
Verify Apple codesign immediately after ESRP signing #27486

Merged: daxian-dbw merged 1 commit into PowerShell:master from andyleejordan:andschwa/verify-after-esrp-sign on May 20, 2026
Conversation

@andyleejordan
Member

@andyleejordan andyleejordan commented May 20, 2026

PR Summary

Add an equivalent of the codesign --verify --deep --strict step in the Sign_macOS_* jobs immediately after expanding the zip returned by ESRP. This is similar to the verification already run downstream in mac-package-build.yml, but running it inside the sign job means we fail fast in the producing pipeline instead of discovering the problem later in packaging. And it uses PowerShell to just look at the files, so it can run on Windows.

Motivation

In a release build, the Sign_macOS_x64 job's ESRP submission returned statusCode: pass with "1 files signed successfully!", but the returned zip contained byte-identical Mach-O entries with no Developer ID Application signature applied. ESRP silently no-op'd. The failure only surfaced in the downstream packaging pipeline's verify step (added in #27347), one stage later, after we had already published the bad drop_macos_sign_x64 artifact.

Running the same verify here surfaces this class of silent ESRP no-op in the job that owns the signing, so:

  • The signing job — not packaging — is what goes red, pointing the on-call directly at ESRP.
  • The bad drop_macos_sign_* artifact is never published.
  • Re-running just the failed sign job is sufficient to recover.

PR Context

Defense-in-depth follow-up to #27347.

PR Checklist

  • PR has a meaningful title
  • Summarized changes
  • Make sure all .h, .cpp, .cs, .ps1 and .psm1 files have the correct copyright header — N/A (pipeline YAML)
  • This PR is ready to merge and is not work in progress
    • Breaking changes
      • None
  • User-facing changes — None
  • Documentation needed — N/A
  • Tests — verified by next pipeline run

[Job-specific change to .pipelines/templates/mac.yml only]

@andyleejordan andyleejordan requested a review from jshigetomi as a code owner May 20, 2026 17:50
Copilot AI review requested due to automatic review settings May 20, 2026 17:50
@andyleejordan andyleejordan requested a review from a team as a code owner May 20, 2026 17:50
Contributor

Copilot AI left a comment


Pull request overview

This PR aims to fail fast on macOS ESRP “successful but unsigned output” cases by verifying Apple code signatures immediately after expanding the ESRP-returned zip in the Sign_macOS_* jobs, mirroring the verification already performed later in mac-package-build.yml.

Changes:

  • Add a codesign --verify --deep --strict verification loop over pwsh and *.dylib in .pipelines/templates/mac.yml right after expanding the ESRP-signed zip.

@andyleejordan andyleejordan added the OS-macOS, CL-BuildPackaging (build or packaging change in the Change Log) and Compliance (related to compliance requirements) labels May 20, 2026
@andyleejordan andyleejordan marked this pull request as draft May 20, 2026 18:17
The Sign_macOS_* jobs run on a Windows pool, so we cannot call
`codesign`. Scan each Mach-O for the certificate-subject string
`Developer ID Application: Microsoft Corporation` that ESRP embeds
into the CMS signature blob; if it is absent, ESRP did not actually
sign the file and we fail the job. This catches silent ESRP no-ops
(statusCode=pass with byte-identical output) in the job that owns
the signing rather than one stage later in packaging.

Co-authored-by: Copilot <[email protected]>
@andyleejordan andyleejordan force-pushed the andschwa/verify-after-esrp-sign branch from 69e866f to d7c0ee0 May 20, 2026 18:38
@andyleejordan andyleejordan marked this pull request as ready for review May 20, 2026 20:13
@andyleejordan
Member Author

andyleejordan commented May 20, 2026

Updated to work on Windows. I hand-checked the script:

> cat ./verify-step.ps1
param([string]$signedDir)
$expected = 'Developer ID Application: Microsoft Corporation'
$missing = @()
Get-ChildItem $signedDir -Recurse -Include 'pwsh', '*.dylib' | ForEach-Object {
  $bytes = [System.IO.File]::ReadAllBytes($_.FullName)
  $text = [System.Text.Encoding]::Latin1.GetString($bytes)
  if (-not $text.Contains($expected)) {
    $missing += $_.FullName
    Write-Host "##[error]Missing '$expected' signature in $($_.FullName)"
  } else {
    Write-Host "OK: $($_.FullName)"
  }
}
if ($missing.Count -gt 0) {
  throw "ESRP did not apply a Developer ID signature to $($missing.Count) file(s): $($missing -join ', ')"
}

> ./verify-step.ps1 /tmp/sign76out/
OK: /tmp/sign76out/drop_macos_sign_x64/Signed-x64/libcoreclr.dylib
OK: /tmp/sign76out/drop_macos_sign_x64/Signed-x64/libpsl-native.dylib
OK: /tmp/sign76out/drop_macos_sign_x64/Signed-x64/libSystem.Native.dylib

> ./verify-step.ps1 /tmp/sign74out/
##[error]Missing 'Developer ID Application: Microsoft Corporation' signature in /tmp/sign74out/drop_macos_sign_x64/Signed-x64/libcoreclr.dylib
##[error]Missing 'Developer ID Application: Microsoft Corporation' signature in /tmp/sign74out/drop_macos_sign_x64/Signed-x64/libpsl-native.dylib
##[error]Missing 'Developer ID Application: Microsoft Corporation' signature in /tmp/sign74out/drop_macos_sign_x64/Signed-x64/libSystem.Native.dylib
##[error]Missing 'Developer ID Application: Microsoft Corporation' signature in /tmp/sign74out/drop_macos_sign_x64/Signed-x64/libSystem.Security.Cryptography.Native.OpenSsl.dylib
##[error]Missing 'Developer ID Application: Microsoft Corporation' signature in /tmp/sign74out/drop_macos_sign_x64/Signed-x64/pwsh
Exception: /private/tmp/verify-step.ps1:15
Line |
  15 |    throw "ESRP did not apply a Developer ID signature to $($missing.Co …
     |    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     | ESRP did not apply a Developer ID signature to 5 file(s):
     | /tmp/sign74out/drop_macos_sign_x64/Signed-x64/libcoreclr.dylib,
     | /tmp/sign74out/drop_macos_sign_x64/Signed-x64/libpsl-native.dylib,
     | /tmp/sign74out/drop_macos_sign_x64/Signed-x64/libSystem.Native.dylib,
     | /tmp/sign74out/drop_macos_sign_x64/Signed-x64/libSystem.Security.Cryptography.Native.OpenSsl.dylib,
     | /tmp/sign74out/drop_macos_sign_x64/Signed-x64/pwsh
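A structural variant of the same check, as an added example that is not part of the PR or the pipeline (Python rather than the PowerShell step above): it follows LC_CODE_SIGNATURE to the code-signature SuperBlob and requires a non-empty CMS blob that names the expected subject, so a literal that merely appears elsewhere in the file does not count, and an ad-hoc signature's empty CMS wrapper is rejected too. The Mach-O fixture produced by build_macho is constructed, and its CMS payload is a stand-in byte string rather than a real PKCS#7 structure.

```python
import struct

MH_MAGIC_64 = 0xfeedfacf          # little-endian 64-bit Mach-O header magic
LC_CODE_SIGNATURE = 0x1d          # load command pointing at the signature SuperBlob
CSMAGIC_EMBEDDED_SIGNATURE = 0xfade0cc0
CSMAGIC_BLOBWRAPPER = 0xfade0b01  # wraps the CMS (PKCS#7) signature
CSSLOT_SIGNATURESLOT = 0x10000
SUBJECT = b'Developer ID Application: Microsoft Corporation'

def cms_blob(macho):
    """Return the CMS bytes referenced by LC_CODE_SIGNATURE, or None if absent/empty."""
    magic, _, _, _, ncmds, _, _, _ = struct.unpack_from('<8I', macho, 0)
    if magic != MH_MAGIC_64:
        raise ValueError('not a little-endian 64-bit Mach-O')
    off = 32                                        # load commands follow the 32-byte header
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from('<2I', macho, off)
        if cmd == LC_CODE_SIGNATURE:
            dataoff, datasize = struct.unpack_from('<2I', macho, off + 8)
            return _cms_from_superblob(macho[dataoff:dataoff + datasize])
        off += cmdsize
    return None

def _cms_from_superblob(sb):
    # SuperBlob is big-endian: magic, length, count, then (slot, offset) index entries
    if len(sb) < 12 or struct.unpack_from('>I', sb, 0)[0] != CSMAGIC_EMBEDDED_SIGNATURE:
        return None
    count = struct.unpack_from('>I', sb, 8)[0]
    for i in range(count):
        slot, boff = struct.unpack_from('>2I', sb, 12 + 8 * i)
        if slot == CSSLOT_SIGNATURESLOT:
            bmagic, blen = struct.unpack_from('>2I', sb, boff)
            if bmagic == CSMAGIC_BLOBWRAPPER and blen > 8:   # ad-hoc signatures leave this empty
                return sb[boff + 8:boff + blen]
    return None

def has_developer_id(macho, subject=SUBJECT):
    """True only if a non-empty CMS blob is present and names the expected subject."""
    cms = cms_blob(macho)
    return cms is not None and subject in cms

def build_macho(body, cms=None):
    """Constructed fixture: header, optional LC_CODE_SIGNATURE, body bytes, then the SuperBlob."""
    sb = b''
    if cms is not None:
        wrapper = struct.pack('>2I', CSMAGIC_BLOBWRAPPER, 8 + len(cms)) + cms
        sb = struct.pack('>5I', CSMAGIC_EMBEDDED_SIGNATURE, 20 + len(wrapper), 1,
                         CSSLOT_SIGNATURESLOT, 20) + wrapper
    ncmds = 0 if cms is None else 1
    hdr = struct.pack('<8I', MH_MAGIC_64, 0x01000007, 3, 2, ncmds, 16 * ncmds, 0, 0)
    dataoff = 32 + 16 * ncmds + len(body)
    lc = struct.pack('<4I', LC_CODE_SIGNATURE, 16, dataoff, len(sb)) if ncmds else b''
    return hdr + lc + body + sb
```

Running it over a directory is the same Get-ChildItem loop as above; the difference is only that the decision is made on the signature structure instead of on any occurrence of the string in the file.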


Labels

Backport-7.4.x-Migrated, Backport-7.5.x-Migrated, Backport-7.6.x-Migrated, CL-BuildPackaging, Compliance, OS-macOS
