Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
kyrra 5 hours ago

For windows users, this is an advantage of using `winget` for installing things. It points to the installer hosted elsewhere, but it at least does a signature check. The config for the latest installer is listed here: https://github.com/microsoft/winget-pkgs/blob/master/manifes...

which you can install with:

   winget install --exact --id CPUID.CPU-Z
(there is a --version flag where you can specify "2.19", which the signature there is a month old, so it should be safe to install that way)
fuzzy2 4 hours ago | parent | next [-]

No, WinGet does not generally protect against this. While PRs to update package versions are verified in some way before going live, the necessary throughput can only be achieved with shallow checks. A determined actor could easily get a malicious update in, once they control the original source.

Other than that, WinGet is mostly just "run setup.exe". It is not a package manager. It's basically MajorGeeks as a mediocre CLI.

eviks 5 hours ago | parent | prev | next [-]

This manifest only shows sha checks, which wouldn't help if the manifest is updated during the site compromise. How does it do the signature check?

actionfromafar 5 hours ago | parent [-]

Presumably the manifest is in github and won't auto-update when something on the CPU-Z website changes?

eviks 4 hours ago | parent [-]

What do you mean, how would it get the new version name/hash if not following the changes on the website?

kyrra 4 hours ago | parent [-]

I think you should spend the 5 minutes it takes to look at the winget-pkg repo to see how it works. There's lots of great documentation.

All updates are manual, and are done via pull requests. Check everything in-queue: https://github.com/microsoft/winget-pkgs/pulls

Existing versions don't tend to have their metadata updated (I'm not sure winget would accept it). Only new versions are supported.

You can see all the checks that go into cpu-z updates with the latest PR: https://github.com/microsoft/winget-pkgs/pull/349095

eviks 4 hours ago | parent [-]

That would obviously be longer than 5 minutes; presumably you've done that and still can't answer the simple question

> All updates are manual, and are done via pull requests.

The pull requests can be and some are automated, so not all are manual. But more importantly, how would it help?

> Existing versions don't tend to have their metadata updated (I'm not sure winget would accept it). Only new versions are supported.

The attack is version update! How is the old manifest version relevant here?

> You can see all the checks that go into cpu-z updates with the latest PR:

> Description : Invoke an Azure Function > Static Analysis > Status: Started > Status: InProgress

Excellent, now how can I get the answer to the question from this valuable information?

ww520 5 hours ago | parent | prev | next [-]

Yes. Winget is getting better support on Windows apps. The other day I tried to download the latest version of ImageMagick but all the links on the official site were bad. I tried Winget and it had it!

hypeatei 5 hours ago | parent | prev [-]

Package managers also saved people from the Notepad++ hijack that was disclosed a couple months ago.

I think devs should avoid distributing their software on first party sites unless they're willing to dedicate a bunch of time to making sure all the infra is secure. Not a lot of people verify signatures, but it's also good to have your PKI in order (signing keys should be available on multiple channels)