From d7c0ee08fe01ea429761a8534a21b0db2fb9a185 Mon Sep 17 00:00:00 2001
From: Andy Jordan <2226434+andyleejordan@users.noreply.github.com>
Date: Wed, 20 May 2026 10:49:16 -0700
Subject: [PATCH] Verify Developer ID signature after ESRP on macOS sign jobs
The Sign_macOS_* jobs run on a Windows pool, so we cannot call `codesign`. Scan each Mach-O for the certificate-subject string `Developer ID Application: Microsoft Corporation` that ESRP embeds into the CMS signature blob; if it is absent, ESRP did not actually sign the file and we fail the job. This catches silent ESRP no-ops (statusCode=pass with byte-identical output) in the job that owns the signing rather than one stage later in packaging.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 .pipelines/templates/mac.yml | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
diff --git a/.pipelines/templates/mac.yml b/.pipelines/templates/mac.yml
index cd492994617..2231d668b48 100644
--- a/.pipelines/templates/mac.yml
+++ b/.pipelines/templates/mac.yml
@@ -184,4 +184,23 @@ jobs:
 Expand-Archive -Path $zipFile -DestinationPath $signedDir -Force -Verbose
 displayName: Expand Apple-signed Mach-O binaries into signed output
 
+ - pwsh: |
+ $signedDir = "$(ob_outputDirectory)/Signed-$(Runtime)"
+ $expected = 'Developer ID Application: Microsoft Corporation'
+ $missing = @()
+ Get-ChildItem $signedDir -Recurse -Include 'pwsh', '*.dylib' | ForEach-Object {
+ $bytes = [System.IO.File]::ReadAllBytes($_.FullName)
+ $text = [System.Text.Encoding]::Latin1.GetString($bytes)
+ if (-not $text.Contains($expected)) {
+ $missing += $_.FullName
+ Write-Host "##[error]Missing '$expected' signature in $($_.FullName)"
+ } else {
+ Write-Host "OK: $($_.FullName)"
+ }
+ }
+ if ($missing.Count -gt 0) {
+ throw "ESRP did not apply a Developer ID signature to $($missing.Count) file(s): $($missing -join ', ')"
+ }
+ displayName: 'Verify Developer ID signature on Mach-O binaries'
+
 - template: /.pipelines/templates/step/finalize.yml@self
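Review bot: The new step passes vacuously when `Get-ChildItem` matches nothing — if `$signedDir` is empty or the expand step laid the files out differently, `$missing` stays empty and the job reports success without having scanned a single binary. Count what was checked and fail on zero: `$checked = 0` before the loop, `$checked++` inside the `ForEach-Object` block next to the `Write-Host` calls, and `if ($checked -eq 0) { throw "No Mach-O binaries found under $signedDir to verify" }` after the existing `$missing` check. Adding `-File` to the `Get-ChildItem` call also keeps a directory that happens to be named `pwsh` from reaching `ReadAllBytes`. Since the substring match only shows that a CMS blob naming that certificate is present in the file, not that the signature is valid or covers the code, a one-line comment in the script stating that this is a presence heuristic rather than signature validation would help the next maintainer. The enclosing `jobs:` entry starts outside the hunk.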