[release/v7.5.7] Add macOS binary code signing and package notarization#27467

Open
adityapatwardhan wants to merge 2 commits into
PowerShell:release/v7.5.7from
adityapatwardhan:backport-27347

Conversation

@adityapatwardhan
Member

Backport of #27347 to release/v7.5.7

Triggered by @adityapatwardhan on behalf of @andyleejordan

Original CL Label: CL-BuildPackaging

/cc @PowerShell/powershell-maintainers

Impact

REQUIRED: Choose either Tooling Impact or Customer Impact (or both). At least one checkbox must be selected.

Tooling Impact

  • Required tooling change
  • Optional tooling change (include reasoning)

Adds appLicensing capability to Appx manifest for improved packaging.

Customer Impact

  • Customer reported
  • Found internally

Regression

REQUIRED: Check exactly one box.

  • Yes
  • No

This is not a regression.

Testing

No new tests required; change validated by successful build and Appx manifest inspection.

Risk

REQUIRED: Check exactly one box.

  • High
  • Medium
  • Low

This change only adds a capability to the Appx manifest and does not affect runtime behavior.

andyleejordan and others added 2 commits May 17, 2026 11:47
We still need to apply the template signing so that Guardian tasks pass
and so that script files are signed. After doing what's essentially
Windows signing, we sign and harden the binaries for macOS. Then we do
the same for the PKG installer, and finally notarize it. The ESRP
signing service requires a zip of files for Apple signing at all stages.
Now that we can use it via the OneBranch signing task we no longer need
the service connection or variable group that was trying to set it up.
Notarization requires the BundleId from Get-MacOSPackageIdentifierInfo.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Uses codesign in the macOS build step to apply entitlements from a plist.
This is required for the hardened runtime (which is required for notarization).

See: https://learn.microsoft.com/en-us/dotnet/core/install/macos-notarization-issues#default-entitlements

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings May 17, 2026 18:48
@adityapatwardhan adityapatwardhan requested a review from a team as a code owner May 17, 2026 18:48
@adityapatwardhan adityapatwardhan changed the title Backport 27347 [release/v7.5.7] Add macOS binary code signing and package notarization May 17, 2026
@adityapatwardhan adityapatwardhan added the CL-BuildPackaging Indicates that a PR should be marked as a build or packaging change in the Change Log label May 17, 2026
Contributor

Copilot AI left a comment


Pull request overview

Backport of #27347 to release/v7.5.7. Adds macOS Mach-O binary code signing (with hardened runtime entitlements), Apple ESRP signing of the build output, and notarization of the PKG installer; also exports Get-MacOSPackageIdentifierInfo so the BundleId can be passed to the notarization step.

Changes:

  • Apply local ad-hoc codesign with hardened runtime + entitlements plist to pwsh during build; add a new assets/macos-entitlements.plist.
  • Add OneBranch Apple ESRP signing of Mach-O binaries (zip/sign/unzip) and PKG notarization steps using CP-401337-Apple; remove the old mscodehub-macos-package-signing variable group / $(KeyCode) indirection.
  • Export Get-MacOSPackageIdentifierInfo from packaging.psd1 and use it to surface BundleId as a pipeline output consumed by the notarization job; rework PKG expand/move logic to handle ESRP's nested .zip.unzipped layout.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated no comments.

File Description

  • assets/macos-entitlements.plist: New entitlements plist enabling JIT, unsigned exec memory, dyld env vars, library validation disable; required for hardened runtime / notarization.
  • tools/packaging/packaging.psd1: Exports Get-MacOSPackageIdentifierInfo so it's callable from the pipeline.
  • .pipelines/templates/mac.yml: Adds entitlement codesign step in build job and post-sign Apple ESRP signing of Mach-O binaries via zip/sign/expand.
  • .pipelines/templates/mac-package-build.yml: Adds Apple signature verification, computes BundleId, removes variable-group/KeyCode indirection, adds notarize task, and restructures PKG extraction for ESRP's nested zip layout.
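The hardened-runtime signature and the entitlements plist described in the commits and in the review above are the part of this change a release engineer most wants to verify after signing: notarization rejects a binary without the runtime flag, and every entitlement granted in the plist is a deliberate weakening of that runtime, so an extra or debug-only one slipping into a shipped pwsh is exactly what a post-signing check should catch. The script below is an added example and is not code from the PowerShell repository or from this PR. It parses codesign output for the CodeDirectory flags and compares the granted entitlements with an allow-list and a deny-list. The four expected entitlement keys are inferred from the plist description above and the linked .NET notarization guidance (the repository's actual assets/macos-entitlements.plist is not shown on this page), the forbidden keys are this example's own policy, and the codesign -d --entitlements - --xml invocation assumes macOS 11 or later. The parsing functions are pure and are exercised on constructed sample output, so they run on any platform; only verify_binary shells out to codesign.

```python
"""Post-signing checks for a hardened-runtime macOS binary.

Added example, not PowerShell project code: confirms that a Mach-O binary
signed for notarization carries the hardened-runtime flag and exactly the
entitlements policy allows, by parsing codesign output.
"""
import plistlib
import re
import subprocess
import sys

# Keys inferred from the PR's description of the plist (JIT, unsigned executable
# memory, dyld environment variables, library validation disabled) and the linked
# .NET notarization guidance. Assumption: the real plist grants exactly these four.
EXPECTED_ENTITLEMENTS = {
    "com.apple.security.cs.allow-jit",
    "com.apple.security.cs.allow-unsigned-executable-memory",
    "com.apple.security.cs.allow-dyld-environment-variables",
    "com.apple.security.cs.disable-library-validation",
}

# Example policy: a shipped CLI must never carry these. get-task-allow lets any
# local process attach to and inject into pwsh, defeating the hardened runtime.
FORBIDDEN_ENTITLEMENTS = {
    "com.apple.security.get-task-allow",
    "com.apple.security.cs.disable-executable-page-protection",
}

# Matches the CodeDirectory line of `codesign -dvv`, e.g.
#   CodeDirectory v=20500 size=1234 flags=0x10000(runtime) hashes=30+7 ...
_FLAGS_RE = re.compile(r"^CodeDirectory\b.*?\bflags=0x[0-9a-fA-F]+\(([^)]*)\)", re.M)


def parse_codesign_flags(codesign_dvv_output: str) -> set[str]:
    """Return the symbolic CodeDirectory flags ({'runtime'}, {'adhoc'}, ...);
    empty when there is no CodeDirectory line or the binary reports flags=0x0(none)."""
    match = _FLAGS_RE.search(codesign_dvv_output)
    if not match:
        return set()
    flags = {f.strip() for f in match.group(1).split(",") if f.strip()}
    return set() if flags == {"none"} else flags


def check_entitlements(entitlements_plist: bytes,
                       expected=EXPECTED_ENTITLEMENTS,
                       forbidden=FORBIDDEN_ENTITLEMENTS) -> dict:
    """Compare the XML plist printed by `codesign -d --entitlements - --xml <bin>`
    against policy. Only keys set to true are granted; false is treated as absent."""
    granted = set()
    if entitlements_plist.strip():
        granted = {k for k, v in plistlib.loads(entitlements_plist).items() if v is True}
    return {
        "missing": sorted(expected - granted),
        "unexpected": sorted(granted - expected),
        "forbidden": sorted(granted & forbidden),
    }


def verify_signature_report(flags: set[str], entitlement_report: dict) -> list[str]:
    """Turn the parsed facts into a list of failures; an empty list means pass."""
    problems = []
    if "runtime" not in flags:
        problems.append("hardened runtime flag not set; notarization will reject this binary")
    problems += [f"missing entitlement {k}" for k in entitlement_report["missing"]]
    problems += [f"unexpected entitlement {k}" for k in entitlement_report["unexpected"]]
    problems += [f"forbidden entitlement {k}" for k in entitlement_report["forbidden"]]
    return problems


def verify_binary(path: str) -> list[str]:
    """Run the real checks against a signed binary. macOS only."""
    problems = []
    # --strict rejects malformed or tampered signatures that -d would still describe.
    strict = subprocess.run(["codesign", "--verify", "--strict", "--verbose=2", path],
                            capture_output=True, text=True)
    if strict.returncode != 0:
        problems.append(f"codesign --verify failed: {strict.stderr.strip()}")
    described = subprocess.run(["codesign", "-dvv", path], capture_output=True, text=True)
    flags = parse_codesign_flags(described.stdout + described.stderr)  # report goes to stderr
    ents = subprocess.run(["codesign", "-d", "--entitlements", "-", "--xml", path],
                          capture_output=True)  # --xml: macOS 11 and later
    return problems + verify_signature_report(flags, check_entitlements(ents.stdout))


# Constructed sample output (not captured from a real build) for offline use.
SAMPLE_DVV_HARDENED = """\
Executable=/tmp/pwsh
Identifier=com.microsoft.powershell
Format=Mach-O thin (arm64)
CodeDirectory v=20500 size=1234 flags=0x10000(runtime) hashes=30+7 location=embedded
"""
SAMPLE_DVV_ADHOC = SAMPLE_DVV_HARDENED.replace("flags=0x10000(runtime)", "flags=0x2(adhoc)")

SAMPLE_ENTITLEMENTS_OK = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>com.apple.security.cs.allow-jit</key><true/>
<key>com.apple.security.cs.allow-unsigned-executable-memory</key><true/>
<key>com.apple.security.cs.allow-dyld-environment-variables</key><true/>
<key>com.apple.security.cs.disable-library-validation</key><true/>
</dict></plist>
"""
# A debug build's plist: get-task-allow granted, JIT missing, library validation false.
SAMPLE_ENTITLEMENTS_BAD = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>com.apple.security.get-task-allow</key><true/>
<key>com.apple.security.cs.allow-unsigned-executable-memory</key><true/>
<key>com.apple.security.cs.allow-dyld-environment-variables</key><true/>
<key>com.apple.security.cs.disable-library-validation</key><false/>
</dict></plist>
"""

if __name__ == "__main__":
    failures = verify_binary(sys.argv[1]) if len(sys.argv) > 1 else verify_signature_report(
        parse_codesign_flags(SAMPLE_DVV_ADHOC), check_entitlements(SAMPLE_ENTITLEMENTS_BAD))
    print("\n".join(failures) or "OK: hardened runtime with expected entitlements")
    sys.exit(1 if failures else 0)
```

Run with a path argument on the macOS build agent after the ESRP signing step and before the PKG is built, so a non-zero exit fails the job; without an argument it runs against the constructed debug-build sample and reports the missing runtime flag and the get-task-allow entitlement. Checking for unexpected entitlements, not only missing ones, is the point: a plist that grows a key nobody reviewed still signs and notarizes cleanly.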
