-
Notifications
You must be signed in to change notification settings - Fork 8.4k
Comparing changes
Open a pull request
base repository: PowerShell/PowerShell
base: master
head repository: PowerShell/PowerShell
compare: release/v7.9.99-preview.9
- 19 commits
- 13 files changed
- 3 contributors
Commits on Jul 7, 2026
-
Justin Chung committed
Jul 7, 2026 Configuration menu - View commit details
-
Copy full SHA for 5d9795d - Browse repository at this point
Copy the full SHA 5d9795dView commit details -
Fix 1ES POC: switch pool image to 1ES PT-compliant MMSWindows2022-g2-…
…Secure Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Configuration menu - View commit details
-
Copy full SHA for 7e96a1b - Browse repository at this point
Copy the full SHA 7e96a1bView commit details -
Switch 1ES POC pool to Azure-Pipelines-1ESPT-ExDShared (windows-lates…
…t) so Pre-Job passes Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Configuration menu - View commit details
-
Copy full SHA for 80650c5 - Browse repository at this point
Copy the full SHA 80650c5View commit details -
Retarget 1ES POC at team-owned PowerShell1ES pool with MMS2022 image
The PowerShell1ES pool was migrated to the 1ES-maintained MMS2022 image (full name MMSWindows2022-1ESPT-v2) by an unmerged-but-deployed branch in PsImageFactory (PR #38413, deployed ~4 months ago). It is 1ES PT-compliant out of the box, so the previous ExDShared fallback is no longer needed. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Configuration menu - View commit details
-
Copy full SHA for 9552921 - Browse repository at this point
Copy the full SHA 9552921View commit details -
Fix Guardian TSAUpload by using absolute path for sdl.tsa.configFile
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Configuration menu - View commit details
-
Copy full SHA for 1fa6960 - Browse repository at this point
Copy the full SHA 1fa6960View commit details -
1ES POC cleanup: drop dead pool/container vars, derive APIScan versio…
…n from branch - Remove unreferenced PoolNames variable group + LinuxContainerImage / WindowsContainerImage (zero references in the 1ES tree). - Replace hardcoded sdl.apiscan.versionNumber "7.6" with a value derived from Build.SourceBranchName at template-expansion time. Fixes silent TSA mislabelling on 7.9+ branches. - Keep ob_outputDirectory name intact (build.psm1 reads $env:OB_OUTPUTDIRECTORY). - Document each decision inline with NB comments. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Configuration menu - View commit details
-
Copy full SHA for db357f4 - Browse repository at this point
Copy the full SHA db357f4View commit details -
Add 1ES PT Unofficial scaffold for PowerShell-Coordinated_Packages
Phase A of the OneBranch -> 1ES Pipeline Templates migration for the Coordinated_Packages pipeline. Builds and stubs signing end-to-end so the scaffold can be validated in ADO before ESRP signing onboarding completes. Files: .pipelines/1ES/PowerShell-Coordinated_Packages-NonOfficial.yml Entry pipeline. Extends v1/1ES.Unofficial.PipelineTemplate.yml. CodeQL enabled unconditionally (compiled + enabledOnNonDefaultBranches + tsaEnabled) so every branch -- including rebuild/* shipping branches and migration test branches -- gets coverage. Branch-gated CodeQL would miss rebuild/* releases and block validating the SDL injection plumbing without cutting a real release. Global SDL paths use $(Build.SourcesDirectory)\.config\... (NO \PowerShell\ segment) because the auto-injected SDL Sources Analysis job runs without the stage-repo helper. .pipelines/1ES/templates/stages/PowerShell-Coordinated_Packages-Stages.yml 5-stage layout: prep / macos / linux / windows / test_and_release_artifacts. .pipelines/1ES/templates/stage-repo-under-PowerShell.yml NEW helper. Copy-Items repo into a \PowerShell\ subfolder so existing scripts that hardcode $(Build.SourcesDirectory)\PowerShell\... keep working. Replaces OneBranch cloneToOfficialPath.yml (which used `git clone` -- not viable in 1ES PT where source IS the parent of dest). Hardened: ErrorAction=Stop, excludes .git, post-copy sanity check for build.psm1 / .config/tsaoptions.json / .config/suppress.json. .pipelines/1ES/templates/mac.yml macOS build (Azure Pipelines + macOS-latest + isCustom:true) plus Windows sign job (PowerShell1ES + MMS2022). Apple sign + verify stubbed. codeSignValidation disabled on sign job while signing is stubbed -- 1ES PT's separate codeSignValidation SDL check fails regardless of Update-PSSignedBuildFolder's tolerance for unsigned files in Unofficial mode. Belt-and-suspenders ##vso[artifact.upload] fallback added because templateContext.outputs on custom pools is untested in this codebase. .pipelines/1ES/templates/linux.yml Linux build (PowerShell1ES + PSMMSAzureLinux3.0-Secure) plus Windows sign job. Per-job CodeQL3000Init/Finalize tasks dropped -- 1ES PT injects them automatically from sdl.codeql config. .pipelines/1ES/templates/windows-hosted-build.yml Single Windows job (PowerShell1ES + MMS2022) that builds and signs in place. 3 signing stubs (obj 1P, nupkg, obp-file-signing dispatch). Per-job CodeQL3000 tasks dropped. .pipelines/1ES/templates/testartifacts.yml Win + nonwin test package staging. Win job passes $(PowerShellRoot) -- NOT $(RepoRoot) -- to insert-nuget-config-azfeed.yml so the private-feed nuget.config lands in the staged repo, not the un-staged root that $(RepoRoot) still points to after the stage-repo helper runs. .pipelines/1ES/templates/obp-file-signing.yml 1P + 3P signing stubbed. Folder-prep and Update-PSSignedBuildFolder invocation preserved. Header lists the 4 ESRP KeyCodes needed for unstub (CP-230012, CP-231522, CP-401405, CP-401337-Apple). Reuses these OneBranch templates unchanged: .pipelines/templates/variables/PowerShell-Coordinated_Packages-Variables.yml .pipelines/templates/SetVersionVariables.yml .pipelines/templates/set-reporoot.yml .pipelines/templates/insert-nuget-config-azfeed.yml .pipelines/templates/install-dotnet.yml .pipelines/templates/rebuild-branch-check.yml .pipelines/templates/step/finalize.yml Phase B (real ESRP signing) starts once ESRP keycode onboarding lands. Phase C forks this Unofficial scaffold to an Official sibling. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>Configuration menu - View commit details
-
Copy full SHA for 0da97e8 - Browse repository at this point
Copy the full SHA 0da97e8View commit details -
Fix Linux pool/image pairing in 1ES NonOfficial scaffold
Build #684757 (the first ADO build of the new 1ES scaffold) was cancelled at the prep stage with: Remote machine provider issue: Failed to request agent. Exception Image PSMMSAzureLinux3.0-Secure doesn't exist in pool PowerShell1ES Root cause: PowerShell1ES (the team-owned 1ES managed pool, id 108, 35 agents) only carries MMS2022 (Windows Server 2022). It does NOT have any Linux image deployed. The original scaffold tentatively assumed PSMMSAzureLinux3.0-Secure was present based on a partial read of the CloudTest.png inventory; build #684757 disproved that assumption. Fix: * prep/SetVars (Stages.yml) -> PowerShell1ES + MMS2022 + os: windows SetVars only runs pwsh to compute version variables; no Linux-specific tooling is required. Using the proven Windows pairing from the apiscan POC also avoids gating prep on a second pool authorization on first run. * linux.yml build job -> Azure-Pipelines-1ESPT-ExDShared + ubuntu-latest + os: linux * testartifacts.yml nonwin job -> same Azure-Pipelines-1ESPT-ExDShared is the E+D org's shared 1ES PT-managed Linux pool (24 D2ads_v5 agents, 8 GiB RAM, 75 GiB temp storage, Ubuntu 22.04 LTS with the full Microsoft-hosted dev tooling). It is the documented standard fallback per the 1ES PT migration guide. If/when a team-owned Linux image lands on PowerShell1ES (would need a PsImageFactory PR similar to the unmerged addAzureCLI PR that put MMS2022 there), swap the pool: block in 2 places: templates/linux.yml build job and templates/testartifacts.yml nonwin job. Also updates the POOL/IMAGE STRATEGY comment in the entry pipeline and drops the now-resolved "Confirm Linux pool/image mapping" TODO. All 4 modified files validated with ConvertFrom-Yaml; no stale pairing references remain in code (only in comments documenting the lesson). Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>Configuration menu - View commit details
-
Copy full SHA for ed8737d - Browse repository at this point
Copy the full SHA ed8737dView commit details -
Switch 1ES PT Linux jobs to PowerShell1ES + PSMMSUbuntu22.04-Secure
After inspecting the PsImageFactory repo, PowerShell1ES.bicep already declares PSMMSUbuntu22.04-Secure (and PSMMSUbuntu20.04-Secure) in its images[] array. Build #684757 failed for PSMMSAzureLinux3.0-Secure specifically because that image has its own bicep but was never plumbed into the pool resource. Swap Linux jobs back to the team-owned PowerShell1ES pool using Ubuntu 22.04 so we're not dependent on the external E+D shared pool. If the next build fails the same way (Ubuntu 22 declared in bicep but deploy.ps1 was never run to push it to Azure), fall back to Azure-Pipelines-1ESPT-ExDShared + ubuntu-latest, or open a #38412-style PsImageFactory PR to plumb in PSMMSAzureLinux3.0-Secure. Affected: - .pipelines/1ES/templates/linux.yml (build job) - .pipelines/1ES/templates/testartifacts.yml (nonwin job) - .pipelines/1ES/PowerShell-Coordinated_Packages-NonOfficial.yml (POOL/IMAGE STRATEGY comment block) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Configuration menu - View commit details
-
Copy full SHA for f331e58 - Browse repository at this point
Copy the full SHA f331e58View commit details -
Fix 4 root causes from 1ES NonOfficial build #685762
Cluster 1 (Linux pool): revert linux.yml + testartifacts.yml to Azure-Pipelines-1ESPT-ExDShared + ubuntu-latest. PSMMSUbuntu22.04-Secure is declared in PowerShell1ES.bicep and deployed, but the image lacks the 1es-pt-prerequisites artifact required by 1ES PT (https://aka.ms/1espt/image-prerequisites). E+D shared images ship the artifact by default. Long-term: PsImageFactory PR to add the artifact to PSMMS* images. Updated header comments to capture the lesson. Cluster 2 (Switch-PSNugetConfig): add 1ES-specific .pipelines/1ES/templates/insert-nuget-config-azfeed.yml that resets `$global:LASTEXITCODE = 0` after the call. Switch-PSNugetConfig -> New-NugetConfigFile runs `git update-index --skip-worktree` against the regenerated nuget.config. The staged repo (Copy-Item without .git) isn't a git workspace, so git fails benignly and leaves $LASTEXITCODE non-zero. pwsh 7.4+ propagates that to the process exit code -> ADO task fails despite Switch-PSNugetConfig actually completing. The `skip-worktree` is purely defensive against accidental commits, which is moot on a Copy-Item'd staging folder. Repointed 5 callsites (linux.yml, mac.yml, windows-hosted-build.yml, testartifacts.yml win + nonwin) to the 1ES wrapper. apiscan POC left on the shared template because its staging path differs. Cluster 3 (Linux nuget capture path): downstream of cluster 1; auto- resolved by the pool revert. Cluster 4 (mac.yml BuildArchitecture): line 119 referenced $(BuildArchitecture) on the BUILD job, but only the SIGN job declared the variable. Changed to template parameter substitution (${{ parameters.buildArchitecture }}) at compile time. Cleaner than mirroring the variable on the build job. All 6 modified YAML files validated with ConvertFrom-Yaml. Playbook updated with Gotchas #4, #5, #6. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Configuration menu - View commit details
-
