Starting in the Spring of 2025, packages.microsoft.com is introducing a new signing key for some repositories. The existing key (BE1229CF) includes SHA1 signatures. These were commonplace when that key was created, but support for SHA1 (and keys that use it) has been deprecated in recent Linux releases. The introduction of this new signing key represents our effort to keep pace with evolving security standards, and ensure users of these new Linux releases can continue to be supported by packages.microsoft.com.

Note that this change in policy does not indicate a lack of trust in the existing key. It remains secure and trustworthy, and will continue to be used for existing repos. The packages.microsoft.com team will continue to support our customers with the highest level of security and quality. If any issues arise, do not hesitate to contact us via GitHub ( https://github.com/microsoft/linux-package-repositories/issues ).

A brief description of the keys used on packages.microsoft.com:
msopentech.asc (52E16F86FEE04B979B07E28DB02C46DF417A0893):
Microsoft Open Technologies was a wholly-owned subsidiary of Microsoft that focused on open-source technologies and support. It rejoined Microsoft in 2015. This key will not be used for newly-created repositories.

microsoft.asc (BC528686B50D79E339D3721CEB3E94ADBE1229CF):
This key was Microsoft’s standard Linux-signing key until Spring 2025, as discussed above. This key will not be used for newly-created repositories.

microsoft-2025.asc (AA86F75E427A19DD33346403EE4D7792F748182B):
This is the current standard Linux-signing key that will be used in newly-created repositories. It will work properly in distributions that disallow SHA1 signatures.

microsoft-rolling.asc:
This is currently a copy of microsoft-2025.asc. The intention is that this file will be updated in the future to include new keys as they are created and begin being used.

(not linked), Mariner / Azure Linux’s key (2BC94FFF7015A5F28F1537AD0CD9FED33135CE90):
Packages in Mariner / Azure Linux repositories are signed by a key unique to that distribution. It is not linked in the /keys/ directory, but rather is installed by default on those systems.