Hi all,
In today’s blog we are going to discuss some of the great highlights around package security in the latest WinGet video released on the Microsoft Developer YouTube channel.
The video features Microsoft MVP Kaleb Luedtke and Demitrius Nelon (Product Manager for Windows Package Manager) and goes in depth into the processes used to ensure that the packages submitted to WinGet are safe and trusted.
Here is an overview of the different security processes that each package submission goes through:
- Syntax and Metadata Validation: WinGet checks the submitted manifest for proper syntax and scrutinizes the metadata for consistency and accuracy.
- URL Reputation Checks: All URLs, including those pointing to the installer, publisher’s page, or copyright information, undergo SmartScreen filtering to assess their reputation.
- Antivirus Scanning: Partnering with internal security teams, WinGet subjects the installer binaries to antivirus scanning, checking for any known malware signatures.
- Hardened Environment Testing: Installers run in a secure environment with tools like Defender and file watchers to catch any malicious activity during or after installation. The validation process also attempts to launch the application after installation to ensure nothing malicious is occurring at runtime.
- Policy Checks for Compliance: WinGet ensures that the content doesn’t contain risky keywords, inappropriate language, or unauthorized trademarks.
- Human Moderation: Finally, a human moderator performs a final review, checking the appropriateness of URLs and the overall legitimacy of the package.
The Role of Hashes in Security
Another topic that is discussed is hash verification, which is a critical security feature when validating WinGet packages. WinGet uses hashes to verify that the installer you’re about to use matches the one submitted in the manifest. If a publisher updates an installer without updating the manifest, WinGet will stop the installation, signaling a potential risk. The downside is that many publishers use “vanity” URLs (the URL stays the same for each new version), which means that if the publisher deploys a new version, WinGet will block the installation as a hash mismatch until the manifest is updated.
This is where innovative solutions like the WinGet Bot and our very own Pckgr Bot become game-changers. The Pckgr Bot scans the most popular applications hosted on vanity URLs every hour for any signs of updates. Upon detecting a new version, it generates and submits a new package to WinGet using WinGet Create (a tool we will cover in another blog), complete with the updated hash and version details. This automation significantly narrows the window of application downtime caused by hash mismatches, ensuring users benefit from the latest updates without sacrificing the security advantages of hash verification.
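To make the hash check and the vanity-URL failure mode concrete, here is an added example (not code from the video, WinGet, or Pckgr) that mimics the comparison WinGet performs against the manifest’s InstallerSha256 field, shows the mismatch that occurs when a publisher swaps the binary behind an unchanged URL, and then shows the refreshed manifest an update bot would submit. The installer bytes, URL and package name are constructed for the example; the manifest key names are real WinGet manifest keys.

```python
import hashlib
import hmac

# Constructed stand-in for the installer-related fields of a WinGet manifest.
# Key names (PackageIdentifier, PackageVersion, InstallerUrl, InstallerSha256)
# are real WinGet manifest keys; all values below are made up for this example.
VANITY_URL = "https://example.invalid/download/app-setup.exe"  # same URL every release
V1_INSTALLER = b"MZ...constructed installer bytes, version 1.0.0..."
V2_INSTALLER = b"MZ...constructed installer bytes, version 1.1.0..."


def sha256_hex(data: bytes) -> str:
    """WinGet manifests carry the installer's SHA-256 as uppercase hex."""
    return hashlib.sha256(data).hexdigest().upper()


MANIFEST_V1 = {
    "PackageIdentifier": "Example.App",
    "PackageVersion": "1.0.0",
    "InstallerUrl": VANITY_URL,
    "InstallerSha256": sha256_hex(V1_INSTALLER),
}


def verify_installer(manifest: dict, downloaded: bytes) -> dict:
    """Hash what was actually fetched from InstallerUrl and compare it with the
    manifest's InstallerSha256 (case-insensitive, constant-time comparison)."""
    actual = sha256_hex(downloaded)
    ok = hmac.compare_digest(actual, manifest["InstallerSha256"].upper())
    return {"ok": ok, "expected": manifest["InstallerSha256"], "actual": actual}


def propose_updated_manifest(old: dict, new_version: str, new_installer: bytes) -> dict:
    """What an update bot does after spotting a new release at the vanity URL:
    re-hash the new binary and emit a manifest with bumped version and hash."""
    new = dict(old)
    new["PackageVersion"] = new_version
    new["InstallerSha256"] = sha256_hex(new_installer)
    return new


if __name__ == "__main__":
    # Day 1: the URL serves the binary the manifest was written for.
    print(verify_installer(MANIFEST_V1, V1_INSTALLER)["ok"])  # True
    # Publisher replaces the file behind the same URL: WinGet stops the install.
    print(verify_installer(MANIFEST_V1, V2_INSTALLER)["ok"])  # False (hash mismatch)
    # Bot detects the change and submits a refreshed manifest, restoring installs.
    manifest_v2 = propose_updated_manifest(MANIFEST_V1, "1.1.0", V2_INSTALLER)
    print(verify_installer(manifest_v2, V2_INSTALLER)["ok"])  # True
```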
Where to watch?
You can check the video out over on YouTube. Just click this link: WinGet community repository frequently asked questions (FAQs) – YouTube
