<div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr">On Mon, Feb 18, 2019 at 3:21 PM Mattias Gaertner via Pas2js <<a href="mailto:pas2js@lists.freepascal.org" target="_blank">pas2js@lists.freepascal.org</a>> wrote:<br></div><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">On Mon, 18 Feb 2019 11:04:04 -0700 (MST)<br>
warleyalex via Pas2js <<a href="mailto:pas2js@lists.freepascal.org" target="_blank">pas2js@lists.freepascal.org</a>> wrote:<br>
<br>
> hey look at this picture: <a href="https://ibb.co/hDBFYRy" rel="noreferrer" target="_blank">https://ibb.co/hDBFYRy</a><br>
> <br>
> Avast has moved "pas2js.exe" version 1.4.0RC2 - the suspect<br>
> win32:evo-gen<br>
<br>
According to <a href="http://www.virustotal.com" rel="noreferrer" target="_blank">www.virustotal.com</a> only 3 of 68 scanners find pas2js.exe<br>
unsafe. <br>
<br>
I reported it as false alarm. Let's see what avast will do.<br>
<br>
Mattias</blockquote><div><br></div><div>I have a question in the same context regarding security. Is there any HTTPS link to download the official Pas2JS binaries or some GPG signature for each one to check them when downloaded via FTP? :-) If you have the GPG on the server, just perform the detach sign for each package, e.g:</div><div><br></div><div><font face="monospace, monospace" size="1">$ gpg --detach-sign pas2js-linux-1.4.0RC2.zip<br></font></div><div><font face="monospace, monospace" size="1">$ gpg --detach-sign pas2js-windows-1.4.0RC2.zip<br></font></div><div><font face="monospace, monospace" size="1">$ gpg --detach-sign pas2js-macos-1.4.0RC2.zip</font><br></div><div><br></div><div>it will generate the files <font face="monospace, monospace" size="1">pas2js-linux-1.4.0RC2.zip.sig</font>, <font face="monospace, monospace" size="1">pas2js-macos-1.4.0RC2.zip.sig</font> and <font face="monospace, monospace" size="1">pas2js-windows-1.4.0RC2.zip.sig</font>, so we could use them. For example, supposing they were signed using my public key (available at keyserver <a href="https://keyserver.ubuntu.com/pks/lookup?fingerprint=on&op=index&search=0xACDEB1EB9330106D5D8F98053BFD572FA16D239A" target="_blank">here</a>):</div><div><br></div><div><font face="monospace, monospace" size="1">$ wget -c <a href="ftp://ftpmaster.freepascal.org/fpc/contrib/pas2js/1.4.0RC2/pas2js-linux-1.4.0RC2.zip" target="_blank">ftp://ftpmaster.freepascal.org/fpc/contrib/pas2js/1.4.0RC2/pas2js-linux-1.4.0RC2.zip</a></font></div><div><font face="monospace, monospace" size="1">$ wget -c <a href="ftp://ftpmaster.freepascal.org/fpc/contrib/pas2js/1.4.0RC2/pas2js-linux-1.4.0RC2.zip.sig" target="_blank">ftp://ftpmaster.freepascal.org/fpc/contrib/pas2js/1.4.0RC2/pas2js-linux-1.4.0RC2.zip.sig</a><br></font></div><div><font face="monospace, monospace" size="1">$ gpg --verify pas2js-linux-1.4.0RC2.zip.sig pas2js-linux-1.4.0RC2.zip<br></font></div><div><div><font face="monospace, monospace" size="1">gpg: Signature made Mon 18 Feb 2019 05:45:12 PM -03</font></div><div><font face="monospace, monospace" size="1">gpg: using RSA key ACDEB1EB9330106D5D8F98053BFD572FA16D239A</font></div><div><font face="monospace, monospace" size="1">gpg: <font color="#274e13">Good</font> signature from "Silvio Clecio (silvioprog) <silvioprog at gmail </font><span style="font-family:monospace,monospace;font-size:x-small">dot </span><span style="font-family:monospace,monospace;font-size:x-small">com</span><span style="font-family:monospace,monospace;font-size:x-small">>" [ultimate]</span></div></div><div><br></div><div>when the file is corrupted, it reports someting as following:</div><div><br></div><div><div><font face="monospace, monospace" size="1">$ gpg --verify pas2js-linux-1.4.0RC2.zip.sig pas2js-linux-1.4.0RC2.zip</font></div><div><font face="monospace, monospace" size="1">gpg: Signature made Mon 18 Feb 2019 05:45:12 PM -03</font></div><div><font face="monospace, monospace" size="1">gpg: using RSA key ACDEB1EB9330106D5D8F98053BFD572FA16D239A</font></div><div><font face="monospace, monospace" size="1">gpg: <font color="#ff0000">BAD</font> signature from "Silvio Clecio (silvioprog) <silvioprog at gmail dot com>" [ultimate]</font></div></div><div><br></div><div>A pure FTP is unsafe, so a binary could be corrupted/infected when it is being downloaded, but signing the files will make them safe and sane some av's false positives.</div><div><br></div><div>best,</div><div><br></div></div>--<br><div dir="ltr" class="m_2504658017953229556m_188932774870756434gmail-m_4657802452889342539gmail_signature"><div dir="ltr"><div>Silvio Clécio</div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div>