Skip to content

Update MacOS signing to use PME#115342

Merged
hoyosjs merged 1 commit intodotnet:mainfrom
oleksandr-didyk:dev/update-macos-signing-pme
May 6, 2025
Merged

Update MacOS signing to use PME#115342
hoyosjs merged 1 commit intodotnet:mainfrom
oleksandr-didyk:dev/update-macos-signing-pme

Conversation

@oleksandr-didyk
Copy link
Contributor

@oleksandr-didyk oleksandr-didyk commented May 6, 2025

@oleksandr-didyk oleksandr-didyk self-assigned this May 6, 2025
Copilot AI review requested due to automatic review settings May 6, 2025 17:18
@ghost ghost added the needs-area-label An area label is needed to ensure this gets routed to the appropriate area owners label May 6, 2025
Copilot AI reviewed May 6, 2025
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR updates the MacOS code-signing pipeline configuration to use a PME identity in line with recent security requirements.

  • Updates service connection and authentication configuration
  • Switches from certificate-based authentication to MSI-based authentication
  • Replaces existing client and tenant identifiers with PME-specific values
Comments suppressed due to low confidence (2)

eng/pipelines/common/macos-sign-with-entitlements.yml:32

  • The removal of the 'AuthCertName' parameter appears to be a deliberate change for MSI-based authentication; please confirm that no parts of the pipeline depend on certificate-based authentication.
-      AuthCertName: 'DotNetCore-ESRP-AuthCert'

eng/pipelines/common/macos-sign-with-entitlements.yml:34

  • Ensure that switching to MSI authentication and updating related client IDs align with the PME requirements and that all dependent processes are adjusted accordingly.
+      UseMSIAuthentication: true

@oleksandr-didyk oleksandr-didyk requested a review from hoyosjs May 6, 2025 17:18
This was referenced May 6, 2025
Open
Open
@hoyosjs
Copy link
Member

hoyosjs commented May 6, 2025

/ba-g continued OOMs from crypto tests - unrelated to PME portion that doesn't get exercised in CI.

@hoyosjs hoyosjs merged commit 26c9fb8 into dotnet:main May 6, 2025
142 of 150 checks passed
@hoyosjs
Copy link
Member

hoyosjs commented May 15, 2025

/backport to release/8.0-staging

@github-actions
Copy link
Contributor

github-actions bot commented May 15, 2025

Started backporting to release/8.0-staging: https://github.com/dotnet/runtime/actions/runs/15057412876

@hoyosjs
Copy link
Member

hoyosjs commented May 15, 2025

/backport to release/8.0

@hoyosjs
Copy link
Member

hoyosjs commented May 15, 2025

/backport to release/9.0

@github-actions
Copy link
Contributor

github-actions bot commented May 15, 2025

Started backporting to release/8.0: https://github.com/dotnet/runtime/actions/runs/15057416852

@github-actions
Copy link
Contributor

github-actions bot commented May 15, 2025

Started backporting to release/9.0: https://github.com/dotnet/runtime/actions/runs/15057417574

This was referenced May 15, 2025
Closed
Merged
Merged
@github-actions github-actions bot locked and limited conversation to collaborators Jun 15, 2025
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

Copilot code review Copilot Copilot left review comments

@hoyosjs hoyosjs hoyosjs approved these changes

Assignees

@oleksandr-didyk oleksandr-didyk

Labels

needs-area-label An area label is needed to ensure this gets routed to the appropriate area owners

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@oleksandr-didyk @hoyosjs