Bonum Certa Men Certa
IRC Proceedings: Friday, October 21, 2022 | OpenSource.com is Compromised, Leveraged to Promote Windows and Microsoft Vendor Lock-in Instead of Open Source

Microsoft Edge for “Linux” Uses Outdated GPG and Then Configures it to Silence Your Distribution’s Package Security Checks

Reprinted with permission from Ryan

Previously: Bruce Schneier: Microsoft Edge is Apparently a Password Stealer Too, Even on GNU/Linux

Microsoft Edge for “Linux” uses outdated GPG and then configures it to silence your distribution’s package security checks.



I got bored today and decided to look at the RPM package for Microsoft Edge for “Linux”.



If you installed it, it will add a microsoft-edge.repo file in etc/yum.repos.d with the following:



[microsoft-edge]
name=microsoft-edge
baseurl=https://packages.microsoft.com/yumrepos/edge/
enabled=1
gpgcheck=1
gpgkey=https://packages.microsoft.com/keys/microsoft.asc


As you can see, Microsoft has essentially bypassed the GPG check by enabling the check, and then instead of installing a package signing key into the RPM database, like well behaved software does, they point it at a Public Key hosted on their server.



The gist of this is that it shuts up the “package is unsigned” warning that prevents tampering, but then provides no assurances that Microsoft Edge updates are actually not tampered with.



If an attacker compromises Microsoft’s server, they could replace the key, then replace Microsoft Edge with a package containing anything (or just add malware to Edge to increase the amount of time before people realized anything was wrong with the package), and it would pass the signature check because DNF would check the URL and find the attacker-modified microsoft.asc Public Key.



Additionally, by following the URL to the Microsoft Public Key block, I noticed that they are using an outdated branch of GPG as well, which dates back to 2004 and is only maintained to address CVEs.



GPG recommends migrating to the current branch (2.3.8 is the latest as of this writing), and Mullvad VPN warns its users not to use the 1.4 branch as well.



Additionally, GPG says that the 1.4 branch is not widely used, so there’s likely fewer people legitimately studying it to fix it, and more likely just attackers looking for slobs that are still using it, like Microsoft.



This should be yet another example of how much Microsoft can be trusted to “secure” your computer.



They can’t even secure their own. They had a couple of major data breaches thanks to misconfiguration of Azure recently, which even BleepingComputer covered.



I hope that if you’re considering putting Microsoft software where it doesn’t belong, on your GNU/Linux system, then witnessing their slovenly practices should give you some second thoughts.



Just this repo alone sets up your GNU/Linux system to be seriously compromised.



The point of installing GPG keys into RPM is so that when there’s a breach of the server, it doesn’t affect users that already have the program and get alerted that there’s an update. A legitimate update which updates RPM with the new GPG key would have to be signed using the old one, meaning that a chain of trust is preserved.



When you point it at a Web site, like Microsoft does, you have no idea what you’ll get.



IRC Proceedings: Friday, October 21, 2022 | OpenSource.com is Compromised, Leveraged to Promote Windows and Microsoft Vendor Lock-in Instead of Open Source

Recent Techrights' Posts

Hard to Find a Job After Working for Microsoft (Back Doors Giant, Bribery Hub)
It generally looks like people who chose to serve Microsoft's agenda don't end up too well
Altering Perceived Reality to Make It Seem Like Microsoft is Thriving, Not Failing
pretend XBox did not die
Confluent Insiders: IBM Laid Off Over 800 at Confluent, Not Just 800
For the record, the layoffs at Confluent won't be over. After the bluewashing there will be "IBM RAs" impacting Confluent folks, aside from PIPs
Where and How to Spot LLM Slop
Many people correctly perceive LLMs as a site's downfall, a step towards the abyss
Links 25/03/2026: Nations Return to Russian Oil and Burning Wood
Links for the day
 
