Add VirusTotal submission to avoid run-time prompts in Chocolatey Pro+

brogers5 · Feb 22, 2024 · 626bc8b · 626bc8b
1 parent 1d36167
commit 626bc8b
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 0 deletions.
diff --git a/ReadMe.md b/ReadMe.md
@@ -33,6 +33,8 @@ Note that Chocolatey package builds are non-deterministic. Consequently, an inde
 
 This package should be automatically updated by the [Chocolatey Automatic Package Updater Module](https://github.com/majkinetor/au). If it is outdated by more than a few days, please [open an issue](https://github.com/brogers5/chocolatey-package-xsplit-vcam/issues).
 
+### AU Setup
+
 AU expects the parent directory that contains this repository to share a name with the Nuspec (`xsplit-vcam`). Your local repository should therefore be cloned accordingly:
 
 ```shell
@@ -45,6 +47,18 @@ Alternatively, a junction point can be created that points to the local reposito
 mklink /J xsplit-vcam ..\chocolatey-package-xsplit-vcam
 ```
 
+### VirusTotal Setup
+
+While not strictly necessary to produce a working package, it's recommended to [install VirusTotal's CLI](https://community.chocolatey.org/packages/vt-cli) and [configure an API key](https://virustotal.github.io/vt-cli/#configuring-your-api-key). An API key can be [procured for free with a VirusTotal account](https://docs.virustotal.com/docs/please-give-me-an-api-key).
+
+This should enable automated submission of the installer package to VirusTotal, which would improve the user experience for Chocolatey Pro+ users. They have access to Chocolatey's [Runtime Malware Protection feature](https://docs.chocolatey.org/en-us/features/virus-check), which by default is [enabled and configured for VirusTotal integration](https://docs.chocolatey.org/en-us/features/virus-check#virustotal).
+
+Normally, the Community Repository's Package Scanner service would upload the installer package to VirusTotal, as a prerequisite to the moderation process's Scan Testing step. Unfortunately, the package is currently incompatible with it (due to the installer package [exceeding the current 200MB file size limit](https://github.com/chocolatey/home/issues/247)), and will therefore fail to submit the installer binary.
+
+As new XSplit VCam releases are unlikely to have been scanned prior to an updated package's publication, this would avoid burdening users with [a run-time prompt to optionally upload the installer binary to VirusTotal for scanning](https://docs.chocolatey.org/en-us/features/virus-check#what-if-virustotal-doesnt-have-results-for-a-binary).
+
+### Execution and Testing
+
 Once created, simply run `update.ps1` from within the created directory/junction point. Assuming all goes well, all relevant files should change to reflect the latest version available. This will also build a new package version using the modified files.
 
 Before submitting a pull request, please [test the package](https://docs.chocolatey.org/en-us/community-repository/moderation/package-verifier#steps-for-each-package) using the [Chocolatey Testing Environment](https://github.com/chocolatey-community/chocolatey-test-environment) first.
diff --git a/update.ps1 b/update.ps1
@@ -35,6 +35,13 @@ function global:au_BeforeUpdate ($Package) {
     $filePath = ".\XSplit_VCam_$($Latest.Version).msi"
     Invoke-WebRequest -Uri $Latest.Url64 -OutFile $filePath
 
+    if ((Get-Command -Name 'vt' -CommandType Application -ErrorAction SilentlyContinue)) {
+        vt.exe scan file "$filePath" --silent
+    }
+    else {
+        Write-Warning 'VirusTotal CLI is not available - skipping VirusTotal submission'
+    }
+
     $Latest.Checksum64 = (Get-FileHash -Path $filePath -Algorithm SHA256).Hash.ToLower()
 
     Set-DescriptionFromReadme -Package $Package -ReadmePath '.\DESCRIPTION.md'