oleksandr-didyk
Contributor

Contributes to dotnet/arcade-services#4611

Updates the MacOS signing to use a PME identity in accordance with a corresponding TSG

dotnet-runtime-official build: https://dev.azure.com/dnceng/internal/_build/results?buildId=2702879&view=results
Example of the identity being used for publishing: https://dev.azure.com/dnceng/internal/_build/results?buildId=2702156&view=results

@oleksandr-didyk oleksandr-didyk self-assigned this May 6, 2025
@Copilot Copilot AI review requested due to automatic review settings May 6, 2025 17:18
@ghost ghost added the needs-area-label An area label is needed to ensure this gets routed to the appropriate area owners label May 6, 2025
Contributor

@Copilot Copilot AI left a comment

Pull Request Overview

This PR updates the MacOS code-signing pipeline configuration to use a PME identity in line with recent security requirements.

  • Updates service connection and authentication configuration
  • Switches from certificate-based authentication to MSI-based authentication
  • Replaces existing client and tenant identifiers with PME-specific values
Comments suppressed due to low confidence (2)

eng/pipelines/common/macos-sign-with-entitlements.yml:32

  • The removal of the 'AuthCertName' parameter appears to be a deliberate change for MSI-based authentication; please confirm that no parts of the pipeline depend on certificate-based authentication.
-      AuthCertName: 'DotNetCore-ESRP-AuthCert'
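Review bot: the removed `AuthCertName: 'DotNetCore-ESRP-AuthCert'` line is the only trace of the certificate path in this excerpt, so check whether any other template under eng/pipelines still passes that parameter. If none does, ask whether the certificate itself can be retired, so that an authentication credential the pipeline no longer uses is not left valid.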

eng/pipelines/common/macos-sign-with-entitlements.yml:34

  • Ensure that switching to MSI authentication and updating related client IDs align with the PME requirements and that all dependent processes are adjusted accordingly.
+      UseMSIAuthentication: true
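Review bot: on the added `UseMSIAuthentication: true` line, the identity the build authenticates as now comes from the service connection and client ID rather than from a certificate named in the template, and neither value is visible in this excerpt. Confirm they are the PME values the description refers to and that the managed identity is granted only what signing needs.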

@oleksandr-didyk oleksandr-didyk requested a review from hoyosjs May 6, 2025 17:18
Member

hoyosjs commented May 6, 2025

/ba-g continued OOMs from crypto tests - unrelated to PME portion that doesn't get exercised in CI.

@hoyosjs hoyosjs merged commit 26c9fb8 into dotnet:main May 6, 2025
142 of 150 checks passed
Member

hoyosjs commented May 15, 2025

/backport to release/8.0-staging

Contributor

Started backporting to release/8.0-staging: https://github.com/dotnet/runtime/actions/runs/15057412876

Member

hoyosjs commented May 15, 2025

/backport to release/8.0

Member

hoyosjs commented May 15, 2025

/backport to release/9.0

Contributor

Started backporting to release/8.0: https://github.com/dotnet/runtime/actions/runs/15057416852

Contributor

Started backporting to release/9.0: https://github.com/dotnet/runtime/actions/runs/15057417574
