From 0f8b37fbe6583ee923dedced4da3c2652b72f454 Mon Sep 17 00:00:00 2001
From: Saransh Sharma
Date: Tue, 17 Mar 2026 15:12:59 -0700
Subject: [PATCH 1/2] Scope NuGet package signing to specific packages

---
 .../onebranch/jobs/build-signed-csproj-package-job.yml | 1 +
 .../jobs/build-signed-sqlclient-package-job.yml | 1 +
 .../onebranch/steps/compound-esrp-nuget-signing-step.yml | 9 +++++++--
 eng/pipelines/onebranch/steps/esrp-code-signing-step.yml | 8 ++++++--
 4 files changed, 15 insertions(+), 4 deletions(-)

diff --git a/eng/pipelines/onebranch/jobs/build-signed-csproj-package-job.yml b/eng/pipelines/onebranch/jobs/build-signed-csproj-package-job.yml
index 809690a886..01d9b61da1 100644
--- a/eng/pipelines/onebranch/jobs/build-signed-csproj-package-job.yml
+++ b/eng/pipelines/onebranch/jobs/build-signed-csproj-package-job.yml
@@ -191,6 +191,7 @@ jobs:
 authSignCertName: ${{ parameters.authSignCertName }}
 esrpClientId: ${{ parameters.esrpClientId }}
 esrpConnectedServiceName: ${{ parameters.esrpConnectedServiceName }}
+ pattern: '${{ parameters.packageFullName }}.*nupkg'

 # Publish symbols to servers
 - ${{ if eq(parameters.publishSymbols, true) }}:
diff --git a/eng/pipelines/onebranch/jobs/build-signed-sqlclient-package-job.yml b/eng/pipelines/onebranch/jobs/build-signed-sqlclient-package-job.yml
index a422a5351c..7157c0f795 100644
--- a/eng/pipelines/onebranch/jobs/build-signed-sqlclient-package-job.yml
+++ b/eng/pipelines/onebranch/jobs/build-signed-sqlclient-package-job.yml
@@ -108,6 +108,7 @@ jobs:
 - template: /eng/pipelines/onebranch/steps/esrp-code-signing-step.yml@self
 parameters:
 artifactType: pkg
+ nupkgPattern: 'Microsoft.Data.SqlClient.[0-9]*nupkg'

 # Copy signed DLLs and PDBs to APIScan folders.
 - task: CopyFiles@2
diff --git a/eng/pipelines/onebranch/steps/compound-esrp-nuget-signing-step.yml b/eng/pipelines/onebranch/steps/compound-esrp-nuget-signing-step.yml
index 34e903465f..e86964cf3d 100644
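Review bot: The added `pattern: '${{ parameters.packageFullName }}.*nupkg'` narrows both the ESRP malware scan and the signing step to one package, but nothing in this job checks that the pattern matched anything, so a mismatch between `packageFullName` and the file actually produced would leave the package unscanned and unsigned without failing the job (unless the ESRP tasks fail on an empty match, which I cannot confirm from here). Any other .nupkg left in `$(PACK_OUTPUT)` is now also outside the scanned and signed set, so a later publish step that picks packages up from that folder with a wider glob should use the same pattern or verify signatures before pushing. The same concern applies to the `nupkgPattern` value added in the build-signed-sqlclient-package-job.yml hunk below. A verification step after the signing template, e.g. `dotnet nuget verify --all <path of the package to publish>`, would turn that silent skip into a job failure. The template invocation this parameter belongs to starts outside the hunk.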
--- a/eng/pipelines/onebranch/steps/compound-esrp-nuget-signing-step.yml
+++ b/eng/pipelines/onebranch/steps/compound-esrp-nuget-signing-step.yml
@@ -30,6 +30,11 @@ parameters:
 - name: esrpClientId
 type: string

+ # Glob pattern to match NuGet packages for scanning and signing.
+ - name: pattern
+ type: string
+ default: '*.*nupkg'
+
 steps:
 # See: https://aka.ms/esrp.scantask
 - task: EsrpMalwareScanning@6
@@ -41,7 +46,7 @@ steps:
 ConnectedServiceName: '${{ parameters.esrpConnectedServiceName }}'
 EsrpClientId: '${{ parameters.esrpClientId }}'
 FolderPath: '$(PACK_OUTPUT)'
- Pattern: '*.*nupkg'
+ Pattern: '${{ parameters.pattern }}'
 UseMSIAuthentication: true
 VerboseLogin: 1

@@ -56,7 +61,7 @@ steps:
 AuthAKVName: '${{ parameters.authAkvName }}'
 AuthSignCertName: '${{ parameters.authSignCertName }}'
 FolderPath: '$(PACK_OUTPUT)'
- Pattern: '*.*nupkg'
+ Pattern: '${{ parameters.pattern }}'
 signConfigType: 'inlineSignParams'
 UseMSIAuthentication: true
 inlineOperation: |
diff --git a/eng/pipelines/onebranch/steps/esrp-code-signing-step.yml b/eng/pipelines/onebranch/steps/esrp-code-signing-step.yml
index 59322d67aa..d34d60b67a 100644
--- a/eng/pipelines/onebranch/steps/esrp-code-signing-step.yml
+++ b/eng/pipelines/onebranch/steps/esrp-code-signing-step.yml
@@ -17,6 +17,10 @@ parameters:
 type: string
 default: 'Microsoft.Data.SqlClient*.dll'

+ - name: nupkgPattern
+ type: string
+ default: '*.*nupkg'
+
 - name: artifactDirectory
 type: string
 default: $(PACK_OUTPUT)
@@ -125,7 +129,7 @@ steps:
 EsrpClientId: '${{parameters.EsrpClientId }}'
 UseMSIAuthentication: true
 FolderPath: '${{parameters.artifactDirectory }}'
- Pattern: '*.*nupkg'
+ Pattern: '${{ parameters.nupkgPattern }}'
 CleanupTempStorage: 1
 VerboseLogin: 1

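Review bot: The new `pattern` parameter defaults to `'*.*nupkg'`, so a caller that does not pass it still scans and signs every package in `$(PACK_OUTPUT)` — the broad behaviour this series is meant to retire — and the omission is silent because the parameter is a plain string with no validation. If every caller of this template is updated in the series (only the csproj job is visible here), consider dropping the default so template expansion fails when a job forgets to state which package it signs. Either way the comment should say what the default does, e.g. `# Glob pattern (relative to $(PACK_OUTPUT)) selecting the NuGet packages to malware-scan and sign; the default selects every package in the folder.`. The `parameters:` list continues before this hunk.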
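Review bot: The `nupkgPattern` parameter added to esrp-code-signing-step.yml at `@@ -17,6 +17,10 @@` has no comment, while the equivalent `pattern` parameter added to compound-esrp-nuget-signing-step.yml in this same patch gets one, and the two templates now name the same concept differently (`pattern` vs `nupkgPattern`). Add a comment mirroring the other template, e.g. `# Glob pattern selecting the NuGet packages to malware-scan and sign; the default covers every package in artifactDirectory.`, and consider aligning the two names so callers do not have to remember which template takes which. The `parameters:` list continues before and after this hunk.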
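Review bot: The substituted `Pattern: '${{ parameters.nupkgPattern }}'` at `@@ -125,7 +129,7 @@` uses spaced braces while every neighbouring input in this file is written `'${{parameters.X }}'`; both expand identically, but adjacent lines now carry two spellings of the same expression. The second substitution in this file at `@@ -142,7 +146,7 @@` has the same mix. Whichever form the file settles on is worth applying uniformly, ideally normalising the existing asymmetric `${{parameters.X }}` form to `${{ parameters.X }}` in a follow-up.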
@@ -142,7 +146,7 @@ steps:
 AuthAKVName: '${{parameters.AuthAKVName }}'
 AuthSignCertName: '${{parameters.AuthSignCertName }}'
 FolderPath: '${{parameters.artifactDirectory }}'
- Pattern: '*.*nupkg'
+ Pattern: '${{ parameters.nupkgPattern }}'
 signConfigType: inlineSignParams
 inlineOperation: |
 [

From abd27e897dc802baa66576956c39324d56b46723 Mon Sep 17 00:00:00 2001
From: Saransh Sharma
Date: Tue, 17 Mar 2026 15:44:19 -0700
Subject: [PATCH 2/2] Use mdsPackageVersion

---
 .../onebranch/jobs/build-signed-sqlclient-package-job.yml | 2 +-
 eng/pipelines/onebranch/steps/esrp-code-signing-step.yml | 1 -
 2 files changed, 1 insertion(+), 2 deletions(-)

diff --git a/eng/pipelines/onebranch/jobs/build-signed-sqlclient-package-job.yml b/eng/pipelines/onebranch/jobs/build-signed-sqlclient-package-job.yml
index 7157c0f795..98f5c811aa 100644
--- a/eng/pipelines/onebranch/jobs/build-signed-sqlclient-package-job.yml
+++ b/eng/pipelines/onebranch/jobs/build-signed-sqlclient-package-job.yml
@@ -108,7 +108,7 @@ jobs:
 - template: /eng/pipelines/onebranch/steps/esrp-code-signing-step.yml@self
 parameters:
 artifactType: pkg
- nupkgPattern: 'Microsoft.Data.SqlClient.[0-9]*nupkg'
+ nupkgPattern: 'Microsoft.Data.SqlClient.$(mdsPackageVersion).*nupkg'

 # Copy signed DLLs and PDBs to APIScan folders.
 - task: CopyFiles@2
diff --git a/eng/pipelines/onebranch/steps/esrp-code-signing-step.yml b/eng/pipelines/onebranch/steps/esrp-code-signing-step.yml
index d34d60b67a..83053a8d29 100644
--- a/eng/pipelines/onebranch/steps/esrp-code-signing-step.yml
+++ b/eng/pipelines/onebranch/steps/esrp-code-signing-step.yml
@@ -137,7 +137,6 @@ steps:
 - task: EsrpCodeSigning@6
 displayName: 'ESRP CodeSigning Nuget Package'
 inputs:
- inputs:
 ConnectedServiceName: '${{parameters.ESRPConnectedServiceName }}'
 AppRegistrationClientId: '${{parameters.appRegistrationClientId }}'
 AppRegistrationTenantId: '${{parameters.appRegistrationTenantId }}'
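Review bot: `nupkgPattern: 'Microsoft.Data.SqlClient.$(mdsPackageVersion).*nupkg'` in the build-signed-sqlclient-package-job.yml hunk of patch 2/2 embeds a runtime macro in a template parameter; `$(mdsPackageVersion)` is expanded only when the ESRP task input is evaluated, and if the variable is not set by then Azure Pipelines leaves the literal text in place, so the pattern matches no file and the package is neither malware-scanned nor signed (unless the ESRP tasks fail on an empty match, which I cannot confirm from here). Where `mdsPackageVersion` is defined is not visible in this patch, so I cannot tell whether it is guaranteed to be set before this job's signing template runs. A guard before the template — a short script step that fails when the variable is empty — or a signature verification step on the package afterwards would turn that silent skip into a job failure. The `[0-9]*` form from patch 1/2 was looser but did not depend on a variable being set; the comment on the parameter should state that the exact version string is required.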