Copy full SHA for a1922a6 - Browse repository at this point
Copy the full SHA a1922a6View commit details -
Revert Linux jobs to PowerShell1ES pool (C+AI org governance)
Per team policy: PowerShell is in the C+AI org and must NOT use pools owned by other orgs (e.g., E+D's Azure-Pipelines-1ESPT-ExDShared). The previous commit used that shared pool as a workaround for the missing 1es-pt-prerequisites artifact on PSMMSUbuntu22.04-Secure — that was a governance violation regardless of the convenience. Reverted linux.yml + testartifacts.yml + entry-pipeline comment block back to PowerShell1ES + PSMMSUbuntu22.04-Secure + os: linux. Updated all comments to: (a) State the governance rule explicitly (team-owned pools only). (b) Document the BLOCKER: PSMMSUbuntu22.04-Secure image build lacks the 1es-pt-prerequisites artifact required by 1ES PT (https://aka.ms/1espt/image-prerequisites). Build #685762 was rejected on this basis. (c) State the RESOLUTION path: PsImageFactory PR to bake the artifact into the PSMMSUbuntu22.04-Secure image build, then redeploy. Linux jobs of this pipeline cannot pass end-to-end until that work lands. Other fixes from the previous commit (nuget LASTEXITCODE wrapper for Windows + mac BuildArchitecture parameter substitution) are RETAINED. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>Configuration menu - View commit details
-
Copy full SHA for aa24b18 - Browse repository at this point
Copy the full SHA aa24b18View commit details -
Update Linux pool comment: 1es-pt-prerequisites-v2 artifact baked in
PsImageFactory rebuilt PSMMSUbuntu22.04-Secure with the linux-1es-pt-prerequisites-v2 artifact on 2026-06-09, unblocking the Linux jobs that were failing build #685762 with Using an image without 1es-pt-prerequisites artifact is not allowed. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Configuration menu - View commit details
-
Copy full SHA for 281ee7a - Browse repository at this point
Copy the full SHA 281ee7aView commit details -
Fix 3 cross-cutting bugs from build #686007 (1ES Coordinated_Packages…
… NonOfficial) Bug #1 (Linux Stage-repo): YAML boolean `cleanFirst` parameter rendered as literal `True` in the pwsh inline script, causing `if (True -and ...)` which fails on Linux. Switched to quoted string comparison `if ('${{ parameters.cleanFirst }}' -ieq 'True')` so the value is unambiguously a string regardless of platform pwsh parser. Bug #2 (Windows wix nuget restore): the staged repo at `$(Build.SourcesDirectory)\PowerShell` was created via `Copy-Item` without `.git`. Downstream `build.psm1` calls `git clean -fdX` which treats every file as untracked-and-ignored and wipes `tools/wix/nuget.config` (matches `.gitignore:110` pattern `nuget.config`). That file declares the `dotnet-eng` feed that hosts `Microsoft.Signed.Wix`, so dotnet restore fails with NU1101. Switched the staging helper to `git worktree add --detach $dst HEAD` so the staged path is a real git workspace; tracked files are preserved by `git clean -fdX` as designed. Added the lifecycle dance (`worktree remove --force` -> conditional `Remove-Item` -> unconditional `worktree prune` -> `worktree add`) so prior aborted runs do not leave orphaned worktree registrations blocking the next run. Also added `tools/wix/nuget.config` to the required-files post-check as a canary for this whole class of bug. Bug #3 (macOS Capture VSS* flake): hosted `macOS-latest` pwsh occasionally throws `Call to 'procargs' failed with errno 5` during startup - a libproc race independent of our scripts. Added `retryCountOnTaskFailure: 2` AND `continueOnError: true` to the diagnostic Capture VSS* task: retry to maximise odds of getting useful output, continueOnError as a safety net so a hosted flake never fails an otherwise-green build on a non-load-bearing diagnostic step. Also removed the obsolete `$global:LASTEXITCODE = 0` workaround from `insert-nuget-config-azfeed.yml` - it was masking the Bug #2 root cause. With the staged path now being a real git workspace, `git update-index --skip-worktree` succeeds normally and no reset is needed. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Configuration menu - View commit details
