[release/v7.5.8] Verify Apple codesign immediately after ESRP signing by SeeminglyScience · Pull Request #27541 · PowerShell/PowerShell
Backport of #27486 to release/v7.5.8
Triggered by @SeeminglyScience on behalf of @andyleejordan
Original CL Label: CL-BuildPackaging
/cc @PowerShell/powershell-maintainers
Impact
REQUIRED: Choose either Tooling Impact or Customer Impact (or both). At least one checkbox must be selected.
Tooling Impact
- Required tooling change
- Optional tooling change (include reasoning)
Adds codesign --verify --deep --strict verification immediately after ESRP signing in Sign_macOS_* pipeline jobs. This ensures silent ESRP no-ops are caught in the signing job itself rather than discovered later in packaging, preventing publication of bad signed artifacts.
Customer Impact
- Customer reported
- Found internally
Regression
REQUIRED: Check exactly one box.
- Yes
- No
This is not a regression.
Testing
Verified by next pipeline run. This is a pipeline YAML-only change adding a defensive verification step — no unit tests apply. The original change was validated during a release build where ESRP silently no-op'd; this check would have caught it at the sign stage.
Risk
REQUIRED: Check exactly one box.
- High
- Medium
- Low
Pipeline YAML only — no runtime code changes. The added step is read-only verification (codesign --verify) that fails fast rather than publishing a bad artifact. No customer-facing behavior is affected.