Microsoft Edge for “Linux” Uses Outdated GPG and Then Configures it to Silence Your Distribution’s Package Security Checks

Guest Editorial Team

2022-10-22 12:07:30 UTC
Modified: 2022-10-22 12:07:30 UTC

Reprinted with permission from Ryan

Previously: Bruce Schneier: Microsoft Edge is Apparently a Password Stealer Too, Even on GNU/Linux

Microsoft Edge for “Linux” uses outdated GPG and then configures it to silence your distribution’s package security checks.

I got bored today and decided to look at the RPM package for Microsoft Edge for “Linux”.

If you installed it, it will add a microsoft-edge.repo file in etc/yum.repos.d with the following:

[microsoft-edge]
name=microsoft-edge
baseurl=https://packages.microsoft.com/yumrepos/edge/
enabled=1
gpgcheck=1
gpgkey=https://packages.microsoft.com/keys/microsoft.asc

As you can see, Microsoft has essentially bypassed the GPG check by enabling the check, and then instead of installing a package signing key into the RPM database, like well behaved software does, they point it at a Public Key hosted on their server.

The gist of this is that it shuts up the “package is unsigned” warning that prevents tampering, but then provides no assurances that Microsoft Edge updates are actually not tampered with.

If an attacker compromises Microsoft’s server, they could replace the key, then replace Microsoft Edge with a package containing anything (or just add malware to Edge to increase the amount of time before people realized anything was wrong with the package), and it would pass the signature check because DNF would check the URL and find the attacker-modified microsoft.asc Public Key.

Additionally, by following the URL to the Microsoft Public Key block, I noticed that they are using an outdated branch of GPG as well, which dates back to 2004 and is only maintained to address CVEs.

GPG recommends migrating to the current branch (2.3.8 is the latest as of this writing), and Mullvad VPN warns its users not to use the 1.4 branch as well.

Additionally, GPG says that the 1.4 branch is not widely used, so there’s likely fewer people legitimately studying it to fix it, and more likely just attackers looking for slobs that are still using it, like Microsoft.

This should be yet another example of how much Microsoft can be trusted to “secure” your computer.

They can’t even secure their own. They had a couple of major data breaches thanks to misconfiguration of Azure recently, which even BleepingComputer covered.

I hope that if you’re considering putting Microsoft software where it doesn’t belong, on your GNU/Linux system, then witnessing their slovenly practices should give you some second thoughts.

Just this repo alone sets up your GNU/Linux system to be seriously compromised.

The point of installing GPG keys into RPM is so that when there’s a breach of the server, it doesn’t affect users that already have the program and get alerted that there’s an update. A legitimate update which updates RPM with the new GPG key would have to be signed using the old one, meaning that a chain of trust is preserved.

When you point it at a Web site, like Microsoft does, you have no idea what you’ll get. ⬆

