[Pas2js] Pas2js 1.4.0RC2

silvioprog silvioprog at gmail.com
Mon Feb 18 22:00:46 CET 2019


On Mon, Feb 18, 2019 at 3:21 PM Mattias Gaertner via Pas2js <
pas2js at lists.freepascal.org> wrote:

> On Mon, 18 Feb 2019 11:04:04 -0700 (MST)
> warleyalex via Pas2js <pas2js at lists.freepascal.org> wrote:
>
> > hey look at this picture: https://ibb.co/hDBFYRy
> >
> > Avast has moved "pas2js.exe" version 1.4.0RC2 - the suspect
> > win32:evo-gen
>
> According to www.virustotal.com only 3 of 68 scanners find pas2js.exe
> unsafe.
>
> I reported it as false alarm. Let's see what avast will do.
>
> Mattias


I have a question in the same context regarding security. Is there any
HTTPS link to download the official Pas2JS binaries or some GPG signature
for each one to check them when downloaded via FTP? :-) If you have the GPG
on the server, just perform the detach sign for each package, e.g:

$ gpg --detach-sign pas2js-linux-1.4.0RC2.zip
$ gpg --detach-sign pas2js-windows-1.4.0RC2.zip
$ gpg --detach-sign pas2js-macos-1.4.0RC2.zip

it will generate the files pas2js-linux-1.4.0RC2.zip.sig,
pas2js-macos-1.4.0RC2.zip.sig and pas2js-windows-1.4.0RC2.zip.sig, so we
could use them. For example, supposing they were signed using my public key
(available at the keyserver here: <https://keyserver.ubuntu.com/pks/lookup?fingerprint=on&op=index&search=0xACDEB1EB9330106D5D8F98053BFD572FA16D239A>):

$ wget -c ftp://ftpmaster.freepascal.org/fpc/contrib/pas2js/1.4.0RC2/pas2js-linux-1.4.0RC2.zip
$ wget -c ftp://ftpmaster.freepascal.org/fpc/contrib/pas2js/1.4.0RC2/pas2js-linux-1.4.0RC2.zip.sig
$ gpg --verify pas2js-linux-1.4.0RC2.zip.sig pas2js-linux-1.4.0RC2.zip
gpg: Signature made Mon 18 Feb 2019 05:45:12 PM -03
gpg:                using RSA key ACDEB1EB9330106D5D8F98053BFD572FA16D239A
gpg: Good signature from "Silvio Clecio (silvioprog) <silvioprog at gmail
dot com>" [ultimate]

when the file is corrupted, it reports something as follows:

$ gpg --verify pas2js-linux-1.4.0RC2.zip.sig pas2js-linux-1.4.0RC2.zip
gpg: Signature made Mon 18 Feb 2019 05:45:12 PM -03
gpg:                using RSA key ACDEB1EB9330106D5D8F98053BFD572FA16D239A
gpg: BAD signature from "Silvio Clecio (silvioprog) <silvioprog at gmail
dot com>" [ultimate]

A pure FTP is unsafe, so a binary could be corrupted/infected when it is
being downloaded, but signing the files will make them safe and sane some
av's false positives.

best,

--
Silvio Clécio
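As an added example (not from Silvio's mail or the Pas2js project): a small POSIX sh helper that goes one step beyond the `gpg --verify` calls above, because gpg prints "Good signature" for any key already in the keyring, so a download check should also pin the expected signer's fingerprint using gpg's machine-readable `--status-fd` output. It assumes gpg is installed and the signer's public key is imported; the fingerprint is the one from the mail, and the helper names are mine.

```shell
# check_gpg_status: read "gpg --status-fd" lines on stdin and succeed only
# when a VALIDSIG line names the expected key (signing subkey or primary
# key fingerprint) and no BADSIG/ERRSIG/expired/revoked status appeared.
# Arg 1: expected 40-hex fingerprint, obtained out of band (not via FTP).
check_gpg_status() {
    expected=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    found=1
    while IFS= read -r line; do
        case $line in
            "[GNUPG:] BADSIG "*|"[GNUPG:] ERRSIG "*|"[GNUPG:] NO_PUBKEY "*)
                return 1 ;;
            "[GNUPG:] EXPKEYSIG "*|"[GNUPG:] REVKEYSIG "*|"[GNUPG:] EXPSIG "*)
                return 1 ;;
            "[GNUPG:] VALIDSIG "*)
                # fields: [GNUPG:] VALIDSIG <sig-key-fpr> ... <primary-key-fpr>
                set -- $line
                for w; do last=$w; done
                if [ "$3" = "$expected" ] || [ "$last" = "$expected" ]; then
                    found=0
                fi ;;
        esac
    done
    return $found
}

# verify_release: verify a detached signature and pin the signer.
# Usage: verify_release <file.sig> <file> <expected-fingerprint>
# Example (names from the mail, assumed to exist locally):
#   verify_release pas2js-linux-1.4.0RC2.zip.sig pas2js-linux-1.4.0RC2.zip \
#       ACDEB1EB9330106D5D8F98053BFD572FA16D239A && echo "pinned signer OK"
verify_release() {
    gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null | check_gpg_status "$3"
}
```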