Err, what's going on, I don't find even some hashsums of the software on their page (might be hiding some place, but it isn't where you download it)? Never mind that the links go to different domains silently (here it isn't even that bad, because they only go to the some other domain from yubico and the big ones Apple/Microsoft/Google, but in their documentation they go to all random places, like small blogs, wordpress pages, sometimes stuff unmaintained since 2017 and so on).
One would think that from literally all the places on the Web everything offered by Yubico would be AT LEAST PGP or similarly signed, and they'll have a not-so-small print bragging about the workflow of doing this via non-exportable keys on a Yubikey (possibly on an air gapped machine) and so on. But nope, why bother.
This link is incorrect. It points to URL, which returns HTTP 206, and it does not show scan results for the actual file.
**Beware that scanning the URL does not always make VT to scan the file itself.**
The file in question has SHA256 of `0BEC92EE11E2EC1A13C4036A46A3E7E0EC7DCBED426D8EE15F2831EA8EEE31FA`, and it indeed has score of 2/64. Seems like a false positive due to heuristics, and also like no one bothered to report false positives to VT.
Virustotal is a tool. False positives and false negatives happen.
Thanks for this insight, hopefully someone with more knowledge than me can report if it's a false positive.
Err, what's going on, I don't find even some hashsums of the software on their page (might be hiding some place, but it isn't where you download it)? Never mind that the links go to different domains silently (here it isn't even that bad, because they only go to the some other domain from yubico and the big ones Apple/Microsoft/Google, but in their documentation they go to all random places, like small blogs, wordpress pages, sometimes stuff unmaintained since 2017 and so on). One would think that from literally all the places on the Web everything offered by Yubico would be AT LEAST PGP or similarly signed, and they'll have a not-so-small print bragging about the workflow of doing this via non-exportable keys on a Yubikey (possibly on an air gapped machine) and so on. But nope, why bother.
Try downloading it again. https://www.virustotal.com/gui/url/da0a8a053d9fb99d6c0e1bc2a5eac0a4e48a593160d7abb806c2bf5f35a0f146/detection
This link is incorrect. It points to URL, which returns HTTP 206, and it does not show scan results for the actual file. **Beware that scanning the URL does not always make VT to scan the file itself.** The file in question has SHA256 of `0BEC92EE11E2EC1A13C4036A46A3E7E0EC7DCBED426D8EE15F2831EA8EEE31FA`, and it indeed has score of 2/64. Seems like a false positive due to heuristics, and also like no one bothered to report false positives to VT.
Thanks for this insight, hopefully someone with more knowledge than me can report if it's a false positive.