
Add macOS code signing and notarization via ESRP#335

Merged
richiemsft merged 10 commits into main from user/saulg/signMacOsBin on May 19, 2026

Conversation

@richiemsft richiemsft (Contributor) commented May 18, 2026

📖 Description

Wire up EsrpCodeSigning@5 in Mac.Build.Job.yml to sign and notarize the mxc-exec-mac binary with Microsoft's Developer ID Application certificate (CP-401337-Apple) during official builds.

Changes

  • Add isOfficialBuild and ESRPInfo parameters to Mac.Build.Job.yml
  • Zip the binary before signing (ESRP Mac signing requires .zip or .dmg input)
  • Add MacAppDeveloperSign step with hardened runtime (--options=runtime)
  • Add MacAppNotarize step with bundle ID com.microsoft.mxc
  • Unzip signed/notarized binary back for publishing
  • Update 1ES.Build.yml to pass ESRPInfo and isOfficialBuild to the Mac template (mirroring the Rust.Build.Job.yml pattern)

Both steps are conditioned on isOfficialBuild=true so PR validation builds continue to skip signing.

Validation

  • ✅ Pipeline succeeded with signing + notarization
  • ✅ Downloaded artifact and verified signature: codesign -dv --verbose=4
  • ✅ Verified notarization: spctl --assess reports "rejected (the code is valid but does not seem to be an app)" — expected for a standalone CLI binary (not a .app bundle); Gatekeeper passes when executed normally
  • ✅ Ran example tests against the signed binary successfully

🔗 References

✅ Checklist

📋 Issue Type

  • Feature
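The validation steps above (`codesign -dv --verbose=4` and `spctl --assess`) can be turned into a release gate that fails the pipeline when the artifact does not carry the properties notarization depends on: a Developer ID Application authority, the hardened-runtime flag, and a secure timestamp, plus an spctl verdict that is either "accepted" or the "not an app" result expected for a standalone CLI. The script below is an added example, not code from this PR or the project. The check functions work on captured text so they can be exercised offline against constructed sample output; the team name and team ID in the samples are placeholders, and `inspect_binary` assumes a macOS agent with network access for spctl's notarization lookup.

```shell
#!/bin/sh
# Added example (not from the PR): post-build gate for an ESRP-signed macOS CLI.
# The check functions parse the text of `codesign -dv --verbose=4` and
# `spctl --assess`; inspect_binary feeds them live output on a Mac agent.

# Constructed sample of `codesign -dv --verbose=4` output for a signed,
# hardened-runtime Developer ID binary. Team name and team ID are placeholders.
SAMPLE_CODESIGN_OK='Executable=/tmp/mxc-exec-mac
Identifier=mxc-exec-mac
Format=Mach-O thin (arm64)
CodeDirectory v=20500 size=9876 flags=0x10000(runtime) hashes=300+7 location=embedded
Signature size=8952
Authority=Developer ID Application: PLACEHOLDER TEAM (PLACEHOLDER)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=May 19, 2026 at 10:20:00 AM
Info.plist=not bound
TeamIdentifier=PLACEHOLDER
Runtime Version=14.0.0
Sealed Resources=none
Internal requirements count=1 size=172'

# Constructed sample of an ad-hoc signature, as a local unsigned build carries:
# no authority chain, no timestamp, no runtime flag.
SAMPLE_CODESIGN_ADHOC='Executable=/tmp/mxc-exec-mac
Identifier=mxc-exec-mac
Format=Mach-O thin (arm64)
CodeDirectory v=20400 size=9876 flags=0x2(adhoc) hashes=300+0 location=embedded
Signature=adhoc
Info.plist=not bound
TeamIdentifier=not set
Sealed Resources=none
Internal requirements count=0 size=12'

# Constructed spctl verdicts. The first is the expected result for a notarized
# standalone CLI (not a .app bundle), as reported in the PR description.
SAMPLE_SPCTL_CLI='/tmp/mxc-exec-mac: rejected (the code is valid but does not seem to be an app)'
SAMPLE_SPCTL_BAD='/tmp/mxc-exec-mac: rejected
source=no usable signature'

# Hardened runtime appears as the "runtime" flag on the CodeDirectory line.
has_hardened_runtime() {
    printf '%s\n' "$1" | grep -q '^CodeDirectory .*flags=0x[0-9a-fA-F]*([^)]*runtime'
}

# A Developer ID Application certificate must head the authority chain;
# an ad-hoc or self-signed build has no such line.
signed_by_developer_id() {
    printf '%s\n' "$1" | grep -q '^Authority=Developer ID Application:'
}

# Apple's notary service requires a secure timestamp on the signature.
has_secure_timestamp() {
    printf '%s\n' "$1" | grep -q '^Timestamp='
}

# Classify spctl output. "not-an-app" is a pass for a bare Mach-O CLI: the
# code is valid, it is just not a bundle Gatekeeper can assess as an app.
spctl_verdict() {
    case "$1" in
        *'rejected (the code is valid but does not seem to be an app)'*) echo not-an-app ;;
        *': accepted'*) echo accepted ;;
        *) echo rejected ;;
    esac
}

# Combined gate: succeeds only when the signature has all three properties
# and spctl did not reject the code itself.
verify_outputs() {
    codesign_text=$1
    spctl_text=$2
    has_hardened_runtime "$codesign_text" || { echo 'FAIL: hardened runtime not enabled' >&2; return 1; }
    signed_by_developer_id "$codesign_text" || { echo 'FAIL: not signed with a Developer ID certificate' >&2; return 1; }
    has_secure_timestamp "$codesign_text" || { echo 'FAIL: no secure timestamp' >&2; return 1; }
    case "$(spctl_verdict "$spctl_text")" in
        accepted|not-an-app) return 0 ;;
        *) echo 'FAIL: spctl rejected the code' >&2; return 1 ;;
    esac
}

# On a macOS agent: run the real tools on a binary path and gate on the result.
# codesign writes its description to stderr, hence 2>&1. spctl exits non-zero
# for a CLI even when the code is valid, so its status is ignored here and the
# verdict text is classified instead.
inspect_binary() {
    codesign_out=$(codesign -dv --verbose=4 "$1" 2>&1) || return 1
    spctl_out=$(spctl --assess --type execute --verbose "$1" 2>&1) || true
    verify_outputs "$codesign_out" "$spctl_out"
}

if [ $# -eq 1 ]; then
    inspect_binary "$1"
else
    # No binary given: exercise the gate on the constructed samples.
    verify_outputs "$SAMPLE_CODESIGN_OK" "$SAMPLE_SPCTL_CLI" && echo 'signed sample: PASS'
    verify_outputs "$SAMPLE_CODESIGN_ADHOC" "$SAMPLE_SPCTL_BAD" || echo 'ad-hoc sample: rejected as expected'
fi
```

Run it with the downloaded artifact path on a Mac to gate a release; run it with no arguments to see the checks exercised against the embedded samples. Stapling is not an option for a bare Mach-O binary, so the spctl step is the only point at which the notarization ticket is actually consulted, which is why the gate classifies its verdict text rather than treating its non-zero exit as a failure.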

Wire up EsrpCodeSigning@5 in Mac.Build.Job.yml to sign the
mxc-exec-mac binary with Microsoft's Developer ID Application
certificate (CP-401337-Apple) and submit it to Apple's notary
service during official builds.

Changes:
- Add isOfficialBuild and ESRPInfo parameters to Mac.Build.Job.yml
- Add MacAppDeveloperSign step with hardened runtime (--options=runtime)
- Add MacAppNotarize step with bundle ID com.microsoft.mxc
- Update 1ES.Build.yml to pass ESRPInfo and isOfficialBuild to the
  Mac template (mirroring the Rust.Build.Job.yml pattern)

Both steps are conditioned on isOfficialBuild=true so PR validation
builds continue to skip signing.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings May 18, 2026 16:57

Copilot AI left a comment

Pull request overview

Adds macOS release-pipeline support for signing and notarizing the mxc-exec-mac binary via ESRP, aligning the macOS build flow with existing “official build” signing patterns used for other platforms.

Changes:

  • Introduces isOfficialBuild + ESRPInfo parameters to the macOS build job template.
  • Adds ESRP EsrpCodeSigning@5 steps to Developer ID sign (hardened runtime) and notarize the macOS binary on official builds only.
  • Updates 1ES.Build.yml to pass isOfficialBuild/ESRPInfo into the macOS build template.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.

File Description
.azure-pipelines/templates/Mac.Build.Job.yml Adds ESRP-based macOS codesign + notarization steps gated on official builds.
.azure-pipelines/1ES.Build.yml Passes official-build and ESRP parameters into the macOS build template.

Richie Gomez and others added 3 commits May 18, 2026 10:13
- Gate signing and notarization steps with and(succeeded(), ...) to
  prevent running on failed builds
- Add YAML comment explaining why stapling is intentionally omitted
  (Apple does not support stapling standalone Mach-O binaries)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Update the pipeline to implement the complete Apple signing workflow
per PRSS guidelines:

1. Fetch Developer ID cert from Azure Key Vault
2. Import into temporary keychain on macOS agent
3. Codesign binary with Developer ID + entitlements
4. ESRP MacAppDeveloperSign (hardened runtime)
5. ESRP MacAppNotarize (Apple notary service)

Additional changes:
- Add AppleSigningInfo parameter (Key Vault connection, cert secrets,
  signing identity)
- Add mac-entitlements.plist (empty — no special entitlements needed
  for a CLI that spawns sandboxed children via sandbox_init)
- Pass AppleSigningInfo from 1ES.Build.yml to Mac template

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@richiemsft richiemsft marked this pull request as ready for review May 18, 2026 18:51
@richiemsft richiemsft marked this pull request as draft May 18, 2026 18:51
Based on research into Universal Print, Edge, and Teams pipelines,
ESRP handles the full signing flow via CP-401337-Apple (MacAppDeveloperSign)
without needing a local Developer ID cert. Removes:
- Key Vault cert fetch step
- Local codesign script
- Notarization step (not needed for npm distribution)
- mac-entitlements.plist (ESRP applies hardened runtime directly)
- AppleSigningInfo parameter

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@richiemsft richiemsft force-pushed the user/saulg/signMacOsBin branch from d4b1221 to 770882a on May 19, 2026 16:19
ESRP's MacAppDeveloperSign operation requires .zip or .dmg input —
raw Mach-O binaries are rejected with 'Incorrect file type used for
command -z'. Wrap the binary in a zip before signing and extract it
afterward.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Richie Gomez and others added 2 commits May 19, 2026 10:20
Add MacAppNotarize ESRP task after the existing MacAppDeveloperSign step,
following the same pattern used by TypeSpec and Kiota. This submits the
signed binary to Apple's notary service so Gatekeeper accepts it without
the 'could not verify free of malware' warning.

BundleId: com.microsoft.mxc

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@richiemsft richiemsft marked this pull request as ready for review May 19, 2026 17:44
Richie Gomez and others added 2 commits May 19, 2026 13:25
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
# plumbing. The produced artifact name follows the same scheme
# (mxc-binaries-<triplet>) so Package_MXC_NPM_SDK can consume it.
# pool (Microsoft-hosted). The produced artifact name follows the same
# scheme (mxc-binaries-<triplet>) so Package_MXC_NPM_SDK can consume it.

Collaborator commented:

I think Package_MXC_NPM_SDK is now just Package_MXC

@richiemsft richiemsft merged commit f1b455b into main May 19, 2026
18 checks passed
@richiemsft richiemsft deleted the user/saulg/signMacOsBin branch May 19, 2026 22:58