-
Copy full SHA for 359b4a0 - Browse repository at this point
Copy the full SHA 359b4a0View commit details -
Fix 2 cross-cutting bugs from build #686027 (1ES Coordinated_Packages…
… NonOfficial) Build #686027 ran end-to-end for the first time after the Linux image and git-worktree fixes from b58362c8. It surfaced two new failure clusters, both unrelated to the prior fixes: Cluster A/B/D: ~100K StyleCop/CodeAnalysis errors across Linux build, Windows BUILD, Windows Symbols, and Linux TestArtifacts. All four failures were the same root cause: Roslyn was loading TWO .globalconfig files (parent at $(Build.SourcesDirectory)/.globalconfig from 1ES PT checkout: self, plus child at $(Build.SourcesDirectory)/PowerShell/.globalconfig from our git-worktree staging step). Per Roslyn semantics, dual global-analyzer configs with conflicting keys UNSET those keys and emit a MultipleGlobalAnalyzerKeys warning. With every SA*/CA* suppression unset, all rules fired and TreatWarningsAsErrors escalated them. Fix: in stage-repo-under-PowerShell.yml, after git worktree add succeeds, rename the parent .globalconfig to .globalconfig.disabled-by-stage-repo so Roslyn no longer auto-discovers it. Add a defensive walk-up check from a sample project to assert exactly one .globalconfig remains visible and that it is the worktree copy. Add .globalconfig to the required-files canary list. This bug does NOT manifest under OneBranch because OneBranch's checkout layout puts source and staged repo as siblings, not parent/child. It is specific to the 1ES PT "checkout: self at $(Build.SourcesDirectory) + stage into a subdirectory" pattern. Other auto-discovered files were audited: .editorconfig has root=true (walk-up stops), no Directory.Build/Packages.* exist in the repo, nuget.config uses <clear/> at the worktree root. Cluster C: macOS BUILD published `macosBinResults-${arch}` artifact twice (once via mid-job `##vso[artifact.upload]`, once via end-of-job PublishPipelineArtifact@1 auto-injected from templateContext.outputs). The second registration failed with `Artifact macosBinResults-x64 already exists for build 686027`, marking the whole job as failed. The mid-job upload was added as a "belt-and-suspenders fallback" under the (incorrect) assumption that ADO tolerates duplicate artifact names; it does not. Fix: remove the mid-job `##vso[artifact.upload]` from mac.yml. Keep templateContext.outputs.pipelineArtifact as the single publish mechanism. Playbook updated with Gotchas #11 (dual .globalconfig conflict) and #12 (duplicate artifact registration). Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>Configuration menu - View commit details
-
Copy full SHA for 1323c7e - Browse repository at this point
Copy the full SHA 1323c7eView commit details -
Fix Linux dotfile regression from build #686043 (stage-repo assertion)
Build #686043 demonstrated both prior fixes (parent .globalconfig rename and mac.yml artifact de-duplication) worked: macOS and Windows jobs all passed, SDL succeeded, and the SA*/CA* analyzer firehose was gone. But all 9 Linux build jobs (and Linux test artifacts) failed in the new defensive walk-up assertion at stage-repo-under-PowerShell.yml:183 with: Get-Item: Could not find item /mnt/vss/_work/1/s/PowerShell/.globalconfig even though the previous line's Test-Path returned True for the same path. Root cause: on Linux, .NET marks any file with a leading "." as Hidden in FileSystemInfo.Attributes (POSIX convention). PowerShell's FileSystemProvider filters those out of Get-Item/Get-ChildItem by