The World Wide Bots
The shape of the Web is so bad that bots exceed humans in some places
Links 26/03/2026: Solicitors Regulation Authority (SRA) Closes 101 Law Firms in 2 Years, "Please Compensate the Work You Appreciate"
Links for the day
Regaining Software Freedom Means Regaining Control Over Programs That Run on Our Devices
Richard Stallman will speak in Italy
Microsoft Secure Boot Removes Users' Choice
Has Greenland banned Microsoft and 'secure' boot yet?
IBM Pushes Workers Out, It Does Not Count Them as "Layoffs"
The number of IBM layoffs can be as large as tens of thousands per year
Microsoft Lost 31% Of Its Alleged "Value" in Five Months, Then It Got Downgraded
In 2026 Microsoft focuses on keeping the layoffs silent
SLAPP Censorship - Part 24 Out of 200: The Failed Effort by Brett Wilson LLP to Strike Out My Lawsuit and My Wife's Lawsuit Against Garrett (the Master Allowed Our Lawsuits to Proceed)
This is lawfare
Official New Figures Show That Solicitors Regulation Authority (SRA) Sees Rise in Dishonesty Among Law Firms Forcibly Shut Down ('Euthanised' Due to Misconduct)
It's rather if in our little country as many as 16 law firms were found to be so dishonest that they needed to be shut down
Back to Normalcy
In our datacentre at least
IBM is "Increasing Its Temporary and Part-time Headcount" While Net Headcount Falls (Despite Buying Many Companies and Their Workforce)
Headcount is a rather superficial yardstick.
EPO Union Decides to Continue Industrial Actions, Next Strike in Four Days
The latest strike had the highest participation rate
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Wednesday, March 25, 2026
IRC logs for Wednesday, March 25, 2026
Microsoft's "Silent Layoffs" in Slop Clothing
"AI-powered transformation" is just a euphemism for mass layoffs
Public Talk by Richard Stallman in Half a Day "at the Engineering and Architecture Campus of Cesena of the University of Bologna"
He'll probably attract a fairly large crowd
Gemini Links 26/03/2026: Buying a House, Stargazing, OFFLFIRSOCH 2026
Links for the day
Gemini Links 25/03/2026: Resisting Authoritarianism and Why Slop Needs to Go Away
Links for the day
Fedora Maintainer-ship Using Slop (Mistakes) Would Make Fedora Less Reliable
It won't produce reliable code or stable systems one can rely upon
IBM's "Legacy Employees" (Experienced Workers, IBM Management Dubs Them 'Dinobabies')
This notion of "legacy employees" seems like something overlapping with "expensive" (well paid) staff, even if not entirely equivalent
EPO's "Current Industrial Actions Are Likely to Intensify Further."
There is another strike in 5 days
This Morning The Register MS Published Slop Promotion With the Term "AI" 15 Times In It. The Register MS Was (As Usual) Paid to Do This
This is not a serious publisher
SLAPP Censorship - Part 23 Out of 200: We Were Right All Along (for 2 Years) About Third Party Funding and Willingness to 'Break the Bank' in Pursuit of "Revenge"
How much damage can a person do to oneself in pursuit of cover-up of legitimate technical concerns?
Gnome Foundation Inc is in Trouble
the agenda is set GAFAM and IBM rather than donors
Links 25/03/2026: Airports Further Militarised, "Slopification and Its Discontents", Microsoft 'Open' 'Hey Hi' Shutting Things Down
Links for the day
Gemini Links 25/03/2026: Blogging Fright and Absolutely Useless 'Apps' Made by Slop Machines
Links for the day
Rise in Energy Prices Will Significantly Accelerate the Death of So-called "AI Companies"
It should be noted that fake news about Microsoft OpenAI doubling workforce (mere words, not actions) can serve as a nice distraction from the death of Sora due to divestment
It's Always a Question of Trust
There's a widespread stigma of lawyers being manipulative and chronically dishonest
Solicitors Regulation Authority (SRA) Must More Carefully Investigate or Assess the Financial State of Law Firms in the UK
We'll cover this in depth in the future
GAFAM Mozilla Removes Theora Support, Now GNU Needs to Re-encode Videos
Mozilla used to mean something to Free software advocates
An Open Admission Profits Depend on Addiction
Proprietary software tends to be like this
IBM Americas President Ayman Antoun Comes to OpenText, Weeks Ahead the Mass Layoffs Begin
Is that what IBM will be good at?
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Tuesday, March 24, 2026
IRC logs for Tuesday, March 24, 2026
SLAPP Censorship - Part 22 Out of 200: When You Complain People Impersonate You in IRC (But You Yourself Impersonate People in IRC and Lock Them Out of Their IRC Handles)
We'll cover this with direct evidence some time soon
Gemini Links 24/03/2026: Junk Drawer Time Capsule and Building Outside Alire
Links for the day
Not Much LLM Slop About "Linux" Lately, It Only Ever Comes From the Same Few Sites
As long as only few such sites use LLM slop we can skip and avoid them
Links 24/03/2026: "Epic Lays Off Over 1000 Employees" and US in Financial Trouble According to the Fed
Links for the day
The "Media" Does Not Only 'Miss' Mass Layoffs
"The Treasury just declared the U.S. insolvent. The media missed it"
The Empty Suits of IBM Managers (NIH or "Nothing Invented Here")
IBM's management adopted the business model of parasites
2012: 'Secure' (Microsoft-Controlled) Boot Has Not (Yet) Been Made Obligatory. 2026: systemd Has Not Implemented Age Verification
should we stop calling "nazi" everyone we don't agree with?
More Threats (Including Physical Threats) Against Us Are a Dumb Move
It's like a "hit list" (targets list) and I shall keep the police duly informed
New Example of Pentagon in "Feminist" Clothing Inside Fake News of Publishers Paid to Promote Outsourcing to US ("Clown Computing") and American Slop
Google now pays money to promote Google as a friend of women
Hating Techrights is a Career
but is it good for civil society?
Dr. Stallman’s Work Will Never be Considered 'Mainstream' Because He Rejects and Works Against the So-called 'Mainstream'
Try to be more like Stallman
The New Layoffs: 'Silent Layoffs', 'Secret Layoffs', 'Quiet Layoffs', 'Passive Layoffs' 'Stealth Layoffs', and Unannounced Layoffs Disguised as Return-to-Office (RTO Mandates)
The US needs to revisit and fix the WARN Act
EPO "Cocaine Communication Manager" - Part IX - Cocaine Addicts in Charge of the EPO Attacking Families of EPO Staff
Things like being high-profile and being a serious drug addict aren't opposites
What Feminism in Science Means (Codes of Conduct Don't Tackle the Real Issues)
Universality matters, more so in a project or community that's said to build the "universal operating system" (Debian)
SLAPP Censorship - Part 21 Out of 200: It's About Behaviour Online, Not How Much Money From Shadowy Third Parties Gets Spent on Lawyers and Two Barristers
75+ KG of legal papers, 2 cases, 2 barristers (one hiding in the metadata) and maybe two law firms (also hiding in the metadata) against two modest people in Manchester seems disproportionate and vindicative
Links 24/03/2026: "Airports on ICE" and "Have You Paid Your “Intuit Tax”?"
Links for the day
Gemini Links 24/03/2026: Slop Interview and Why Slop Makes Lousy Code
Links for the day
Richard Stallman to Give Public Talk This Thursday at the University of Bologna (Italy)
Hardly the first time he speaks in Bologna
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Monday, March 23, 2026
IRC logs for Monday, March 23, 2026