It’s a signed archive of deployable files along with meta-data. Usually a cpio archive (which is similar to a tarball) with that extra signature wrapper and meta-data (which, itself, should be a list of files and checksums).
A proper package can validate a project’s installation, either from the local database or from remote resources, at any time, which gives positive assurance that what is installed is what should be installed.
As well, proper package info is exported by SNMP to be consolidated centrally and validate what is vs what should be installed at the group level.
TL;DR? Like a tarball with tracking info, signatures, checksums, and top-to-bottom validation. If it’s a good package, anyway.