default; -Force disables the filter. Test-Path doesn't consult Attributes, so it always saw the dotfile. macOS .NET does NOT flag dotfiles as Hidden, which is why macOS passed the same code path. Fix: - Get-Item (Join-Path $dst '.globalconfig') -> Get-Item -LiteralPath (Join-Path $dst '.globalconfig') -Force (Adopts rubber-duck recommendation: -LiteralPath also avoids wildcard ambiguity for paths containing [ ] *.) - Cosmetic: displayName changed from "$(Build.SourcesDirectory)\PowerShell" to "$(Build.SourcesDirectory)/PowerShell" so the Linux log no longer reads "Stage repo into /mnt/vss/_work/1/s\PowerShell" (mixed separators). Playbook updated with Gotcha #13 (Linux dotfile Get-Item behaviour) and a new decision-tree row for "Get-Item: Could not find item /...<dotfile>". Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Configuration menu - View commit details
-
Copy full SHA for 2b24686 - Browse repository at this point
Copy the full SHA 2b24686View commit details -
1ES PT: SDL path overrides use forward slashes on Linux/macOS jobs
Build #686056 ran 24 of 25 jobs successfully — the dotfile Get-Item fix from cdb732234 worked perfectly. The only failure was the auto-injected "Guardian: CredScan (Binary)" SDL task in the Linux "Build non-windows test artifacts" job, which failed with: [ERROR] [Invalid Argument] SuppressionsPath: Invalid file path list. File not found - /mnt/vss/_work/1/s\.config\suppress.csk GuardianErrorExitCodeException: credscan completed with exit code 24 Root cause: the entry pipeline's PIPELINE-LEVEL sdl block uses Windows backslash paths ("$(Build.SourcesDirectory)\.config\suppress.json"). On Windows .NET, backslash AND forward slash both work as path separators, so the auto-injected SDL Sources Analysis (self) job — running on a Windows-default agent — passed. On Linux .NET, backslash is a LITERAL character, not a separator. The path resolves to "/mnt/vss/_work/1/s\.config\suppress.json" which the Guardian CLI's file-existence check rejects. The Linux BUILD jobs passed because linux.yml:64-66 already overrides sdl.tsa.configFile + sdl.credscan.suppressionsFile with forward-slash paths under PowerShellRoot. The Linux SIGN jobs and macOS SIGN jobs also had backslash overrides BUT passed by luck — 1ES PT does not inject Binary Analysis CredScan into sign-only jobs (they get CodeSignValidation only). The non-windows testartifacts job is the one job that (a) runs on os: linux AND (b) gets BinaryAnalysis CredScan injected AND (c) did not override the inherited backslash paths. Fix: - testartifacts.yml non-win job: add per-job sdl.tsa.configFile + sdl.credscan.suppressionsFile overrides with forward-slash paths under $(Build.SourcesDirectory)/PowerShell/.config/ (REQUIRED fix — unblocks the failing job). - linux.yml sign job (lines 185, 187): convert backslashes to forward slashes (DEFENSIVE — passing today only because CredScan isn't injected into sign jobs, would break if 1ES PT injection rules change). - mac.yml sign job (lines 153, 155): same defensive cleanup. NOT changed: - Pipeline-level (entry pipeline) sdl paths — still backslash, working fine for SDL Sources Analysis (self) which runs on Windows. Switching them to forward slashes is also safe (Windows accepts both), but out of scope; not changing what's working. - Windows-only job sdl paths (windows-hosted-build.yml, testartifacts.yml win job) — backslash is fine on Windows. Validated all 3 files via ConvertFrom-Yaml. Playbook (<session>/files/onebranch-to-1es-migration.md) — added Gotcha #14 (SDL paths on Linux/macOS) with watch-list of all templateContext.sdl.* overrides and a decision-tree row. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>Configuration menu - View commit details
-
Copy full SHA for 314f48a - Browse repository at this point
Copy the full SHA 314f48aView commit details -
