
Commit 6d386b1

[main] Fix certificate selection for debs and fix signing validation for the new key (and all future new keys) (#2724)
1 parent 4b0df8e commit 6d386b1


3 files changed

+7
-4
lines changed


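--- a/src/arcade/src/Microsoft.DotNet.Arcade.Sdk/tools/Sign.props
+++ b/src/arcade/src/Microsoft.DotNet.Arcade.Sdk/tools/Sign.props
@@ -105,9 +105,10 @@
 <AzureLinuxRPM Include="$(ArtifactsPackagesDir)**/*-azl.*-*.rpm" />
 <FileSignInfo Include="@(AzureLinuxRPM->'%(Filename)%(Extension)')" CertificateName="LinuxSignMariner" />
 
-<!-- Explicitly use the "new" LinuxSign cert. TODO: Update the cert name to the actual name in MicroBuild once it's added. -->
-<NewKeyLinuxRPM Include="$(ArtifactsPackagesDir)**/*-newkey-*.rpm" />
-<FileSignInfo Include="@(NewKeyLinuxRPM->'%(Filename)%(Extension)')" CertificateName="LinuxSign500207PGP" />
+<!-- Explicitly use the "new" LinuxSign cert. -->
+<NewKeyLinuxPackage Include="$(ArtifactsPackagesDir)**/*-newkey-*.rpm" />
+<NewKeyLinuxPackage Include="$(ArtifactsPackagesDir)**/*-newkey-*.deb" />
+<FileSignInfo Include="@(NewKeyLinuxPackage->'%(Filename)%(Extension)')" CertificateName="LinuxSign500207PGP" />
 </ItemGroup>
 
 <!-- The name of the .NET specific certificate, which is a general replacement for Microsoft400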
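Review bot: The comment above the `NewKeyLinuxPackage` items does not say that the certificate is selected purely by the `-newkey-` token in the package file name, so a package built without that token gets no `LinuxSign500207PGP` entry here and nothing in the hunk flags that case. I would extend it to `<!-- Packages with "-newkey-" in the file name (.rpm and .deb) are signed with the new LinuxSign cert. -->`. It is also worth confirming that no file can match both `*-azl.*-*.rpm` and `*-newkey-*.rpm`, since that would produce two `FileSignInfo` entries with different certificates; the globs alone do not rule it out.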

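--- a/src/arcade/src/Microsoft.DotNet.SignTool/src/VerifySignatures.cs
+++ b/src/arcade/src/Microsoft.DotNet.SignTool/src/VerifySignatures.cs
@@ -262,7 +262,8 @@ private static void DownloadAndConfigurePublicKeys(string tempDir)
 {
 string[] keyUrls = new string[]
 {
-"https://packages.microsoft.com/keys/microsoft.asc", // Microsoft public key
+"https://packages.microsoft.com/keys/microsoft.asc", // SHA-1 Microsoft public key
+"https://packages.microsoft.com/keys/microsoft-rolling.asc", // Non-SHA1 Microsoft public keys for non-Azure Linux distributions
 "https://raw.githubusercontent.com/microsoft/azurelinux/3.0/SPECS/azurelinux-repos/MICROSOFT-RPM-GPG-KEY" // Azure linux public key
 };
 foreach (string keyUrl in keyUrls)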
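Review bot: The `keyUrls` array in `DownloadAndConfigurePublicKeys` is the trust anchor for signature validation, and the added `microsoft-rolling.asc` entry is, going by its name and the commit title, meant to pick up future keys, so the set of trusted keys is decided by whatever the URL serves at run time rather than by anything reviewed here. The download and import code is outside the hunk, so I cannot tell whether fetched keys are checked against expected fingerprints; if they are not, comparing each imported key with a pinned fingerprint list, or at least logging the imported fingerprints, would make an unexpected key visible. At minimum I would add a comment above the array such as `// Trust anchors are fetched at run time; the rolling file may gain keys without a change here.` The same list in `Utils.cs` has the same property.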

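--- a/src/arcade/src/SignCheck/Microsoft.SignCheck/Utils.cs
+++ b/src/arcade/src/SignCheck/Microsoft.SignCheck/Utils.cs
@@ -200,6 +200,7 @@ public static void DownloadAndConfigurePublicKeys(string tempDir)
 string[] keyUrls = new string[]
 {
 "https://packages.microsoft.com/keys/microsoft.asc", // Microsoft public key
+"https://packages.microsoft.com/keys/microsoft-rolling.asc", // Non-SHA1 Microsoft public keys for non-Azure Linux distributions
 "https://raw.githubusercontent.com/microsoft/azurelinux/3.0/SPECS/azurelinux-repos/MICROSOFT-RPM-GPG-KEY" // Azure linux public key
 };
 foreach (string keyUrl in keyUrls)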
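Review bot: The comment on the `microsoft.asc` entry here still reads `// Microsoft public key`, while the same entry in `VerifySignatures.cs` was changed in this commit to `// SHA-1 Microsoft public key`; I would make this line `"https://packages.microsoft.com/keys/microsoft.asc", // SHA-1 Microsoft public key` so the two copies agree. The two `keyUrls` arrays are otherwise identical and this commit had to edit both, so a single shared list would keep the verification trust set from drifting between SignTool and SignCheck. The rest of `DownloadAndConfigurePublicKeys` is outside the hunk.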
