sylikc / jpegview

Fork of JPEGView by David Kleiner - fast and highly configurable viewer/editor for JPEG, BMP, PNG, WEBP, TGA, GIF and TIFF images with a minimal GUI. Basic on-the-fly image processing is provided, allowing adjustment of typical parameters such as sharpness, color balance, rotation, perspective, contrast and local under-/overexposure.

Request for comments: "Secure" releases - Any idea on how to resolve False positives on VirusTotal #113

Open sylikc opened 1 year ago

sylikc commented 1 year ago

So, I was perusing Reddit links about JPEGView and I noticed that there are a few mentions that 1.0.40 was reported to be a virus in 7z form, but when someone re-zip'd it up, it was fine. Anyone have experience with this?

I'm thinking that now that there are regular "nightlies" built, and that the interest is picking up again, people would inevitably copy the source and possibly make modified installers, some of which are good, others are ... well, not so good.

What's the "industry" standard way that's widely accepted? I have seen lots of .sig files for releases of other projects... but I am still debating the best approach so people know what releases they're getting.

pureby commented 1 year ago

Yes, virus false-positives for non-signed software is sadly an obstacle for free software distribution sometimes.

The easiest method to ensure your users are getting the official, unmodified packages is probably to simply publish SHA-256 checksums for installer/exe/zip/7z in the release notes on GitHub (or in a complementary checksums.txt file). Then simply include (a reference to) those checksums in README, on your website, and in package description in every repo you publish to.

Of course, this way you leave it up to the user to download the software from official sources and to do the referencing. But if you publish official versions to Winget, Chocolatey, Scoop, PortableApps, etc., at least you made your best effort to make your software easily accessible through popular repositories, and you provide users with a bulletproof way to quickly verify file integrity if so needed. Plus, it does not cost a penny.
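Worked example of the checksums.txt approach described above, added here and not part of this thread or the JPEGView project: the publisher side writes the file in the sha256sum format, the user side verifies a download directory against it and reports each entry as ok, mismatch or missing. File names and contents are constructed placeholders, not real release artifacts.

```python
import hashlib, hmac, os, tempfile
CHUNK = 1 << 20  # hash in 1 MiB pieces so a large installer is never read whole into memory

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()

def write_checksums(release_dir, names, out_name="checksums.txt"):
    """Publisher side: write '<sha256>  <filename>' lines (sha256sum format) for the release files."""
    lines = [f"{sha256_file(os.path.join(release_dir, n))}  {n}" for n in sorted(names)]
    out_path = os.path.join(release_dir, out_name)
    with open(out_path, "w", encoding="ascii", newline="\n") as f:
        f.write("\n".join(lines) + "\n")
    return out_path

def verify_checksums(download_dir, checksums_path):
    """User side: {name: 'ok' | 'mismatch' | 'missing'}; malformed lines or names with path parts raise."""
    result = {}
    with open(checksums_path, "r", encoding="ascii") as f:
        for lineno, line in enumerate(f, 1):
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            parts = line.split(None, 1)
            if len(parts) != 2:
                raise ValueError(f"{checksums_path}:{lineno}: malformed line")
            expected, name = parts[0].lower(), parts[1].lstrip("*")  # '*' = sha256sum binary mode
            # reject a bad digest and any name that could point outside download_dir (e.g. '../x')
            if len(expected) != 64 or set(expected) - set("0123456789abcdef") or os.path.basename(name) != name:
                raise ValueError(f"{checksums_path}:{lineno}: bad digest or filename")
            path = os.path.join(download_dir, name)
            result[name] = ("missing" if not os.path.isfile(path)
                            else "ok" if hmac.compare_digest(sha256_file(path), expected) else "mismatch")
    return result

def demo():
    """Constructed release: three fake artifacts, one tampered with after publication, one never downloaded."""
    names = ["JPEGView_setup.exe", "JPEGView_portable.7z", "JPEGView_src.zip"]
    with tempfile.TemporaryDirectory() as d:
        for n in names:
            with open(os.path.join(d, n), "wb") as f:
                f.write(b"constructed bytes for " + n.encode())
        chk = write_checksums(d, names)
        with open(os.path.join(d, names[1]), "ab") as f:
            f.write(b"\x00")  # modified after the checksums were published (a re-packed archive)
        os.remove(os.path.join(d, names[2]))  # the user never downloaded this one
        return verify_checksums(d, chk)
```

The same checksums.txt can be checked with `sha256sum -c checksums.txt` on Linux or `Get-FileHash` on Windows, which is why the sha256sum line format is worth keeping.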

pureby commented 1 year ago

Another idea just came to mind: since you have already improved the application significantly, and from what I can read in your posts you are re-thinking a lot of the defaults and settings, and there is even a totally new visual enhancement coming up, why not release the next major update (any time in the future) under a new name, something like JPEGview 2 or JPEGview Silk?

This will give you the benefit of discoverability from people searching for JPEGView and at the same time distinguish your product from the abandoned version (and other forks).

(Please excuse me for the wordplay on your username, it's just something that came to mind when thinking of an easy app name).