Add macOS code signing and notarization via ESRP #335
Merged
Wire up EsrpCodeSigning@5 in Mac.Build.Job.yml to sign the mxc-exec-mac binary with Microsoft's Developer ID Application certificate (CP-401337-Apple) and submit it to Apple's notary service during official builds.

Changes:
- Add isOfficialBuild and ESRPInfo parameters to Mac.Build.Job.yml
- Add MacAppDeveloperSign step with hardened runtime (--options=runtime)
- Add MacAppNotarize step with bundle ID com.microsoft.mxc
- Update 1ES.Build.yml to pass ESRPInfo and isOfficialBuild to the Mac template (mirroring the Rust.Build.Job.yml pattern)

Both steps are conditioned on isOfficialBuild=true so PR validation builds continue to skip signing.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Contributor
Pull request overview
Adds macOS release-pipeline support for signing and notarizing the mxc-exec-mac binary via ESRP, aligning the macOS build flow with existing “official build” signing patterns used for other platforms.
Changes:
- Introduces `isOfficialBuild` + `ESRPInfo` parameters to the macOS build job template.
- Adds ESRP `EsrpCodeSigning@5` steps to Developer ID sign (hardened runtime) and notarize the macOS binary on official builds only.
- Updates `1ES.Build.yml` to pass `isOfficialBuild`/`ESRPInfo` into the macOS build template.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| .azure-pipelines/templates/Mac.Build.Job.yml | Adds ESRP-based macOS codesign + notarization steps gated on official builds. |
| .azure-pipelines/1ES.Build.yml | Passes official-build and ESRP parameters into the macOS build template. |
- Gate signing and notarization steps with and(succeeded(), ...) to prevent running on failed builds
- Add YAML comment explaining why stapling is intentionally omitted (Apple does not support stapling standalone Mach-O binaries)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Update the pipeline to implement the complete Apple signing workflow per PRSS guidelines:
1. Fetch Developer ID cert from Azure Key Vault
2. Import into temporary keychain on macOS agent
3. Codesign binary with Developer ID + entitlements
4. ESRP MacAppDeveloperSign (hardened runtime)
5. ESRP MacAppNotarize (Apple notary service)

Additional changes:
- Add AppleSigningInfo parameter (Key Vault connection, cert secrets, signing identity)
- Add mac-entitlements.plist (empty — no special entitlements needed for a CLI that spawns sandboxed children via sandbox_init)
- Pass AppleSigningInfo from 1ES.Build.yml to Mac template

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Based on research into Universal Print, Edge, and Teams pipelines, ESRP handles the full signing flow via CP-401337-Apple (MacAppDeveloperSign) without needing a local Developer ID cert.

Removes:
- Key Vault cert fetch step
- Local codesign script
- Notarization step (not needed for npm distribution)
- mac-entitlements.plist (ESRP applies hardened runtime directly)
- AppleSigningInfo parameter

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
force-pushed from d4b1221 to 770882a
ESRP's MacAppDeveloperSign operation requires .zip or .dmg input — raw Mach-O binaries are rejected with 'Incorrect file type used for command -z'. Wrap the binary in a zip before signing and extract it afterward. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Contributor
Author
release test pipeline succeeded: https://microsoft.visualstudio.com/Dart/_build/results?buildId=147334867&view=results
Add MacAppNotarize ESRP task after the existing MacAppDeveloperSign step, following the same pattern used by TypeSpec and Kiota. This submits the signed binary to Apple's notary service so Gatekeeper accepts it without the 'could not verify free of malware' warning. BundleId: com.microsoft.mxc Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
bbonaby
approved these changes
May 19, 2026
| # plumbing. The produced artifact name follows the same scheme | ||
| # (mxc-binaries-<triplet>) so Package_MXC_NPM_SDK can consume it. | ||
| # pool (Microsoft-hosted). The produced artifact name follows the same | ||
| # scheme (mxc-binaries-<triplet>) so Package_MXC_NPM_SDK can consume it. |
Collaborator
I think Package_MXC_NPM_SDK is now just Package_MXC
📖 Description
Wire up EsrpCodeSigning@5 in Mac.Build.Job.yml to sign and notarize the `mxc-exec-mac` binary with Microsoft's Developer ID Application certificate (CP-401337-Apple) during official builds.

Changes
- Add `isOfficialBuild` and `ESRPInfo` parameters to `Mac.Build.Job.yml`
- … (`.zip` or `.dmg` input)
- … (`--options=runtime`)
- … `com.microsoft.mxc`
- Update `1ES.Build.yml` to pass `ESRPInfo` and `isOfficialBuild` to the Mac template (mirroring the `Rust.Build.Job.yml` pattern)

Both steps are conditioned on `isOfficialBuild=true` so PR validation builds continue to skip signing.

Validation
- `codesign -dv --verbose=4` …
- `spctl --assess` reports "rejected (the code is valid but does not seem to be an app)" — expected for a standalone CLI binary (not a .app bundle); Gatekeeper passes when executed normally

🔗 References
✅ Checklist
📋 Issue Type
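The Validation section above reads the `codesign -dv --verbose=4` and `spctl --assess` output by eye. The script below is an added example, not code from this PR or from the mxc project: it turns those two checks into pass/fail functions a pipeline step can run on the macOS agent after the ESRP unzip step, failing when the hardened runtime flag is missing, when the signer is not a Developer ID Application certificate chained to Apple Root CA, or when there is no secure timestamp (which notarization requires), while treating the "does not seem to be an app" verdict that spctl gives every standalone CLI as the expected result. The binary name `mxc-exec-mac` comes from the PR; the sample tool outputs, the team ID placeholder and the `Example Corp` signer are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from PR #335 or the mxc project.
# Post-signing checks for a standalone Mach-O CLI signed through ESRP
# MacAppDeveloperSign. Instead of printing `codesign -dv --verbose=4` and
# `spctl --assess` for a human to read, parse their output and fail the
# step when the hardened runtime flag or the Developer ID chain is missing.
# The binary name (mxc-exec-mac) is from the PR; the sample tool outputs
# below are constructed for illustration.

# Reads the description codesign prints (on stderr) from stdin.
# Returns 0 when it shows a hardened-runtime flag, a Developer ID
# Application certificate chained to Apple Root CA, and a secure
# timestamp (notarization requires one); returns 1 otherwise.
check_codesign_output() {
    out=$(cat)
    # The CodeDirectory line carries the flags, e.g. flags=0x10000(runtime).
    printf '%s\n' "$out" | grep -q '^CodeDirectory .*flags=[^ ]*runtime' || {
        echo "FAIL: hardened runtime (--options=runtime) not set" >&2; return 1; }
    # An ad-hoc signature can also carry the runtime flag but has no
    # Authority lines, so the chain check is what proves ESRP signed it.
    printf '%s\n' "$out" | grep -q '^Authority=Developer ID Application: ' || {
        echo "FAIL: no Developer ID Application signing certificate" >&2; return 1; }
    printf '%s\n' "$out" | grep -q '^Authority=Apple Root CA$' || {
        echo "FAIL: certificate chain does not end at Apple Root CA" >&2; return 1; }
    printf '%s\n' "$out" | grep -q '^Timestamp=' || {
        echo "FAIL: no secure timestamp" >&2; return 1; }
    return 0
}

# Reads `spctl --assess --verbose` output from stdin. For a bare CLI binary
# (not a .app bundle) Gatekeeper's assessment reports
# "rejected (the code is valid but does not seem to be an app)"; that is the
# expected verdict and is accepted here. Any other rejection (no usable
# signature, unnotarized Developer ID, ...) fails the check.
check_spctl_output() {
    out=$(cat)
    printf '%s\n' "$out" | grep -q ': accepted$' && return 0
    printf '%s\n' "$out" | grep -q ': rejected (the code is valid but does not seem to be an app)$' && return 0
    echo "FAIL: spctl: $out" >&2
    return 1
}

# Constructed sample outputs (not captured from a real build).
SAMPLE_SIGNED='Executable=/work/mxc-exec-mac
Identifier=mxc-exec-mac
Format=Mach-O thin (arm64)
CodeDirectory v=20500 size=12345 flags=0x10000(runtime) hashes=380+7 location=embedded
Signature size=9043
Authority=Developer ID Application: Example Corp (TEAMID0000)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=May 19, 2026 at 10:00:00 AM
TeamIdentifier=TEAMID0000
Runtime Version=14.0.0'

SAMPLE_ADHOC='Executable=/work/mxc-exec-mac
Identifier=mxc-exec-mac
Format=Mach-O thin (arm64)
CodeDirectory v=20400 size=1234 flags=0x2(adhoc) hashes=30+2 location=embedded
Signature=adhoc'

SAMPLE_SPCTL_CLI='mxc-exec-mac: rejected (the code is valid but does not seem to be an app)'
SAMPLE_SPCTL_BAD='mxc-exec-mac: rejected
source=no usable signature'

# Pipeline usage (on the macOS agent, after the ESRP sign/unzip steps;
# codesign writes its description to stderr, hence 2>&1):
#   codesign -dv --verbose=4 mxc-exec-mac 2>&1 | check_codesign_output
#   spctl --assess --verbose=4 mxc-exec-mac 2>&1 | check_spctl_output
```

Because a standalone Mach-O cannot be stapled (the commit above notes this), nothing on the artifact itself proves the notarization succeeded; that is confirmed only by the notarize step's own result and, at run time, by Gatekeeper contacting Apple on first launch. These checks cover what is verifiable offline: that the binary carries the hardened runtime flag ESRP was asked for and a Developer ID signature with a timestamp, the two properties the notary service would have rejected without.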