Pin Microsoft Edge repo to legacy microsoft.gpg key (fix 26.04 signature failure)#279
Open
theneiljohnson wants to merge 1 commit into
Open
Pin Microsoft Edge repo to legacy microsoft.gpg key (fix 26.04 signature failure)#279theneiljohnson wants to merge 1 commit into
theneiljohnson wants to merge 1 commit into
Conversation
PR #274 fixed the $EDGE_GPG_KEY unbound-variable crash by switching the Edge repo to $MS_GPG_KEYRING. On Ubuntu 26.04+ that variable resolves to /usr/share/keyrings/microsoft-2025.gpg, but the Edge repo (packages.microsoft.com/repos/edge) is signed with the legacy microsoft.asc key (verified: key EB3E94ADBE1229CF). Pinning Edge to MS_GPG_KEYRING therefore breaks 'apt-get update' signature verification on 26.04+, aborting the installer under 'set -e'. Pin the Edge repo to /usr/share/keyrings/microsoft.gpg explicitly on all releases, matching the script's existing comment that the Edge repo uses the older microsoft.asc key. The microsoft-2025 key remains used for the PMC (portal) repo via MS_GPG_KEYRING.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Follow-up to #274. That PR fixed the
$EDGE_GPG_KEYunbound-variable crash by pointing the Microsoft Edge apt repo at$MS_GPG_KEYRING. That removes the crash, but on Ubuntu 26.04+$MS_GPG_KEYRINGresolves to/usr/share/keyrings/microsoft-2025.gpg— a different signing key than the one that actually signs the Edge repo.The problem on Ubuntu 26.04+
packages.microsoft.com/repos/edge) is signed with the legacymicrosoft.asckey.InReleaseis a Good signature from keyEB3E94ADBE1229CF(legacymicrosoft.gpg), not the microsoft-2025 keyEE4D7792F748182B.MS_GPG_KEYRING=/usr/share/keyrings/microsoft-2025.gpg, so pinning Edge to$MS_GPG_KEYRINGmakesapt-get updatefail Edge signature verification, which aborts the installer underset -e.Fix
Pin the Edge repo to
/usr/share/keyrings/microsoft.gpgexplicitly on all releases. This matches the script's own existing comment that "The Edge repo uses the older microsoft.asc key on all versions." The microsoft-2025 key is still used for the PMC/portal repo viaMS_GPG_KEYRINGon 26.04+.Testing
bash -n installer.sh→ syntax OK.InReleaseverifies as a Good signature under the legacy key (EB3E94ADBE1229CF).MS_GPG_KEYRINGalready resolves to the legacy keyring); change is a no-op on those releases and corrects 26.04+.