Skip to content

[release/v7.5.8] Verify Apple codesign immediately after ESRP signing#27541

Merged
SeeminglyScience merged 1 commit into
PowerShell:release/v7.5.8from
SeeminglyScience:backport/release/v7.5.8/27486-5e6ecd370
May 28, 2026
Merged

[release/v7.5.8] Verify Apple codesign immediately after ESRP signing#27541
SeeminglyScience merged 1 commit into
PowerShell:release/v7.5.8from
SeeminglyScience:backport/release/v7.5.8/27486-5e6ecd370

Conversation

@SeeminglyScience
Copy link
Copy Markdown
Contributor

@SeeminglyScience SeeminglyScience commented May 28, 2026

Backport of #27486 to release/v7.5.8

Triggered by @SeeminglyScience on behalf of @andyleejordan

Original CL Label: CL-BuildPackaging

/cc @PowerShell/powershell-maintainers

Impact

REQUIRED: Choose either Tooling Impact or Customer Impact (or both). At least one checkbox must be selected.

Tooling Impact

  • Required tooling change
  • Optional tooling change (include reasoning)

Adds codesign --verify --deep --strict verification immediately after ESRP signing in Sign_macOS_* pipeline jobs. This ensures silent ESRP no-ops are caught in the signing job itself rather than discovered later in packaging, preventing publication of bad signed artifacts.

Customer Impact

  • Customer reported
  • Found internally

Regression

REQUIRED: Check exactly one box.

  • Yes
  • No

This is not a regression.

Testing

Verified by next pipeline run. This is a pipeline YAML-only change adding a defensive verification step — no unit tests apply. The original change was validated during a release build where ESRP silently no-op'd; this check would have caught it at the sign stage.

Risk

REQUIRED: Check exactly one box.

  • High
  • Medium
  • Low

Pipeline YAML only — no runtime code changes. The added step is read-only verification (codesign --verify) that fails fast rather than publishing a bad artifact. No customer-facing behavior is affected.

Copilot AI review requested due to automatic review settings May 28, 2026 18:40
@SeeminglyScience SeeminglyScience requested a review from a team as a code owner May 28, 2026 18:40
@SeeminglyScience SeeminglyScience added the CL-BuildPackaging Indicates that a PR should be marked as a build or packaging change in the Change Log label May 28, 2026
Copilot AI reviewed May 28, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Backport of #27486 to release/v7.5.8 that adds a post-ESRP verification step in the macOS signing jobs to detect silent ESRP no-ops by scanning signed Mach-O binaries for the expected "Developer ID Application: Microsoft Corporation" string, failing the job if any are missing.

Changes:

  • Adds a PowerShell verification step in Sign_macOS_* jobs immediately after ESRP zip expansion.
  • Fails fast on missing Developer ID signatures so bad signed artifacts are never published.

@SeeminglyScience SeeminglyScience merged commit c3fb5fa into PowerShell:release/v7.5.8 May 28, 2026
35 checks passed
@SeeminglyScience SeeminglyScience deleted the backport/release/v7.5.8/27486-5e6ecd370 branch May 29, 2026 17:24
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@adityapatwardhan adityapatwardhan adityapatwardhan approved these changes

Assignees

No one assigned

Labels

CL-BuildPackaging Indicates that a PR should be marked as a build or packaging change in the Change Log

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@SeeminglyScience @adityapatwardhan @andyleejordan