Bonum Certa Men Certa

Microsoft Edge for “Linux” Uses Outdated GPG and Then Configures it to Silence Your Distribution’s Package Security Checks

Reprinted with permission from Ryan

Previously: Bruce Schneier: Microsoft Edge is Apparently a Password Stealer Too, Even on GNU/Linux

Microsoft Edge for “Linux” uses outdated GPG and then configures it to silence your distribution’s package security checks.



I got bored today and decided to look at the RPM package for Microsoft Edge for “Linux”.



If you installed it, it will add a microsoft-edge.repo file in etc/yum.repos.d with the following:



[microsoft-edge]
name=microsoft-edge
baseurl=https://packages.microsoft.com/yumrepos/edge/
enabled=1
gpgcheck=1
gpgkey=https://packages.microsoft.com/keys/microsoft.asc


As you can see, Microsoft has essentially bypassed the GPG check by enabling the check, and then instead of installing a package signing key into the RPM database, like well behaved software does, they point it at a Public Key hosted on their server.



The gist of this is that it shuts up the “package is unsigned” warning that prevents tampering, but then provides no assurances that Microsoft Edge updates are actually not tampered with.



If an attacker compromises Microsoft’s server, they could replace the key, then replace Microsoft Edge with a package containing anything (or just add malware to Edge to increase the amount of time before people realized anything was wrong with the package), and it would pass the signature check because DNF would check the URL and find the attacker-modified microsoft.asc Public Key.



Additionally, by following the URL to the Microsoft Public Key block, I noticed that they are using an outdated branch of GPG as well, which dates back to 2004 and is only maintained to address CVEs.



GPG recommends migrating to the current branch (2.3.8 is the latest as of this writing), and Mullvad VPN warns its users not to use the 1.4 branch as well.



Additionally, GPG says that the 1.4 branch is not widely used, so there’s likely fewer people legitimately studying it to fix it, and more likely just attackers looking for slobs that are still using it, like Microsoft.



This should be yet another example of how much Microsoft can be trusted to “secure” your computer.



They can’t even secure their own. They had a couple of major data breaches thanks to misconfiguration of Azure recently, which even BleepingComputer covered.



I hope that if you’re considering putting Microsoft software where it doesn’t belong, on your GNU/Linux system, then witnessing their slovenly practices should give you some second thoughts.



Just this repo alone sets up your GNU/Linux system to be seriously compromised.



The point of installing GPG keys into RPM is so that when there’s a breach of the server, it doesn’t affect users that already have the program and get alerted that there’s an update. A legitimate update which updates RPM with the new GPG key would have to be signed using the old one, meaning that a chain of trust is preserved.



When you point it at a Web site, like Microsoft does, you have no idea what you’ll get.



Recent Techrights' Posts

On the Internet, Nobody Knows Microsoft and Windows Are Becoming Niche Players Until Data is Shown Correctly, Not Microsoft-Sponsored Articles in Microsoft Publishers
Microsoft controls a lot of publishers and thus it controls information
 
