Comment by eviks
11 hours ago
This manifest only shows sha checks, which wouldn't help if the manifest is updated during the site compromise. How does it do the signature check?
11 hours ago
This manifest only shows sha checks, which wouldn't help if the manifest is updated during the site compromise. How does it do the signature check?
Presumably the manifest is in github and won't auto-update when something on the CPU-Z website changes?
What do you mean, how would it get the new version name/hash if not following the changes on the website?
I think you should spend the 5 minutes it takes to look at the winget-pkg repo to see how it works. There's lots of great documentation.
All updates are manual, and are done via pull requests. Check everything in-queue: https://github.com/microsoft/winget-pkgs/pulls
Existing versions don't tend to have their metadata updated (I'm not sure winget would accept it). Only new versions are supported.
You can see all the checks that go into cpu-z updates with the latest PR: https://github.com/microsoft/winget-pkgs/pull/349095
1 reply →