
[release/v7.4.17] Verify Apple codesign immediately after ESRP signing#27540

Merged
SeeminglyScience merged 1 commit into
PowerShell:release/v7.4.17from
SeeminglyScience:backport/release/v7.4.17/27486-5e6ecd370
May 28, 2026

Conversation

@SeeminglyScience
Contributor

Backport of #27486 to release/v7.4.17

Triggered by @SeeminglyScience on behalf of @andyleejordan

Original CL Label: CL-BuildPackaging

/cc @PowerShell/powershell-maintainers

Impact

REQUIRED: Choose either Tooling Impact or Customer Impact (or both). At least one checkbox must be selected.

Tooling Impact

  • Required tooling change
  • Optional tooling change (include reasoning)

Adds codesign --verify --deep --strict verification immediately after ESRP signing in Sign_macOS_* pipeline jobs. This ensures silent ESRP no-ops are caught in the signing job itself rather than discovered later in packaging, preventing publication of bad signed artifacts.

Customer Impact

  • Customer reported
  • Found internally

Regression

REQUIRED: Check exactly one box.

  • Yes
  • No

This is not a regression.

Testing

Verified by next pipeline run. This is a pipeline YAML-only change adding a defensive verification step — no unit tests apply. The original change was validated during a release build where ESRP silently no-op'd; this check would have caught it at the sign stage.

Risk

REQUIRED: Check exactly one box.

  • High
  • Medium
  • Low

Pipeline YAML only — no runtime code changes. The added step is read-only verification (codesign --verify) that fails fast rather than publishing a bad artifact. No customer-facing behavior is affected.
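The verification step the description refers to, as an added example that is not the PowerShell pipeline's own YAML or script: a POSIX shell function that runs codesign --verify --deep --strict right after signing and then inspects the codesign -dvv output, so that an ad-hoc signature or a signature from the wrong team also fails the job, not only a completely unsigned binary (codesign --verify on its own accepts ad-hoc signatures). The team ID, bundle identifier and the sample codesign -dvv outputs are constructed placeholders, not values from the page; the real team ID would come from the signing configuration.

```shell
#!/bin/sh
# Added example, not the PowerShell project's pipeline code.
# EXPECTED_TEAM_ID and the SAMPLE_* outputs below are constructed placeholders.
set -eu

EXPECTED_TEAM_ID="TEAMID0000"   # hypothetical; the real Apple Team ID goes here

# Decide from the text of `codesign -dvv <path>` (read on stdin) whether the
# object carries a real Developer ID signature from the expected team.
# Prints a short reason and returns 0 only when the signature is acceptable.
signature_is_acceptable() {
    expected_team="$1"
    info=$(cat)
    case "$info" in
        *"not signed at all"*) echo "unsigned"; return 1 ;;
    esac
    # `codesign --verify` passes for ad-hoc signatures; a signing no-op followed
    # by an ad-hoc fallback would otherwise slip through.
    if printf '%s\n' "$info" | grep -qx 'Signature=adhoc'; then
        echo "ad-hoc signature"; return 1
    fi
    if ! printf '%s\n' "$info" | grep -q '^Authority=Developer ID Application:'; then
        echo "not a Developer ID signature"; return 1
    fi
    if ! printf '%s\n' "$info" | grep -qx "TeamIdentifier=$expected_team"; then
        echo "unexpected or missing TeamIdentifier"; return 1
    fi
    echo "ok"
}

# Pipeline use: call right after the signing tool returns, before packaging.
# The first command fails the step on a broken or missing signature; the second
# fails it on a signature that verifies but is not the expected identity.
# codesign writes its -dvv details to stderr, hence 2>&1.
verify_after_signing() {
    path="$1"
    codesign --verify --deep --strict --verbose=2 "$path"
    codesign -dvv "$path" 2>&1 | signature_is_acceptable "$EXPECTED_TEAM_ID"
}

# Constructed samples in the shape codesign -dvv produces (not real output).
SAMPLE_SIGNED="Executable=/tmp/example/pwsh
Identifier=com.example.pwsh
Format=Mach-O thin (arm64)
CodeDirectory v=20500 size=1234 flags=0x10000(runtime) hashes=30+7 location=embedded
Signature size=8988
Authority=Developer ID Application: Example Corp (TEAMID0000)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=TEAMID0000
Sealed Resources=none
Internal requirements count=1 size=188"

SAMPLE_ADHOC="Executable=/tmp/example/pwsh
Identifier=pwsh
Format=Mach-O thin (arm64)
CodeDirectory v=20400 size=1234 flags=0x2(adhoc) hashes=30+7 location=embedded
Signature=adhoc
Info.plist=not bound
TeamIdentifier=not set
Sealed Resources=none
Internal requirements count=0 size=12"

SAMPLE_UNSIGNED="/tmp/example/pwsh: code object is not signed at all"

# Stand-alone demonstration against the constructed samples.
for sample in "$SAMPLE_SIGNED" "$SAMPLE_ADHOC" "$SAMPLE_UNSIGNED"; do
    printf '%s' "$sample" | signature_is_acceptable "$EXPECTED_TEAM_ID" || true
done
```

In a pipeline job the call is verify_after_signing on each signed Mach-O; with set -e in effect, a failing check stops the job at the sign stage, which is the behaviour the description asks for. Bundles need the same treatment per nested executable, which is what --deep is for on the verify call.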

@SeeminglyScience SeeminglyScience requested a review from a team as a code owner May 28, 2026 18:38
Copilot AI review requested due to automatic review settings May 28, 2026 18:38
@SeeminglyScience SeeminglyScience added the CL-BuildPackaging Indicates that a PR should be marked as a build or packaging change in the Change Log label May 28, 2026
Contributor

Copilot AI left a comment


Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.

@SeeminglyScience SeeminglyScience merged commit 28d9c37 into PowerShell:release/v7.4.17 May 28, 2026
36 checks passed
@SeeminglyScience SeeminglyScience deleted the backport/release/v7.4.17/27486-5e6ecd370 branch May 29, 2026 17:24

4 participants