Gemini Links 21/08/2025: The Attraction of Back Alleys, Initramfs, and BSD ISPs
Links for the day
Links 21/08/2025: Stephanie Shirley Dies and "Groklaw Domain Hijacked?"
Links for the day
Search in 2025 (Age of DDoS Attacks Under the Guise of "AI" "Innovation")
One common concern when things go "live" is that any random bot out there can execute queries, pumping up RAM and CPU usage, as happened when we used MediaWiki and WordPress
Using Slop for Images Does Not Make Your Site Look Advanced or Witty, It Just Makes Your Whole Work Look Like Presumed Plagiarism
Lazy slobs and Serial Sloppers use the guise/excuse of "AI" to plagiarise and spam the Web
Financing of the "Hey Hi" (AI) Bubble by Those Who Profit From Planetary Destruction (Global Warming)
It's about personal gain, too
Richard Stallman Will Speak in Ethereum Cypherpunk Congress
it's good to see that the FSF pays considerable respect to it founder, who is moreover invited to speak at events
(At Least) Second Wave of Mass Layoffs in Microsoft This Month
This is not the first time this month that Microsoft has mass layoffs
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Wednesday, August 20, 2025
IRC logs for Wednesday, August 20, 2025
IBM Operatives Inside The Register MS and More Shady Money to Follow
The Register MS bites every banknote it can sink its teeth into
Slopwatch: Serial Sloppers and Slopfarms in Google News (e.g. Linux Journal and WebProNews)
Google plays an active role (if not deliberately then through utter neglect and carelessness) in plagiarism
Links 20/08/2025: Mass Surveillance Framed as "Artificial Intelligence" (All Old Things Reworded to Misframe Old Computer Issues), Europe Resists Capitulation to US(SR)
Links for the day
Gemini Links 20/08/2025: Trips and Permacomputing
Links for the day
Links 20/08/2025: Oracle Layoffs in India, "AI" Scammers/Profiteers Admit It's a "Bubble", Softbank-Saudi (Oil) Control Tech Companies
Links for the day
Social Control Networks Give You False Metrics to 'Addict' You To Them
Leaving social control media may seem hard, but the same is true for any other addiction
A Lot of What Happened in Twitter Was Bots, Botfarms, and Troll Farms. It's Even Worse Now (Under X.com) and People Are Noticing.
Last month we said the same was happening in YouTube
Microsoft May Have Become - at Least Partially - Like a Boiler Room Scam
Giving imaginary salaries using imaginary tokens based on imaginary value (with restrictions on conversion to cash)
In Vietnam, Microsoft's Search Engine "Market Share" Fell to Almost 0%, CocCoc More Than 5 Times Bigger
Why are people still investing in this company?
All That's Left of MSNBC (Microsoft-NBC) is Microsoft NOW
When plutocrats and large corporations (even deep in debt) buy all the communication channels
The Register MS, Paid to Promote "AI" Hype, Does "Sez" (Says) Pieces
every bubble-funded "news" site tries to make it a story about "AI"
Many Companies Are Run by Liars Who Ride Other People's Money
Or steal it
Before CoreAI There Was Builder.ai
GitHub isn't about "AI" (just a bunch of lies and storytelling for shareholders' patience)
Microsoft Windows in Croatia at New Lows
We've been keeping track of this trend for a while
Using the Best Tool/s for the Job: RSS Feeds and RSS Readers
Use RSS feeds. Reject those "modern" Web things
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Tuesday, August 19, 2025
IRC logs for Tuesday, August 19, 2025
Gemini Links 20/08/2025: Neovim, XML, and Alhena 5.2.9
Links for the day
Accessibility Isn't Overrated
Making things simpler typically means better accessibility
The Register's Slopfest
Remember when The Register UK (yes, UK) had better standards?
Latest Version of Windows (Vista 11) is a Failure 4 Years After Its Fake 'Leak'
Vista 11 became more scarce this month
Improving Our Archives
Our old archives are still accessed a lot. Making them better is well worth the investment.
Things One Learns as a Litigant in Person at the UK High Court
Don't fear the official manuals
Slopwatch: Lots of Fake Articles From Fake "Linux" Sites and About "Linux"
Google says it's committed to "AI" (it means slop, not AI); that seems like an excuse to dodge accountability
Links 19/08/2025: "Eavesdropping on Phone Conversations Through Vibrations" and Air Canada in Chaos
Links for the day
Gemini Links 19/08/2025: Niche Spaces and "AI Pasta Sauce"
Links for the day
Links 19/08/2025: "NASA Is Giving Up on Climate Change Science" and "Earth's Continents Are Drying Out at an Unprecedented Rate"
Links for the day
Microsoft said “GitHub and its leadership team will continue its mission as part of Microsoft’s CoreAI organisation.” But it's just an empty shell created earlier this year.
In short, it's not too clear what Microsoft has just done except dumping GitHub - i.e. mostly a Web site that loses a ton of money (it always lost money) - into some mysterious new bucket
Phil Wyett evidence & Debian Zizian plagiarism, modern slavery tendencies
Reprinted with permission from Daniel Pocock
IBM Layoffs in MCC, or Marketing, Communications and Corporate Social Responsibility (CSR)
IBM and Microsoft inflate their share price by circular financing
In Many Countries People Move Away From Vista 11
Vista 11 has been available for download for 4 years already, but adoption has been poor
Desktops/Laptops Fall to All-Time Lows in the UK, So Why Does British Media Quote a Famous Criminal on "End of the Smartphone Era"?
mobile usage (for Web access) has never been higher, based on an Irish surveyor, statCounter
The Groklaw Web Site Has Been Hijacked by Scammers
Groklaw.net isn't a safe site to access at this time
The Register MS gets Lazy, Uses Slop
Unlike 3-D renderings or "Classic" CG, slop images aren't quite original and definitely not fair use
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Monday, August 18, 2025
IRC logs for Monday, August 18, 2025
Online Safety Act Does Not Tackle the Worst (and Biggest) Culprits
if our governments are serious about tackling online harms, then they need to look closely at GAFAM and social control media giants
Chat Control (1 and 2) in the European Union Sends the Wrong Message
This is an EU law
Slopwatch: Google News and Serial Sloppers (Fake Articles About "Linux")
Calling out the culprits
Gemini Links 19/08/2025: Digital Legacy and Chat Control
Links for the day