How do I know if a package is from an official source?

[fourteen-1]

How do I know if a package of a program is uploaded officially by the devs of the program? In fact, are there packages being maintained by devs? For example, I don't want to use winget to update security apps like Bitwarden if they (the devs) aren't officially distributing Bitwarden through winget since that could potentially be a security risk.

I'm fairly new to this package manager thing and it's hard to find answers about this just from google. Help would be tremendously appreciated.

[Trenly]

Packages in the community repository go through a verification process to be sure the download link being used correlates back to an official mirror from the publisher. Even if the package itself is not submitted to winget by the devs of the program, the URLs are checked for safety. In almost all cases, the URL will be the exact same URL that is available from the download page of the software if you were to go and download it yourself by visiting the publisher's website

[fourteen-1]

In almost all cases, the URL will be the exact same URL...

So there's practically no instance for a package to not be safe for downloading from the default winget source then? Are packages verified manually or is it done via bots? If it's automated there's still a security risk no matter how slight.

It'd still be great to have a "verification identity" for packages that are being submitted by the devs, in order to differentiate those from john-doe submissions, which is what I was essentially looking for.

Also, would love to read any documentation on how exactly packages are verified and how exactly winget works to maintain and update packages, if there is any.

[Trenly]

Are packages verified manually or is it done via bots?

Both. A bot scans the URLs to make sure there aren’t any flags for malware, PUA, and to be sure that it correlates back to the publisher. Then the PR also goes through a manual review before being merged.

Also, would love to read any documentation on how exactly packages are verified and how exactly winget works to maintain and update packages, if there is any.

Take a look at the FAQ, I think it may give some of the answers you're looking for. Specific to how packages are verified, @denelon talks about it in detail in this Open at Microsoft Episode

[denelon]

The FAQ moved.

[riverar]

Updated tl;dr answer for folks reading this from social media: You don't.

See also: microsoft/winget-pkgs#7836

[denelon]

When in doubt, run winget show <package> to see the metadata associated with the package. This includes URLs for publishers, packages, and installers.

Packages should be coming from official sources, but that does not mean the publisher has submitted the manifest to the community repository.