Description
Describe the bug
When following the documentation for setting up the development environment using Dev Containers in VSCode, the container build fails at step 3 (Reopen in container) with a GPG signature verification error.
The build fails when attempting to install packages from the Microsoft repository because the signing key uses SHA1, which is now rejected by APT's security policy as of February 1, 2026.
Steps/Code to Reproduce
- Clone the PyRIT repository
- Open the repository in VSCode
- Follow the contributor documentation to set up Dev Containers
- Click "Reopen in Container" when prompted
- Observe the build failure
Error Message
Signing key on BC52[...]229CF is rejected:
No binding signature at time 2026-02-03T08:51:16Z
Policy rejected non-revocation signature (PositiveCertification)
requiring second pre-image resistance because: SHA1 is not considered
secure since 2026-02-01T00:00:00Z

The build fails when trying to update package lists from packages.microsoft.com due to the outdated GPG signing key.
Expected Results
The Dev Container should build successfully and allow contributors to start development.
Actual Results
The Docker build fails with a GPG signature verification error, preventing the container from being created.
Root Cause
The Microsoft package repository signing key uses SHA1 hashing, which Debian/APT now considers insecure as of February 1, 2026. The security policy has been tightened, causing the signature to be rejected.
Versions
- OS: Mac
- Python version: 3.10.11
- PyRIT version: 0.10.1.dev0
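
An added diagnostic example, not part of the original report or of PyRIT: it parses the text printed by `gpg --list-packets` for a repository key and lists the non-revocation signatures made with a weak digest such as SHA1, the condition named in the error message above. The sample listing, key IDs and function names are constructed for illustration, and the check ignores the policy's cutoff date.

```python
import re

# OpenPGP hash algorithm IDs and signature classes (RFC 4880).
HASHES = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256", 9: "SHA384", 10: "SHA512"}
WEAK_HASHES = {1, 2, 3}
SIG_CLASSES = {0x10: "GenericCertification", 0x13: "PositiveCertification",
               0x18: "SubkeyBinding", 0x20: "KeyRevocation"}
REVOCATIONS = {0x20, 0x28, 0x30}

# Constructed sample in the layout printed by `gpg --list-packets`;
# key IDs and timestamps are placeholders, not taken from a real key.
SAMPLE = """\
:public key packet:
\tversion 4, algo 1, created 1400000000, expires 0
\tkeyid: AAAAAAAAAAAAAAAA
:user ID packet: "Example Repo Signing <repo@example.invalid>"
:signature packet: algo 1, keyid AAAAAAAAAAAAAAAA
\tversion 4, created 1400000000, md5len 0, sigclass 0x13
\tdigest algo 2, begin of digest 12 34
:signature packet: algo 1, keyid AAAAAAAAAAAAAAAA
\tversion 4, created 1500000000, md5len 0, sigclass 0x20
\tdigest algo 2, begin of digest 56 78
:public sub key packet:
\tversion 4, algo 1, created 1400000000, expires 0
\tkeyid: BBBBBBBBBBBBBBBB
:signature packet: algo 1, keyid AAAAAAAAAAAAAAAA
\tversion 4, created 1400000000, md5len 0, sigclass 0x18
\tdigest algo 8, begin of digest 9a bc
"""

def parse_signatures(listing):
    """Return one dict per signature packet: keyid, sigclass, digest."""
    sigs, cur = [], None
    for line in listing.splitlines():
        if line.startswith(":"):          # a new packet begins
            m = re.match(r":signature packet: algo \d+, keyid ([0-9A-Fa-f]+)", line)
            cur = {"keyid": m.group(1), "sigclass": None, "digest": None} if m else None
            if cur:
                sigs.append(cur)
        elif cur is not None:             # indented detail line of a signature
            if m := re.search(r"sigclass 0x([0-9A-Fa-f]+)", line):
                cur["sigclass"] = int(m.group(1), 16)
            if m := re.search(r"digest algo (\d+)", line):
                cur["digest"] = int(m.group(1))
    return sigs

def weak_non_revocation_signatures(listing):
    """Non-revocation signatures made with a weak digest (MD5, SHA1, RIPEMD160)."""
    return [(s["keyid"], SIG_CLASSES.get(s["sigclass"], hex(s["sigclass"])),
             HASHES.get(s["digest"], str(s["digest"])))
            for s in parse_signatures(listing)
            if s["sigclass"] is not None and s["digest"] in WEAK_HASHES
            and s["sigclass"] not in REVOCATIONS]
```

On the constructed sample only the SHA1 `PositiveCertification` is reported; the SHA1 revocation and the SHA256 subkey binding are not.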