MS Edge DEB packages still install SHA1 signing key
Describe the issue: Follow up to #47
When installing MS Edge using the .DEB files from https://www.microsoft.com/en-us/edge/download the provided package file installs a SHA1 signing key in /etc/apt/trusted.gpg.d. The key is hard-coded inside the DEB postinstall script instead of downloading from the repository.
install_key() {
  find_apt_trusted
  # ASCII-armored keyrings are only supported in apt 1.4 and later, but we must
  # continue supporting Trusty and Xenial which have older versions of apt, so
  # the keyring is installed as a binary blob. base64 is used to decode the
  # ASCII keyring, which should always be available since it comes from the
  # coreutils.
  (base64 -d > "$APT_TRUSTEDDIR/microsoft-edge-beta.gpg") <<KEYDATA
[base64-encoded keyring data omitted]
KEYDATA
}
When did the issue occur? Persistent
If applicable, what package did you attempt to install, and from which repo? https://packages.microsoft.com/repos/edge/pool/main/m/microsoft-edge-stable/microsoft-edge-stable_141.0.3537.85-1_amd64.deb?brand=M102
Steps to Reproduce: Install https://packages.microsoft.com/repos/edge/pool/main/m/microsoft-edge-stable/microsoft-edge-stable_141.0.3537.85-1_amd64.deb?brand=M102
To confirm the contents of the post install script, run:
ar p microsoft-edge-stable_141.0.3537.85-1_amd64.deb control.tar.xz | tar -Jx ./postinst
Actual Result: The signing key is using SHA1.
Expected Result: The signing key is using SHA256 and from https://packages.microsoft.com/keys/microsoft.asc
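One way to check which digest a binary keyring's signatures use, as an added example that is not part of the original issue or of Microsoft's packaging: it walks the OpenPGP packet framing (RFC 4880) and reports the hash algorithm of every signature packet. It assumes "using SHA1" refers to the hash algorithm ID in the key's signature packets; the function names and `SAMPLE` bytes are constructed for illustration.

```python
# OpenPGP hash algorithm IDs (RFC 4880, section 9.4)
HASH_NAMES = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
              9: "SHA384", 10: "SHA512", 11: "SHA224"}
WEAK = {"MD5", "SHA1", "RIPEMD160"}

def packets(data):
    """Yield (tag, body) for each packet in a binary (non-armored) keyring."""
    i = 0
    while i < len(data):
        first = data[i]
        if not first & 0x80:
            raise ValueError("not an OpenPGP packet (ASCII-armored file?)")
        if first & 0x40:                       # new-format header
            tag, o1 = first & 0x3F, data[i + 1]
            if o1 < 192:
                length, i = o1, i + 2
            elif o1 < 224:
                length, i = ((o1 - 192) << 8) + data[i + 2] + 192, i + 3
            elif o1 == 255:
                length, i = int.from_bytes(data[i + 2:i + 6], "big"), i + 6
            else:
                raise ValueError("partial body lengths not handled")
        else:                                  # old-format header
            tag, n = (first >> 2) & 0x0F, (1, 2, 4, 0)[first & 3]
            if n == 0:
                raise ValueError("indeterminate length not handled")
            length, i = int.from_bytes(data[i + 1:i + 1 + n], "big"), i + 1 + n
        yield tag, data[i:i + length]
        i += length

def signature_hashes(data):
    """Return (sig_type, hash_name) for every signature packet (tag 2)."""
    out = []
    for tag, body in packets(data):
        if tag == 2:
            # v3 stores the hash id at offset 16; v4 and later at offset 3
            sig_type, algo = (body[2], body[16]) if body[0] == 3 else (body[1], body[3])
            out.append((sig_type, HASH_NAMES.get(algo, f"unknown({algo})")))
    return out

def weak_signatures(data):
    """Signatures whose digest is MD5, SHA1 or RIPEMD160."""
    return [s for s in signature_hashes(data) if s[1] in WEAK]

# Constructed sample: well-framed but truncated packets, not a real key.
SAMPLE = (bytes([0x99, 0x00, 0x03, 4, 0, 0])                # public-key packet (tag 6)
          + bytes([0x89, 0x00, 0x06, 4, 0x13, 1, 2, 0, 0])  # v4 signature, SHA1
          + bytes([0xC2, 0x06, 4, 0x18, 1, 8, 0, 0]))       # v4 signature, SHA256
```

To audit an installed keyring, pass the bytes of a `.gpg` file from `/etc/apt/trusted.gpg.d` to `weak_signatures()`; a non-empty result lists the signature types still bound with a weak digest.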
Hi @Nu11u5, thanks for bringing this up to our attention. We have reached out internally to the Edge team that manages this package. Either they or we will provide updates here as they come.
For future reference though, you can also bring this up directly as feedback to Edge at https://support.microsoft.com/en-us/microsoft-edge. This can also be done within the Edge browser (Alt + Shift + I on Windows).