Comment by kyrra
11 hours ago
For windows users, this is an advantage of using `winget` for installing things. It points to the installer hosted elsewhere, but it at least does a signature check. The config for the latest installer is listed here: https://github.com/microsoft/winget-pkgs/blob/master/manifes...
which you can install with:
winget install --exact --id CPUID.CPU-Z
(there is a --version flag where you can specify "2.19", which the signature there is a month old, so it should be safe to install that way)
No, WinGet does not generally protect against this. While PRs to update package versions are verified in some way before going live, the necessary throughput can only be achieved with shallow checks. A determined actor could easily get a malicious update in, once they control the original source.
Other than that, WinGet is mostly just "run setup.exe". It is not a package manager. It's basically MajorGeeks as a mediocre CLI.
Nonsense. WinGet has the ability to add repositories, just like any other package manager. If you want the 'approved' packages for the distro, that would be the msstore repository. If you want to use the 'community feed', which WinGet warns you about the first time you use it, it's less vetted, but still goes through Defender scans and community moderators.
If you go adding any old repo to APT, you have the same risk. You should look at how much code review goes into packages for major distros like Debian, hint, not much, especially once the initial package was accepted.
This manifest only shows sha checks, which wouldn't help if the manifest is updated during the site compromise. How does it do the signature check?
Presumably the manifest is in github and won't auto-update when something on the CPU-Z website changes?
What do you mean, how would it get the new version name/hash if not following the changes on the website?
2 replies →
Yes. Winget is getting better support on Windows apps. The other day I tried to download the latest version of ImageMagick but all the links on the official site were bad. I tried Winget and it had it!
Package managers also saved people from the Notepad++ hijack that was disclosed a couple months ago.
I think devs should avoid distributing their software on first party sites unless they're willing to dedicate a bunch of time to making sure all the infra is secure. Not a lot of people verify signatures, but it's also good to have your PKI in order (signing keys should be available on multiple channels)