IBM: We Can't Make 'AI' (Voice Recognition) Do the Work of a McDonald's Teenager, So Let's Try the Same on Saudi Planes: IBM is lost. It's truly lost.
The General Public License (GPL) Inspired the Web's Original Openness/Freedom, According to Tim Berners-Lee: "During the preceding year I had been trying to get CERN to release the intellectual property rights to the Web code under the General Public License (GPL) so that others could use it."
The Real Problem With Rust is Not "Wokeness" (It Never Was): Don't feed the trolls who attack "Rust People" on political grounds
Why?: Why write articles?
Microsoft-Connected Publisher Spinning XBox's Death Spiral (It's Dying Fast) as a Strength and Something Deliberate: "Microsoft’s big gaming pivot"
Slop is Rare by Now: A year ago slop was so abundant that we did a whole series about it, and it was daily
Links 21/12/2025: U.S. Strikes in Syria, "Epstein Files Photos Disappear From Government Website": Links for the day
Gemini Links 21/12/2025: Labrador Retriever of Lagrange's Developer Dies From Cancer, Political Philosophy, and "Getting to Inbox Zero": Links for the day
Microsoft is Becoming Irrelevant: The Case of Georgia: Not Georgia Tech
Sirius Open Source is Now Imminently Dead (Struck Off): compulsory strike-off
Dr. Richard Stallman, Invited by LibreTech Collective, is Giving a Public Talk in Georgia Tech Next Month (Scheller College of Business): They can probably squeeze about 400 people into this room
25 Years of Activism for GNU/Linux: My passion for GNU/Linux brought a lot of contentment
Africa, Where Microsoft Used De Facto Slaves to Pretend to be "AI", Chatbots Usage is 0.2% of Measured Online Traffic: Judging by recent trends in Africa, many "Windows PCs" are being converted into GNU/Linux computers
New Drone Footage Shows IBM is Dead (Parts of It): The people who participated in IBM when IBM actually mattered probably have boasting rights, unlike people who work for IBM today
Michael Larabel Adds Slop Category to Phoronix, Quickly Realises That It's Worthless: Phoronix nowadays gets carried away; it made a new category to talk about slop and it decided to call it "intelligence" with some caricature of a brain (that's misleading)Phoronix nowadays gets carried away; it made a new category to talk about slop and it decided to call it "intelligence" with some caricature of a brain (that's misleading)
After 35 Years the World Wide Web, HTML, and HTTP Are Proprietary: HTTP/2 added a lot of complexity (it's just a Google protocol, based on SPDY originally), many image formats are proprietary and patented, HTML got 'replaced' by Java-Scripts [sic], and many URLs (the URL system was created in the early 90s) are just long strings for proprietary 'webapps'
Over at Tux Machines...: GNU/Linux news for the past day
IRC Proceedings: Saturday, December 20, 2025: IRC logs for Saturday, December 20, 2025
The Register MS Has Lowered Its Standards Considerably: Incidentally, we've only just noticed that "US editor for The Register since July 2025" has not been active for 4 weeks already
Scamfarms, Spamfarms, and Slopfarms in "Linux" Clothing: Today, Linux searches in Google News produced no slop at all. That's an improvement.
Did Bill Gates Lobby to Blur the Face of the Young Woman He Openly Braces (and Who Isn't His Wife)?: "This photo of of Microsoft co-founder Bill Gates with a woman whose face is blurred out is just one of 68 more photos and documents released today."
Links 20/12/2025: Microsoft Ruins Televisions, 'Epstein Files' Deeply Sanitised (to Protect Particular Culprits): Links for the day
Gemini Links 20/12/2025: Merry Christmas 2025 and Running a Factorio Headless Server on FreeBSD with the Linuxulato: Links for the day
With 10 Days Left, the Free Software Foundation (FSF) Has Already Raised Close to $300,000 This Winter: they're besieged by despicable corporations and very despicable people
2025 in Numbers: What was very good about this year is that we truly got "into the rhythm" of publishing
More Microsoft Layoffs Coming Soon: When I spoke about Microsoft layoffs (routinely) I got very viciously attacked by Microsoft boosters
My Humble Assessment of the Future of Red Hat, A Company That IBM is Flushing Down the Loo: GNU/Linux will be OK without Red Hat, but shaping the future of it matters because we don't want companies like Valve (DRM) to set the agenda
Probably the Least Useful Gadgets, Ever: as if a "smart" thing worn on the wrist is the "new Rolex"
Former Manager at IBM Research (Yorktown) Says Why IBM is Doomed and the Anonymous Tipline (Speak Up) is a Trap: IBM isn't willing to change or to address internal issues
Links 20/12/2025: Fentanylware Becomes CheeTok and "Why Roomba Died": Links for the day
Linux Foundation: Richard Stallman Developed Only a Software Licence: We already criticised this report several times last night
