eviks 5 hours ago

This manifest only shows sha checks, which wouldn't help if the manifest is updated during the site compromise. How does it do the signature check?

actionfromafar 5 hours ago | parent [-]

Presumably the manifest is in github and won't auto-update when something on the CPU-Z website changes?

eviks 4 hours ago | parent [-]

What do you mean, how would it get the new version name/hash if not following the changes on the website?

kyrra 4 hours ago | parent [-]

I think you should spend the 5 minutes it takes to look at the winget-pkg repo to see how it works. There's lots of great documentation.

All updates are manual, and are done via pull requests. Check everything in-queue: https://github.com/microsoft/winget-pkgs/pulls

Existing versions don't tend to have their metadata updated (I'm not sure winget would accept it). Only new versions are supported.

You can see all the checks that go into cpu-z updates with the latest PR: https://github.com/microsoft/winget-pkgs/pull/349095

eviks 4 hours ago | parent [-]

That would obviously be longer than 5 minutes; presumably you've done that and still can't answer the simple question.

> All updates are manual, and are done via pull requests.

The pull requests can be, and some are, automated, so not all are manual. But more importantly, how would it help?

> Existing versions don't tend to have their metadata updated (I'm not sure winget would accept it). Only new versions are supported.

The attack is a version update! How is the old manifest version relevant here?

> You can see all the checks that go into cpu-z updates with the latest PR:

> Description : Invoke an Azure Function > Static Analysis > Status: Started > Status: InProgress

Excellent, now how can I get the answer to the question from this valuable information?