Skip to content

[release/v7.6.3] Verify Apple codesign immediately after ESRP signing#27542

Merged
SeeminglyScience merged 1 commit into
PowerShell:release/v7.6.3from
SeeminglyScience:backport/release/v7.6.3/27486-5e6ecd370
May 28, 2026
Merged

[release/v7.6.3] Verify Apple codesign immediately after ESRP signing#27542
SeeminglyScience merged 1 commit into
PowerShell:release/v7.6.3from
SeeminglyScience:backport/release/v7.6.3/27486-5e6ecd370

Conversation

@SeeminglyScience
Copy link
Copy Markdown
Contributor

@SeeminglyScience SeeminglyScience commented May 28, 2026

Backport of #27486 to release/v7.6.3

Triggered by @SeeminglyScience on behalf of @andyleejordan

Original CL Label: CL-BuildPackaging

/cc @PowerShell/powershell-maintainers

Impact

REQUIRED: Choose either Tooling Impact or Customer Impact (or both). At least one checkbox must be selected.

Tooling Impact

  • Required tooling change
  • Optional tooling change (include reasoning)

Adds codesign --verify --deep --strict verification immediately after ESRP signing in Sign_macOS_* pipeline jobs. This ensures silent ESRP no-ops are caught in the signing job itself rather than discovered later in packaging, preventing publication of bad signed artifacts.

Customer Impact

  • Customer reported
  • Found internally

Regression

REQUIRED: Check exactly one box.

  • Yes
  • No

This is not a regression.

Testing

Verified by next pipeline run. This is a pipeline YAML-only change adding a defensive verification step — no unit tests apply. The original change was validated during a release build where ESRP silently no-op'd; this check would have caught it at the sign stage.

Risk

REQUIRED: Check exactly one box.

  • High
  • Medium
  • Low

Pipeline YAML only — no runtime code changes. The added step is read-only verification (codesign --verify) that fails fast rather than publishing a bad artifact. No customer-facing behavior is affected.

Copilot AI review requested due to automatic review settings May 28, 2026 18:43
@SeeminglyScience SeeminglyScience requested review from a team and jshigetomi as code owners May 28, 2026 18:43
@SeeminglyScience SeeminglyScience added the CL-BuildPackaging Indicates that a PR should be marked as a build or packaging change in the Change Log label May 28, 2026
Copilot AI reviewed May 28, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Backport of #27486 to release/v7.6.3. Adds a verification step after ESRP signing in the macOS sign jobs to detect silent no-ops by checking that signed Mach-O binaries contain the expected Developer ID Application signature string, failing the signing job rather than discovering the issue later in packaging.

Changes:

  • Adds a PowerShell verification step in Sign_macOS_* jobs that scans pwsh and *.dylib files for the expected Developer ID signature string and throws if missing.

@SeeminglyScience SeeminglyScience merged commit 98b3e1d into PowerShell:release/v7.6.3 May 28, 2026
35 checks passed
@SeeminglyScience SeeminglyScience deleted the backport/release/v7.6.3/27486-5e6ecd370 branch May 29, 2026 17:24
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@adityapatwardhan adityapatwardhan adityapatwardhan approved these changes

@jshigetomi jshigetomi Awaiting requested review from jshigetomi jshigetomi is a code owner

Assignees

No one assigned

Labels

CL-BuildPackaging Indicates that a PR should be marked as a build or packaging change in the Change Log

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@SeeminglyScience @adityapatwardhan @andyleejordan