Currently, SignCheck downloads GPG public keys from remote URLs at runtime during signature verification (Utils.DownloadAndConfigurePublicKeys):
- https://packages.microsoft.com/keys/microsoft.asc
- https://packages.microsoft.com/keys/microsoft-2025.asc
- https://packages.microsoft.com/keys/microsoft-rolling.asc
- https://raw.githubusercontent.com/microsoft/azurelinux/3.0/SPECS/azurelinux-repos/MICROSOFT-RPM-GPG-KEY
- https://dot.net/release-key-2023
These keys are stable and not expected to change. Checking them into the repo and embedding them as resources in the SignCheck package would:
- Remove the runtime network dependency, making SignCheck more reliable in air-gapped or network-restricted environments
- Avoid potential failures if a key URL changes or becomes temporarily unavailable
- Make it explicit which keys are trusted for verification
Raised in #16574 (comment).
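One way the proposed change could look, as an added illustration rather than SignCheck's own code: the five keys are checked in under a `Keys/` folder and embedded with `<EmbeddedResource Include="Keys\*" />`, and at verification time they are imported from the assembly into an isolated `GNUPGHOME` instead of being fetched over the network. The resource names and the `EmbeddedKeyring` class are assumptions for this example.

```csharp
// Added example (not SignCheck's code): import GPG public keys that are embedded
// in the assembly, so verification has no runtime network dependency and the
// trusted key set is exactly the checked-in files.
using System;
using System.Diagnostics;
using System.IO;
using System.Reflection;

static class EmbeddedKeyring
{
    // Hypothetical resource names; they follow the default
    // <RootNamespace>.<folder>.<file> naming for embedded resources.
    static readonly string[] KeyResources =
    {
        "SignCheck.Keys.microsoft.asc",
        "SignCheck.Keys.microsoft-2025.asc",
        "SignCheck.Keys.microsoft-rolling.asc",
        "SignCheck.Keys.MICROSOFT-RPM-GPG-KEY",
        "SignCheck.Keys.release-key-2023",
    };

    // Writes each embedded key into a fresh GNUPGHOME and imports it with gpg.
    // Returns the GNUPGHOME path so later `gpg --verify` calls use only these keys.
    public static string ConfigurePublicKeys()
    {
        string gnupgHome = Path.Combine(Path.GetTempPath(), "signcheck-gpg-" + Guid.NewGuid().ToString("N"));
        Directory.CreateDirectory(gnupgHome);
        Assembly asm = Assembly.GetExecutingAssembly();
        foreach (string name in KeyResources)
        {
            // A missing resource is a build error, not something to silently skip.
            using Stream s = asm.GetManifestResourceStream(name)
                ?? throw new InvalidOperationException($"Embedded key resource '{name}' not found");
            string keyPath = Path.Combine(gnupgHome, name + ".asc");
            using (FileStream f = File.Create(keyPath)) s.CopyTo(f);
            RunGpg(gnupgHome, $"--batch --import \"{keyPath}\"");
        }
        return gnupgHome;
    }

    static void RunGpg(string gnupgHome, string args)
    {
        var psi = new ProcessStartInfo("gpg", args) { RedirectStandardError = true, UseShellExecute = false };
        psi.Environment["GNUPGHOME"] = gnupgHome;   // isolate from the user's default keyring
        using Process p = Process.Start(psi) ?? throw new InvalidOperationException("gpg not found");
        string err = p.StandardError.ReadToEnd();
        p.WaitForExit();
        if (p.ExitCode != 0) throw new InvalidOperationException($"gpg {args} failed: {err}");
    }
}
```

Because the keyring is built only from embedded resources, a key URL that changes or goes offline cannot affect verification, and the set of trusted keys is visible in source control.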