From 6588558ebe0edf853c6509e0583d5e9c35ab9602 Mon Sep 17 00:00:00 2001 From: Matthew John Cheetham Date: Wed, 1 Jul 2026 09:41:24 +0100 Subject: [PATCH 1/2] fixup! azure-pipelines: add ESRP code signing We have been using an inappropriate key for our Debian package signing; let's use a more appropriate one. Signed-off-by: Matthew John Cheetham Signed-off-by: Johannes Schindelin --- .azure-pipelines/release.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.azure-pipelines/release.yml b/.azure-pipelines/release.yml index 5f0e3d7f563c48..da06337801a344 100644 --- a/.azure-pipelines/release.yml +++ b/.azure-pipelines/release.yml @@ -1179,13 +1179,13 @@ extends: version: '8.x' - template: .azure-pipelines/esrp/sign.yml@self parameters: - displayName: 'Example sign Debian package' + displayName: 'Sign Debian package' folderPath: '$(Build.ArtifactStagingDirectory)/app' pattern: '**/*.deb' inlineOperation: | [ { - "KeyCode": "CP-453387-Pgp", + "KeyCode": "CP-500207-Pgp", "OperationCode": "LinuxSign", "ToolName": "sign", "ToolVersion": "1.0", From 7d6751f58dc89daaca1d040ee40b6ec679502006 Mon Sep 17 00:00:00 2001 From: Johannes Schindelin Date: Wed, 1 Jul 2026 11:38:48 +0200 Subject: [PATCH 2/2] fixup! Adjust README.md for microsoft/git Since switching to ESRP, Microsoft Git's Linux packages use a different GPG key to sign the packages. Let's adjust the instructions how to verify the package signatures. Signed-off-by: Johannes Schindelin --- README.md | 30 +++++++++++++----------------- 1 file changed, 13 insertions(+), 17 deletions(-) diff --git a/README.md b/README.md index ce4a0e199310dc..3e0fa1516b879c 100644 --- a/README.md +++ b/README.md @@ -122,44 +122,40 @@ To download and validate the signature of this package, run the following: sudo apt-get install -y curl debsig-verify # Download public key signature file -curl -s https://api.github.com/repos/microsoft/git/releases/latest \ -| grep -E 'browser_download_url.*msft-git-public.asc' \ -| cut -d : -f 2,3 \ -| tr -d \" \ -| xargs -I 'url' curl -L -o msft-git-public.asc 'url' +curl -Os https://packages.microsoft.com/keys/microsoft-2025.asc # De-armor public key signature file -gpg --output msft-git-public.gpg --dearmor msft-git-public.asc +gpg --output microsoft-2025.gpg --dearmor microsoft-2025.asc -# Note that the fingerprint of this key is "B8F12E25441124E1", which you can +# Note that the fingerprint of this key is "EE4D7792F748182B", which you can # determine by running: -gpg --show-keys msft-git-public.asc | head -n 2 | tail -n 1 | tail -c 17 +gpg --show-keys microsoft-2025.asc | head -n 2 | tail -n 1 | tail -c 17 # Copy de-armored public key to debsig keyring folder -sudo mkdir /usr/share/debsig/keyrings/B8F12E25441124E1 -sudo mv msft-git-public.gpg /usr/share/debsig/keyrings/B8F12E25441124E1/ +sudo mkdir /usr/share/debsig/keyrings/EE4D7792F748182B +sudo mv microsoft-2025.gpg /usr/share/debsig/keyrings/EE4D7792F748182B/ # Create an appropriate policy file -sudo mkdir /etc/debsig/policies/B8F12E25441124E1 +sudo mkdir /etc/debsig/policies/EE4D7792F748182B cat > generic.pol << EOL - + - + - + EOL -sudo mv generic.pol /etc/debsig/policies/B8F12E25441124E1/generic.pol +sudo mv generic.pol /etc/debsig/policies/EE4D7792F748182B/generic.pol -# Download Debian package +# Download Debian package (substitute `amd64` with `arm64` on ARM machines) curl -s https://api.github.com/repos/microsoft/git/releases/latest \ -| grep "browser_download_url.*deb" \ +| grep "browser_download_url.*amd64.deb" \ | cut -d : -f 2,3 \ | tr -d \" \ | xargs -I 'url' curl -L -o msft-git.deb 'url'