
Checksum fails for chocolatey package v0.31.1 & triggers alert for embedded trojan in microsoft defender

Open dejoost opened this issue 2 years ago • 5 comments

Describe the bug

Got this error when trying to install on Windows 10, possibly Windows Defender is altering the file due to a false? positive on trojan: Trojan:Script/Oneeva.A!ml in file: C:\Users___\AppData\Local\Temp\chocolatey\flux\0.31.1\flux_0.31.1_windows_amd64.zip

error:

Downloading flux 64 bit from 'https://github.com/fluxcd/flux2/releases/download/v0.31.1/flux_0.31.1_windows_amd64.zip'
Progress: 100% - Completed download of C:\Users\Joost\AppData\Local\Temp\chocolatey\flux\0.31.1\flux_0.31.1_windows_amd64.zip (15.05 MB).
Download of flux_0.31.1_windows_amd64.zip (15.05 MB) completed.

Unhandled Exception: System.IO.IOException: Operation did not complete successfully because the file contains a virus or potentially unwanted software.

   at System.IO.__Error.WinIOError(Int32 errorCode, String maybeFullPath)
   at System.IO.FileStream.Init(String path, FileMode mode, FileAccess access, Int32 rights, Boolean useRights, FileShare share, Int32 bufferSize, FileOptions options, SECURITY_ATTRIBUTES secAttrs, String msgPath, Boolean bFromProxy, Boolean useLongPath, Boolean checkHost)
   at System.IO.FileStream..ctor(String path, FileMode mode, FileAccess access, FileShare share)
   at checksum.Program.Main(String[] args)
ERROR: Checksum for 'C:\Users\xxxx\AppData\Local\Temp\chocolatey\flux\0.31.1\flux_0.31.1_windows_amd64.zip' did not meet '85C4B7D47DC081CAEEF31F3FCED20D25FE3FCCFB8ABB061C97131B9F8FC02043' for checksum type 'SHA256'. Consider passing the actual checksums through with --checksum --checksum64 once you validate the checksums are appropriate. A less secure option is to pass --ignore-checksums if necessary.
The install of flux was NOT successful.
Error while running 'C:\ProgramData\chocolatey\lib\flux\tools\chocolateyinstall.ps1'.
 See log for details.

Chocolatey installed 0/1 packages. 1 packages failed.
 See the log for details (C:\ProgramData\chocolatey\logs\chocolatey.log).

Steps to reproduce

choco install flux

Expected behavior

flux correctly installed

Screenshots and recordings

No response

OS / Distro

windows 10

Flux version

v0.31.1

Flux check

NA

Git provider

No response

Container Registry provider

No response

Additional context

No response

Code of Conduct

  • [X] I agree to follow this project's Code of Conduct

dejoost, Jun 16 '22 14:06

Please file an issue in https://github.com/JimPruitt/chocolatey-packages, which is the source of the Chocolatey package. Once we publish a binary, the things Windows (or the package manager) does with it are out of our control.

hiddeco, Jun 17 '22 11:06

I get the same if I download https://github.com/fluxcd/flux2/releases/download/v0.31.1/flux_0.31.1_windows_amd64.zip directly (i.e. the issue is with the release, not the Chocolatey package)

earldata, Jun 20 '22 12:06

> I get the same if I download https://github.com/fluxcd/flux2/releases/download/v0.31.1/flux_0.31.1_windows_amd64.zip direct (ie issue is with the release, not the chocolatey package)

Same here. The defender link is https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=Trojan%3aScript%2fOneeva.A!ml&threatid=2147729349

rnett, Jun 24 '22 18:06

v0.31.2 doesn't trigger this (note it's not on Chocolatey yet), and VirusTotal says it's clean.

rnett, Jun 24 '22 18:06

This is an old issue with Go binaries: various antivirus solutions get confused, especially if you embed cryptographic packages like Age and OpenPGP, which are used in ransomware. I would close this issue as there is nothing we can do about it.

stefanprodan, Jun 25 '22 12:06
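
An added example, not part of the issue thread or of Chocolatey's or Flux's code: a small Python triage of Chocolatey output like that quoted in the first post, which separates a checksum failure preceded by an antivirus read block from one where no such block was logged. It assumes, from the stack trace, that the checksum helper failed while opening the file; `triage` and the cause labels are hypothetical names.

```python
import re

# Message text of the IOException quoted in the issue's log.
AV_BLOCK_MSG = "file contains a virus or potentially unwanted software"
# Frame showing that the exception came from Chocolatey's checksum helper.
HELPER_FRAME = "checksum.Program.Main"
MISMATCH_RE = re.compile(
    r"Checksum for '(?P<path>[^']+)' did not meet "
    r"'(?P<expected>[0-9A-Fa-f]+)' for checksum type '(?P<algo>\w+)'"
)

# Excerpt of the output quoted in the issue (stack trace shortened).
ISSUE_LOG = r"""
Unhandled Exception: System.IO.IOException: Operation did not complete successfully because the file contains a virus or potentially unwanted software.
   at System.IO.FileStream..ctor(String path, FileMode mode, FileAccess access, FileShare share)
   at checksum.Program.Main(String[] args)
ERROR: Checksum for 'C:\Users\xxxx\AppData\Local\Temp\chocolatey\flux\0.31.1\flux_0.31.1_windows_amd64.zip' did not meet '85C4B7D47DC081CAEEF31F3FCED20D25FE3FCCFB8ABB061C97131B9F8FC02043' for checksum type 'SHA256'.
"""

# Constructed contrast case: same error line, no antivirus exception before it.
CONSTRUCTED_LOG = r"""
ERROR: Checksum for 'C:\temp\example.zip' did not meet 'DEADBEEF' for checksum type 'SHA256'.
"""


def triage(log_text):
    """Return one finding per checksum failure, with the likely cause."""
    findings = []
    av_blocked = helper_crashed = False
    for line in log_text.splitlines():
        av_blocked = av_blocked or AV_BLOCK_MSG in line
        helper_crashed = helper_crashed or HELPER_FRAME in line
        match = MISMATCH_RE.search(line)
        if not match:
            continue
        finding = match.groupdict()
        # If the file could not be opened, no hash was ever computed, so the
        # "did not meet" line says nothing about the file's real contents.
        finding["cause"] = "av-blocked-read" if av_blocked else "hash-mismatch"
        finding["helper_crashed"] = helper_crashed
        findings.append(finding)
        av_blocked = helper_crashed = False  # reset for the next package
    return findings


if __name__ == "__main__":
    for name, log in (("issue", ISSUE_LOG), ("constructed", CONSTRUCTED_LOG)):
        for f in triage(log):
            print(name, f["cause"], f["algo"], f["expected"], f["path"])
```

For an `av-blocked-read` finding, the checksum has to be re-verified on a copy of the archive that can actually be read before drawing any conclusion about the release itself.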