zeux / meshoptimizer

Mesh optimization library that makes meshes smaller and faster to render
MIT License

gltfpack-windows.zip v0.21 identified as trojan by Windows #712

Closed wolfyllow closed 2 months ago

wolfyllow commented 2 months ago

I guess it's a false positive, but Windows identifies gltfpack-windows.zip from release v0.21 as a threat.

zeux commented 2 months ago

Fairly sure this is a false positive; these occasionally happen.

FWIW:

  1. gltfpack-windows.zip has MD5 438a7cb4582e908824f938ecda249b6d and SHA256 ef2e680c7a1bf8c4c4c8c4e72d875cbec20ca8052901a3a3e4986f4a9ff64e8a
  2. Here's a VirusTotal report for the same SHA256: https://www.virustotal.com/gui/file/ef2e680c7a1bf8c4c4c8c4e72d875cbec20ca8052901a3a3e4986f4a9ff64e8a - no AV detects any issues here.
  3. The releases are built directly on GitHub Actions (https://github.com/zeux/meshoptimizer/blob/master/.github/workflows/release.yml), this specific binary was built in this run https://github.com/zeux/meshoptimizer/actions/runs/9666824300
  4. The .zip files are uploaded without repackaging from GitHub, precisely to make sure there's a paper trail
  5. The builds (including build above) run on GitHub hosted infrastructure, so that's managed by Microsoft and presumably free of malware.

I've submitted the .zip file to Microsoft with a note that they are incorrectly classifying it. You can search github for the reported name here and there's a bunch of other projects that run into the same issue; I assume this specific signature is just broken in Defender.

zeux commented 2 months ago

FWIW I also don't see the issue on my copy of Windows 11 (definition files from 6/21/2024). I would double check that the files are downloaded correctly, you can compute SHA256 using PowerShell's Get-FileHash.

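The check zeux suggests above (recompute the download's hash and compare it to the published value before worrying about the Defender verdict) is a routine release-integrity step. The script below is an added example for this thread, not code from the meshoptimizer project; it streams a file once to compute MD5 and SHA256, compares them to maintainer-published values, and builds the VirusTotal lookup URL for the computed SHA256 so the result can be cross-checked the way zeux did. The published hashes are the ones posted in the thread; the `demo()` function uses a constructed sample file (the bytes `abc`) rather than the real zip so it runs offline. On Windows, PowerShell's `Get-FileHash` gives the same SHA256 in one command.

```python
"""Verify a downloaded release artifact against maintainer-published hashes."""
import hashlib
import os
import tempfile

# Values for gltfpack-windows.zip v0.21 as posted by the maintainer in this issue.
PUBLISHED_MD5 = "438a7cb4582e908824f938ecda249b6d"
PUBLISHED_SHA256 = "ef2e680c7a1bf8c4c4c8c4e72d875cbec20ca8052901a3a3e4986f4a9ff64e8a"


def file_digests(path, chunk_size=1 << 20):
    """Read the file once in chunks and return both MD5 and SHA256 as lowercase hex."""
    md5 = hashlib.md5()
    sha256 = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def virustotal_url(sha256_hex):
    """VirusTotal's file report URL is keyed by SHA256, so no upload is needed."""
    return f"https://www.virustotal.com/gui/file/{sha256_hex.lower()}"


def verify_artifact(path, expected_sha256, expected_md5=None):
    """Compare computed digests with the published ones.

    A SHA256 mismatch means the bytes on disk differ from what the maintainer
    built (truncated download, proxy tampering, wrong file); a match means any
    AV verdict concerns the genuine release, not a corrupted copy.
    """
    digests = file_digests(path)
    return {
        "computed": digests,
        "sha256_ok": digests["sha256"] == expected_sha256.lower(),
        # MD5 is only a secondary cross-check here; SHA256 is the one that matters.
        "md5_ok": (digests["md5"] == expected_md5.lower()) if expected_md5 else None,
        "virustotal": virustotal_url(digests["sha256"]),
    }


def demo():
    """Constructed sample (not the real zip): a file containing b'abc'.

    Returns the verification result for the correct hashes and for a wrong
    SHA256, to show both the pass and the mismatch paths.
    """
    abc_sha256 = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"
    abc_md5 = "900150983cd24fb0d6963f7d28e17f72"
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "sample.bin")
        with open(path, "wb") as f:
            f.write(b"abc")
        good = verify_artifact(path, abc_sha256, abc_md5)
        bad = verify_artifact(path, "00" * 32)
    return good, bad


if __name__ == "__main__":
    # Real usage: point this at the downloaded release artifact.
    # print(verify_artifact("gltfpack-windows.zip", PUBLISHED_SHA256, PUBLISHED_MD5))
    good, bad = demo()
    print("sample matches:", good["sha256_ok"], good["md5_ok"])
    print("wrong hash detected:", not bad["sha256_ok"])
    print("cross-check:", good["virustotal"])
```

Run it against the real download by uncommenting the `verify_artifact` call in the `__main__` block; if `sha256_ok` is true the file is byte-identical to the maintainer's build and the VirusTotal URL points at the same report zeux linked.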

wolfyllow commented 2 months ago

Awesome. Thanks for the whole explanation. Knowing the building pipeline gives even more credibility to the safety of the project.

Thanks also for sharing the SHA256 of the .exe file. I confirm it's the same as the one I downloaded.