Add ESRP test-signing siblings to 3 of 5 signing sites (hybrid stub/r…
…eal-task gate) Wire MS-Sign Test KeyCodes (CP-466277 for 1P, CP-466279 for 3P) into the 1ES Unofficial pipeline so the EsrpCodeSigning@5 task path can be exercised before full AME-onboarded PROD signing is available. Design: sibling-condition gate using the runtime variable EsrpTestConnectionName. Each modified signing site has two sibling steps: - Existing Write-Host stub, condition: eq(variables['EsrpTestConnectionName'], '') - New EsrpCodeSigning@5 task, condition: ne(variables['EsrpTestConnectionName'], '') In ADO expression syntax, variables['UndefinedVar'] evaluates to empty string, so the default behavior (no variable group attached) preserves the green baseline -- only stubs run. Attaching a variable group named EsrpSigningTest-PowerShell with 6 keys (EsrpTestConnectionName, EsrpTestAppRegClientId, EsrpTestAppRegTenantId, EsrpTestAuthAkvName, EsrpTestAuthCertName, EsrpTestAuthSignCertName) flips every modified site to real signing. Sites modified (3): - .pipelines/1ES/templates/obp-file-signing.yml site 1: 1P Authenticode, CP-466277 - .pipelines/1ES/templates/obp-file-signing.yml site 2: 3P Authenticode, CP-466279 - .pipelines/1ES/templates/windows-hosted-build.yml obj files: 1P Authenticode, CP-466277 Sites that STAY STUBBED (2): - windows-hosted-build.yml nupkg files: no NuGet-compatible test KeyCode available (NuGetSign operation cannot reuse Authenticode codes) - mac.yml Apple Mach-O CodeSign: no Apple test KeyCode available (MacAppDeveloperSign operation, entirely different cert chain) Header comment updates: - PowerShell-Coordinated_Packages-NonOfficial.yml entry pipeline: documents the 6 variable-group keys, KeyCode mapping table, PROD swap path, and the predicate caveat (test-signed files round-trip through both 1P and 3P paths in obp-file-signing.yml -- by design, do not fix) - obp-file-signing.yml: hybrid stub/test-signing mode documentation - windows-hosted-build.yml: per-site mode documentation All 3 modified YAML files validated via ConvertFrom-Yaml. Safe to push to the green rebuild/v7.9.99-rebuild.9 branch: default condition runs stubs (current green baseline preserved); test signing is opt-in by attaching the variable group at queue time. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>Configuration menu - View commit details
-
Copy full SHA for 4fae525 - Browse repository at this point
Copy the full SHA 4fae525View commit details -
Configuration menu - View commit details
-
Copy full SHA for b8f6ec6 - Browse repository at this point
Copy the full SHA b8f6ec6View commit details -
Wire Official 1ES ESRP signing to MI/WIF auth (UseMSIAuthentication)
The 5 production EsrpCodeSigning@5 blocks referenced AuthCertName: $(EsrpProdAuthCertName) - a separate authentication cert that was never provisioned. Our ESRP setup uses the ESRP-Signing-Identity managed identity over the PowerShell-ESRP-Release WIF connection, with only the request-signing cert (esrp-auth-sign) in pscoresignprod-kv. Replace AuthCertName with UseMSIAuthentication: true across all Official signing sites (1P CP-230012, 3P CP-231522, NuGet CP-401405, Apple CP-401337-Apple) so the MI's AAD token proves identity to ESRP. Drop EsrpProdAuthCertName from the Official entry-file variable-group doc. Test/stub blocks (EsrpTest*) unchanged. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Configuration menu - View commit details
-
Copy full SHA for ecfb4f0 - Browse repository at this point
Copy the full SHA ecfb4f0View commit details
This comparison is taking too long to generate.
Unfortunately it looks like we can’t render this comparison for you right now. It might be too big, or there might be something weird with your repository.
You can try running this command locally to see the comparison on your machine:
git diff master...release/v7.9.99-preview.9