For windows users, this is an advantage of using `winget` for installing things. It points to the installer hosted elsewhere, but it at least does a signature check. The config for the latest installer is listed here: https://github.com/microsoft/winget-pkgs/blob/master/manifes...
which you can install with:
winget install --exact --id CPUID.CPU-Z
No, WinGet does not generally protect against this. While PRs to update package versions are verified in some way before going live, the necessary throughput can only be achieved with shallow checks. A determined actor could easily get a malicious update in, once they control the original source.
Other than that, WinGet is mostly just "run setup.exe". It is not a package manager. It's basically MajorGeeks as a mediocre CLI.
This manifest only shows sha checks, which wouldn't help if the manifest is updated during the site compromise. How does it do the signature check?
Presumably the manifest is in github and won't auto-update when something on the CPU-Z website changes?
What do you mean, how would it get the new version name/hash if not following the changes on the website?
I think you should spend the 5 minutes it takes to look at the winget-pkg repo to see how it works. There's lots of great documentation.
All updates are manual, and are done via pull requests. Check everything in-queue: https://github.com/microsoft/winget-pkgs/pulls
Existing versions don't tend to have their metadata updated (I'm not sure winget would accept it). Only new versions are supported.
You can see all the checks that go into cpu-z updates with the latest PR: https://github.com/microsoft/winget-pkgs/pull/349095
That would obviously be longer than 5 minutes; presumably you've done that and still can't answer the simple question
> All updates are manual, and are done via pull requests.
The pull requests can be and some are automated, so not all are manual. But more importantly, how would it help?
> Existing versions don't tend to have their metadata updated (I'm not sure winget would accept it). Only new versions are supported.
The attack is version update! How is the old manifest version relevant here?
> You can see all the checks that go into cpu-z updates with the latest PR:
> Description : Invoke an Azure Function > Static Analysis > Status: Started > Status: InProgress
Excellent, now how can I get the answer to the question from this valuable information?
Yes. Winget is getting better support on Windows apps. The other day I tried to download the latest version of ImageMagick but all the links on the official site were bad. I tried Winget and it had it!
Package managers also saved people from the Notepad++ hijack that was disclosed a couple months ago.
I think devs should avoid distributing their software on first party sites unless they're willing to dedicate a bunch of time to making sure all the infra is secure. Not a lot of people verify signatures, but it's also good to have your PKI in order (signing keys should be available on multiple channels)