksum fails for chocolatey package v0.31.1 & triggers alert for embedded trojan in microsoft defender
Describe the bug
got this error when trying to install on windows 10, possibly windows defender is altering the file due to afalse? positive on trojan: Trojan:Script/Oneeva.A!ml in file: C:\Users___\AppData\Local\Temp\chocolatey\flux\0.31.1\flux_0.31.1_windows_amd64.zip
error: Downloading flux 64 bit from 'https://github.com/fluxcd/flux2/releases/download/v0.31.1/flux_0.31.1_windows_amd64.zip' Progress: 100% - Completed download of C:\Users\Joost\AppData\Local\Temp\chocolatey\flux\0.31.1\flux_0.31.1_windows_amd64.zip (15.05 MB). Download of flux_0.31.1_windows_amd64.zip (15.05 MB) completed.
Unhandled Exception: System.IO.IOException: Operation did not complete successfully because the file contains a virus or potentially unwanted software.
at System.IO.__Error.WinIOError(Int32 errorCode, String maybeFullPath) at System.IO.FileStream.Init(String path, FileMode mode, FileAccess access, Int32 rights, Boolean useRights, FileShare share, Int32 bufferSize, FileOptions options, SECURITY_ATTRIBUTES secAttrs, String msgPath, Boolean bFromProxy, Boolean useLongPath, Boolean checkHost) at System.IO.FileStream..ctor(String path, FileMode mode, FileAccess access, FileShare share) at checksum.Program.Main(String[] args) ERROR: Checksum for 'C:\Users\xxxx\AppData\Local\Temp\chocolatey\flux\0.31.1\flux_0.31.1_windows_amd64.zip' did not meet '85C4B7D47DC081CAEEF31F3FCED20D25FE3FCCFB8ABB061C97131B9F8FC02043' for checksum type 'SHA256'. Consider passing the actual checksums through with --checksum --checksum64 once you validate the checksums are appropriate. A less secure option is to pass --ignore-checksums if necessary. The install of flux was NOT successful. Error while running 'C:\ProgramData\chocolatey\lib\flux\tools\chocolateyinstall.ps1'. See log for details.
Chocolatey installed 0/1 packages. 1 packages failed. See the log for details (C:\ProgramData\chocolatey\logs\chocolatey.log).
Steps to reproduce
choco install flux
Expected behavior
flux correctly installed
Screenshots and recordings
No response
OS / Distro
windows 10
Flux version
v0.31.1
Flux check
NA
Git provider
No response
Container Registry provider
No response
Additional context
No response
Code of Conduct
- [X] I agree to follow this project's Code of Conduct
Please file an issue in https://github.com/JimPruitt/chocolatey-packages, which is the source of the Chocolatey package. Once we publish a binary, things Windows (or the package manager) does with it is out of our control.
I get the same if I download https://github.com/fluxcd/flux2/releases/download/v0.31.1/flux_0.31.1_windows_amd64.zip direct (ie issue is with the release, not the chocolatey package)
I get the same if I download https://github.com/fluxcd/flux2/releases/download/v0.31.1/flux_0.31.1_windows_amd64.zip direct (ie issue is with the release, not the chocolatey package)
Same here. The defender link is https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=Trojan%3aScript%2fOneeva.A!ml&threatid=2147729349
v0.31.2 doesn't trigger this (note it's not on chocolaty yet), and VirusTotal says it's clean.
This is an old issue with Go binaries, various antivirus solutions get confused especially if you embed cryptographic package like Age and OpenPGP which are used in ransomware. I would close this issue as there is nothing we can do about it.