Impulsive Writing, Quotas, and Keeping Things as Concise as Feasible: A 10-word sentence being read by a million people can have the same impact or magnitude (exposure-wise) as a million-word book being read by just 10 people
Gemini Links 20/12/2025: Christmas Songs, Storms, and Old Web: Links for the day
Coming to Grips With a Lack of Future at IBM: Red Hat's future doesn't look bright under the auspices as they seem right now
Over at Tux Machines...: GNU/Linux news for the past day
IRC Proceedings: Friday, December 19, 2025: IRC logs for Friday, December 19, 2025
Links 20/12/2025: Media Layoffs, a Third of Online Traffic is Bots: Links for the day
Barbados: Significant Gains for GNU/Linux: over 5% if one counts ChromeOS as well
Very Shallow LLM Slop for IBM Disguised as Journalism About a "Plan to Train 5 Million Learners in India by 2030" (Unverified Figures With Very Distant Future Date/Year): The Web has become somewhat of a laughing stock
'Linux' Foundation: The Foundation Has Almost Nothing to Do With Linux, It Just Misuses the Name "Linux": Only a tiny portion of the Foundation's budget actually goes to Linux
Austria vs GAFAM: another win against GAFAM
Microsoft Has Purchased Another Linux Foundation Seat: From the latest (new) report
No Electronics, No Clocks, No Phones: We're meant to think that more gadgets will make life easier
Gemini Links 19/12/2025: Great Website Rebuild of 2025 and Running OpenBSD in a Hostile Environment: Links for the day
Google News Helps Slopfarms (What's Left of Them): Lately we've noticed that nothing in the RSS feeds we follow is burping out slop
Links 19/12/2025: Privacy International's Reports and Russian Assets in EU: Links for the day
Today, The Register MS is Parroting Marketing Spam for Ponzi Scheme ("AI") in Exchange for Money: The Register MS should be held accountable when the bubble pops
Red Hat Senior Engineering Manager Leaves (or Gets Pushed Out by IBM) After Nearly 20 Years at the Company: The recent massive wave of IBM layoffs impacted Red Hat and so will the next (impending, Q1) wave
Why We Got Told by Insiders That Almost Everyone at EPO Reads Techrights and Many at IBM Track IBM RAs Via Techrights: In a nutshell, we cover topics almost no other site dares touch
IBM Research Shutting Down Labs, Lots of Workers Laid Off (Even Days Before Christmas in Devout Catholic Country): Heartless, soulless company
Links 19/12/2025: Windows TCO in NHS, "Locked Out of Apple Account Due to Gift Card": Links for the day
Nearly Three Months Have Passed Since EPO Cocainegate and the EPO's Management Still Refuses to Talk About It: But it's clearly aware of it
Richard Stallman Explains Why Software Patents Are Really Bad and Very Much Unnecessary: "The relationship between patents and products varies between the fields"
The Copycats of the FSF Have Serious Problems: If you care about Software Freedom, then support the real thing
Once Again, Just in Time for Christmas, UEFI and Its Boot System Turn Out to be a Giant Bug Door (Also a Microsoft Remote Kill Switch): This industry - even academia - has been deeply compromised
In Activism and Journalism, If You're Ineffective They Ignore You, When You Become Effective They Stalk and Harass You, Failing That They Threaten You: "the Wikileaks effect"
Google Has Begun Linking to commandlinux.com in Google News, But It Seems to be a Slopfarm: This is not innovation, it's sloppiness, laziness, and a modern form of plagiarism
Microsoft Reportedly Tries to Cause Top-Level Managers to Resign If they Don't Participate in the Ponzi Scheme: Apparently even executives who don't play along are given marching orders
Microsoft, Over 120 Billion Dollars in Debt, Prepares Next Round of Mass Layoffs (After Christmas): Microsoft is not managing to pay back its debt
Links 19/12/2025: Scam Altman Humiliates Self in Public, Climate Alarm Sounded, Egyptian Economist Convicted Over "Social Control Media Posts Critical of the Government": Links for the day
You Can Get Work Done With Lean Software: obviously!
"The War on Privacy" is Real: "He Built a Privacy Tool. Now He’s Going to Prison."
The Cost of Being Influential: The "tech world" and its monopoly enforcer (patent system) are sleepwalking into autocracy
More Shutdowns and Layoffs at IBM: if someone covers correct but suppressed information, then people will make an effort to find it
Over at Tux Machines...: GNU/Linux news for the past day
IRC Proceedings: Thursday, December 18, 2025: IRC logs for Thursday, December 18, 2025
EPO Violates Laws to Profit More From Invalid Patents, Then Cuts the Budget Allocated to Staff: taking away what was already promised to staff
Only a Few Examples of LLM Slop Found, Mostly via Google News: Is it fair to say that sites learned LLM slop does not offer any real value?

Microsoft Edge for “Linux” Uses Outdated GPG and Then Configures it to Silence Your Distribution’s Package Security Checks

Recent Techrights' Posts