fix(ubuntu): resolve GPG signature verification failure for Microsoft Edge on Ubuntu 26.04

[Matt17BR]

This is (I assume) a temporary fix to allow installation of Intune for early adopters of Ubuntu 26.04 LTS.

On Ubuntu 26.04 (resolute), the script correctly identifies that the primary Microsoft production/insiders repositories have transitioned to the new 2025 GPG key (microsoft-2025.asc). However, the Microsoft Edge repository (/repos/edge) currently still requires the legacy GPG key (microsoft.asc).

In the previous implementation, the script would overwrite the microsoft.gpg keyring with the 2025 key on Ubuntu 26.04, which then caused apt update to fail for the Edge repository with the following error:

W: OpenPGP signature verification failed: https://packages.microsoft.com/repos/edge stable InRelease: The following signatures couldn't be verified because the
     public key is not available: NO_PUBKEY EB3E94ADBE1229CF
E: The repository 'https://packages.microsoft.com/repos/edge stable InRelease' is not signed.

Changes

• Introduced a separate microsoft-legacy.gpg keyring for Ubuntu 26.04+.
• The primary repository (Portal/Agent) continues to use the 2025 key in microsoft.gpg.
• The Microsoft Edge repository is specifically configured to use the legacy keyring, matching the existing behavior in the RHEL/DNF section of the script.

Testing

• Verified on an install of Ubuntu 26.04 that upgraded from Ubuntu 24.04; for fresh installs, at the moment, it is necessary to also enable the 24.04 Noble repo (to resolve microsoft-identity-broker and openjdk as deps)
• Confirmed that apt update succeeds for both repositories.
• Confirmed successful installation of both microsoft-edge-stable and intune-portal.
• Device enrollment also works without frills following installation. ---

This fixes #259

[Berndserk]

Hey, thx for the patch. I downloaded and tried it in a prestine ubuntu26.04 VM, edge installs fine but intune portal fails complaining about dependencies.
The following packages have unmet dependencies:
intune-portal : Depends: microsoft-identity-broker (>= 2.0.1) but it is not installable
Depends: openjdk-11-jre (>= 11) but it is not going to be installed
E: Unable to satisfy dependencies. Reached two conflicting assignments:

1. intune-portal:amd64=1.2603.37-resolute is selected for install
2. intune-portal:amd64 Depends microsoft-identity-broker (>= 2.0.1)
   but none of the choices are installable:
   [no choices]

attached you find the complete installer log

intune-installer-log.zip

[Matt17BR]

@Berndserk What you're running into is actually a repository issue on Microsoft's end. They have published the main intune-portal package to the 26.04 repo, but they haven't finished populating the 26.04 package catalog with its required background dependencies like microsoft-identity-broker and their build of OpenJDK. Because they aren't in the index yet, apt treats them as uninstallable.

Until Microsoft gets their 26.04 repository fully synced, the easiest workaround is to temporarily add the Ubuntu 24.04 (Noble) repository alongside it just to pull in those missing dependencies. The 24.04 identity broker works perfectly on 26.04.

You can run this to get it working:

# 1. Add the 24.04 (Noble) repo as a temporary workaround for dependencies
echo "deb [arch=amd64 signed-by=/usr/share/keyrings/microsoft-archive-keyring.gpg] https://packages.microsoft.com/ubuntu/24.04/prod noble main" | sudo tee /etc/apt/sources.list.d/microsoft-noble-workaround.list

# 2. Update the package lists
sudo apt update

# 3. Install the portal (it will pull the broker from Noble and the portal from Resolute)
sudo apt install intune-portal

[Berndserk]

OK got it, but now i seem to lack the proper keys for 24.04 :-D
Warning: OpenPGP signature verification failed: https://packages.microsoft.com/ubuntu/24.04/prod noble InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY EB3E94ADBE1229CF
Error: The repository 'https://packages.microsoft.com/ubuntu/24.04/prod noble InRelease' is not signed.

[Matt17BR]

Right now the install script if it detects that you have 26.04 only gets you to pull the "new" signing key for packages intended for 26.04. So you'll need to curl -sSL https://packages.microsoft.com/keys/microsoft.asc | sudo gpg --dearmor -o /usr/share/keyrings/microsoft-archive-keyring.gpg && sudo apt update to also get the previous signing key

[Berndserk]

Awesome thanks, that worked, one issue less.
Now intune enrols my device.
Unfortuantely it seems that the intune portal is not able to handle the new authd and fails on the basic password politcy, but this is another topic!
thx for the support

[CKunze-MSFT]

@copilot resolve the merge conflicts in this pull request