[release/v7.6.2] Add macOS binary code signing and package notarization #27434

Merged: daxian-dbw merged 1 commit into PowerShell:release/v7.6.2 from daxian-dbw:backport/release/v7.6.2/27347-b9bd8cbc5 on May 13, 2026
Conversation

@daxian-dbw (Member)

Backport of #27347 to release/v7.6.2

Triggered by @daxian-dbw on behalf of @andyleejordan

Original CL Label: CL-BuildPackaging

/cc @PowerShell/powershell-maintainers

Impact

REQUIRED: Choose either Tooling Impact or Customer Impact (or both). At least one checkbox must be selected.

Tooling Impact

  • Required tooling change
  • Optional tooling change (include reasoning)

Adds Apple notarization for macOS packages: signs and hardens binaries using ESRP/OneBranch signing tasks, notarizes the PKG installer, and applies entitlements required for the hardened runtime.

Customer Impact

  • Customer reported
  • Found internally

Regression

REQUIRED: Check exactly one box.

  • Yes
  • No

This is not a regression.

Testing

Verified via the original PR. The signing and notarization flow was validated interactively. No automated tests added as this can only be tested through the full pipeline run.

Risk

REQUIRED: Check exactly one box.

  • High
  • Medium
  • Low

Significant pipeline changes to add Apple notarization support, but all changes are confined to build/signing pipeline templates and tooling. No runtime code changes.

Uses codesign in the macOS build step to apply entitlements from a plist.
This is required for the hardened runtime (which is required for notarization).

See: https://learn.microsoft.com/en-us/dotnet/core/install/macos-notarization-issues#default-entitlements

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
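As an added example that is not part of this PR or of the PowerShell project's own tooling: a Python check that a build pipeline could run against an entitlements plist before the codesign step, so that every entitlement which relaxes the hardened runtime has to be explicitly allow-listed rather than slipping in unnoticed. The sample plist is constructed for this example and carries only the two keys visible in the review snippet plus one deliberately disabled key; the catalogue of relaxing entitlements and the descriptions are this example's own summary, not text from the PR.

```python
"""Audit a macOS entitlements plist for keys that relax the hardened runtime.

Added example; the plist below is constructed and is not the project's file.
"""
import plistlib
from typing import Dict, FrozenSet, List

# Hardened-runtime entitlements that each remove one protection. The text is
# this example's own one-line summary of what granting the key permits.
HARDENED_RUNTIME_RELAXATIONS: Dict[str, str] = {
    "com.apple.security.cs.allow-jit":
        "permits writable+executable memory mapped with MAP_JIT",
    "com.apple.security.cs.allow-unsigned-executable-memory":
        "permits unsigned executable memory",
    "com.apple.security.cs.disable-executable-page-protection":
        "disables executable page protection entirely",
    "com.apple.security.cs.disable-library-validation":
        "permits loading dylibs/plug-ins not signed by the same Team ID or Apple",
    "com.apple.security.cs.allow-dyld-environment-variables":
        "honours DYLD_* environment variables (library injection vector)",
    "com.apple.security.cs.debugger":
        "lets the process attach as a debugger to other processes",
    "com.apple.security.get-task-allow":
        "lets other processes attach a debugger to this one",
}

# Constructed sample: the two keys shown in the review snippet, granted, and
# one further key present but explicitly set to false.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.cs.allow-dyld-environment-variables</key>
    <true/>
    <key>com.apple.security.cs.disable-library-validation</key>
    <true/>
    <key>com.apple.security.get-task-allow</key>
    <false/>
</dict>
</plist>
"""


def audit_entitlements(plist_bytes: bytes,
                       allowed: FrozenSet[str] = frozenset()) -> Dict[str, List[str]]:
    """Parse the plist and classify its entitlements.

    granted    - keys whose value is exactly boolean true (what codesign embeds)
    malformed  - keys whose value is not a boolean at all (e.g. <string>true</string>)
    relaxing   - granted keys that weaken the hardened runtime
    unexpected - relaxing keys that are not on the caller's allow-list
    """
    data = plistlib.loads(plist_bytes)
    if not isinstance(data, dict):
        raise ValueError("entitlements plist must have a <dict> at top level")
    granted = sorted(k for k, v in data.items() if v is True)
    malformed = sorted(k for k, v in data.items() if not isinstance(v, bool))
    relaxing = [k for k in granted if k in HARDENED_RUNTIME_RELAXATIONS]
    unexpected = [k for k in relaxing if k not in allowed]
    return {"granted": granted, "malformed": malformed,
            "relaxing": relaxing, "unexpected": unexpected}


def gate(plist_bytes: bytes, allowed: FrozenSet[str] = frozenset()) -> bool:
    """Pipeline gate: True only if every relaxing entitlement is allow-listed
    and nothing in the file is malformed."""
    result = audit_entitlements(plist_bytes, allowed)
    return not result["unexpected"] and not result["malformed"]


def format_report(result: Dict[str, List[str]]) -> str:
    """Human-readable report for the build log."""
    lines = [f"granted entitlements: {len(result['granted'])}"]
    for key in result["relaxing"]:
        mark = "UNEXPECTED" if key in result["unexpected"] else "allowed"
        lines.append(f"  [{mark}] {key}: {HARDENED_RUNTIME_RELAXATIONS[key]}")
    for key in result["malformed"]:
        lines.append(f"  [MALFORMED] {key}: value is not a boolean")
    return "\n".join(lines)


if __name__ == "__main__":
    report = audit_entitlements(SAMPLE_PLIST)
    print(format_report(report))
    # With an empty allow-list both granted keys are flagged and the gate fails.
    print("gate passes:", gate(SAMPLE_PLIST))
```

In a pipeline the allow-list would be checked into the repository next to the plist, so that adding a new relaxing entitlement requires a visible change to both files and a reviewer sees it in the diff.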
Copilot AI review requested due to automatic review settings May 13, 2026 20:33
@daxian-dbw daxian-dbw requested review from a team and jshigetomi as code owners May 13, 2026 20:33
@daxian-dbw daxian-dbw added the CL-BuildPackaging Indicates that a PR should be marked as a build or packaging change in the Change Log label May 13, 2026
Copilot AI (Contributor) left a comment


Pull request overview

This PR (backport of #27347) starts introducing macOS hardened runtime preparation by adding an entitlements plist and applying those entitlements to the built pwsh binary in the macOS build pipeline via codesign.

Changes:

  • Add a new assets/macos-entitlements.plist entitlements file intended for hardened runtime.
  • Update .pipelines/templates/mac.yml to run codesign on the built pwsh with --options runtime and the new entitlements.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.

File                              | Description
assets/macos-entitlements.plist   | Introduces an entitlements plist to be applied during macOS signing/hardening.
.pipelines/templates/mac.yml      | Applies the entitlements to pwsh during the macOS build job via codesign.

Comment on lines +72 to +76
$entitlements = "$(PowerShellRoot)/assets/macos-entitlements.plist"
$pwshBin = "$(OB_OUTPUTDIRECTORY)/pwsh"
Write-Verbose -Verbose "Applying entitlements to $pwshBin"
codesign --sign - --force --options runtime --entitlements $entitlements $pwshBin
if ($LASTEXITCODE -ne 0) {
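Review bot: `codesign --sign -` applies an ad-hoc signature, which is enough to attach `--options runtime` and the entitlements for a build-time check but is not a Developer ID signature and cannot pass notarization by itself; because a later signing step (the PR description points at the ESRP/OneBranch tasks) replaces the whole signature, including the embedded entitlements, confirm that step also passes `--options runtime --entitlements <plist>`, otherwise the hardened runtime and entitlements applied here do not survive into the shipped binary.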
Comment on lines +72 to +79
$entitlements = "$(PowerShellRoot)/assets/macos-entitlements.plist"
$pwshBin = "$(OB_OUTPUTDIRECTORY)/pwsh"
Write-Verbose -Verbose "Applying entitlements to $pwshBin"
codesign --sign - --force --options runtime --entitlements $entitlements $pwshBin
if ($LASTEXITCODE -ne 0) {
throw "codesign failed with exit code $LASTEXITCODE"
}
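Review bot: the `$LASTEXITCODE` check only catches a failed `codesign` invocation and nothing inspects what was produced; adding `codesign --verify --verbose $pwshBin` and `codesign -d --entitlements - $pwshBin` right after the signing call (with the same exit-code check) would fail the build when the runtime flag or the entitlements are missing from the resulting signature, which is the condition notarization rejects much later in the pipeline.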
Comment on lines +8 to +12
<true/>
<key>com.apple.security.cs.allow-dyld-environment-variables</key>
<true/>
<key>com.apple.security.cs.disable-library-validation</key>
<true/>
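Review bot: `disable-library-validation` and `allow-dyld-environment-variables` are the two entitlements in this snippet that most weaken the hardened runtime (the first lets pwsh load dylibs not signed by the same Team ID or Apple, the second lets `DYLD_*` variables inject libraries into the process); the plist should carry a comment beside each key stating why it is required, with the Microsoft page on .NET's default entitlements linked from the PR description as the reference, so a later reviewer can tell which keys are still needed and remove the rest.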
@daxian-dbw daxian-dbw merged commit 4aab623 into PowerShell:release/v7.6.2 May 13, 2026
39 checks passed
@daxian-dbw daxian-dbw deleted the backport/release/v7.6.2/27347-b9bd8cbc5 branch May 13, 2026 21:56
@daxian-dbw (Member, Author)

Andy's two PRs below were "rebase merged", which is unexpected and caused all commits from those PRs to get into the master branch without squashing. The backport logic assumes squashing merge always, so it only picks up the last commit.

Therefore, a commit was missed for this backport PR. I manually backported the missing commits into #27439, even though it doesn't really belong there.
