
Fix release build codesign failure by scoping targetGlob to binaries#40324

Merged
benhillis merged 1 commit into master from fix/codesign-targetglob
Apr 27, 2026

Conversation

@benhillis
Member

Problem

The release build (145356685) failed in the `nuget` stage at Guardian: Post Analysis with 14 `CodeSign.MissingSigningCert` errors on unsigned PowerShell scripts.

The OneBranch `Microsoft.Official.yml` template's Guardian codesign validation defaults to scanning .ps1, .psm1, .vbs, .js, and other script types. Since our tool/test/diagnostics scripts aren't code-signed, this breaks the build.

Fix

Add `globalSdl.codesign.targetGlob` to restrict codesign validation to only signed binary and package extensions:

  • `.dll, .exe, .sys, .msi, .msix, .msixbundle, .appx, .nupkg`

This excludes script files from codesign validation while keeping enforcement for all shipped binaries and packages.

Validation

  • If `targetGlob` is not honored by the template, fallback is adding the 14 `.ps1` signatures to .gdnsuppress.

The OneBranch Official template's Guardian codesign validation defaults
to scanning .ps1/.psm1/.vbs/.js scripts, which causes 14
CodeSign.MissingSigningCert errors on unsigned tool/test scripts.

Restrict codesign.targetGlob to only signed binary and package
extensions (.dll, .exe, .sys, .msi, .msix, .msixbundle, .appx, .nupkg).

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
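The targetGlob scoping described in the PR, as an added example that is not part of the PR, the repository, or the OneBranch template: a small Python checker that applies the pattern list to a constructed artifact list and reports which outputs Guardian would still validate and which it would now skip. It assumes the list is `;`-separated with Windows separators, as in the PR, and that `**` and `*` follow ordinary recursive-glob semantics; Guardian's real matcher is not documented on this page, so the sample artifact names and the `scripts_not_validated` helper are assumptions of this example only.

```python
"""Added example (not part of the PR): evaluate which build outputs a Guardian
codesign.targetGlob list would select for signature validation.

Assumptions: patterns are ';'-separated with Windows separators (as in the PR),
and '**' / '*' use ordinary recursive-glob semantics. Guardian's exact matcher
is not documented on the PR page."""
import re

# The pattern list from the merged PR, quoted verbatim.
TARGET_GLOB = r"**\*.dll;**\*.exe;**\*.sys;**\*.msi;**\*.msix;**\*.msixbundle;**\*.appx;**\*.nupkg"


def glob_to_regex(pattern: str) -> re.Pattern:
    """Translate one glob (either separator style) into an anchored regex.
    '**/' matches zero or more directory levels; '*' stays within one level."""
    pattern = pattern.replace("\\", "/")
    parts = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("**/", i):
            parts.append("(?:.*/)?")
            i += 3
        elif pattern.startswith("**", i):
            parts.append(".*")
            i += 2
        elif pattern[i] == "*":
            parts.append("[^/]*")
            i += 1
        elif pattern[i] == "?":
            parts.append("[^/]")
            i += 1
        else:
            parts.append(re.escape(pattern[i]))
            i += 1
    return re.compile("".join(parts) + r"\Z", re.IGNORECASE)


def parse_target_glob(target_glob: str) -> list:
    """Split the ';'-separated list into compiled matchers, ignoring empties."""
    return [glob_to_regex(p) for p in target_glob.split(";") if p.strip()]


def partition_artifacts(target_glob: str, paths: list) -> tuple:
    """Split build outputs into (validated, skipped) under the glob list.
    'skipped' is what the codesign check would no longer look at."""
    matchers = parse_target_glob(target_glob)
    validated, skipped = [], []
    for p in paths:
        norm = p.replace("\\", "/")
        (validated if any(m.match(norm) for m in matchers) else skipped).append(p)
    return validated, skipped


def scripts_not_validated(target_glob: str, paths: list) -> list:
    """Release-time sanity check (assumed helper): list script-type files that
    fall outside the glob, i.e. ship without a signature check."""
    _, skipped = partition_artifacts(target_glob, paths)
    script_exts = (".ps1", ".psm1", ".vbs", ".js")
    return [p for p in skipped if p.lower().endswith(script_exts)]


# Constructed sample artifact list; names are illustrative, not from the build.
SAMPLE_ARTIFACTS = [
    r"bin\x64\app.exe",
    r"bin\x64\helper.dll",
    "installer.msix",
    r"tools\build.ps1",
    r"test\Run-Tests.psm1",
    r"diagnostics\collect.js",
    r"out\package.nupkg",
]

if __name__ == "__main__":
    ok, skip = partition_artifacts(TARGET_GLOB, SAMPLE_ARTIFACTS)
    print("validated:", ok)
    print("skipped:  ", skip)
    print("scripts outside the glob:", scripts_not_validated(TARGET_GLOB, SAMPLE_ARTIFACTS))
```

Run it against the real artifact listing of a release to confirm that the only files falling outside the glob are the tool/test/diagnostics scripts the PR intends to exclude, and nothing that is actually shipped to customers.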
Copilot AI review requested due to automatic review settings April 25, 2026 20:50
@benhillis benhillis requested a review from a team as a code owner April 25, 2026 20:50
Contributor

Copilot AI left a comment


Pull request overview

This PR updates the OneBranch release pipeline configuration to prevent Guardian CodeSign validation from scanning unsigned scripts (e.g., .ps1) and failing the release build, while still enforcing signing checks for shipped binaries/packages.

Changes:

  • Configure globalSdl.codesign.targetGlob to scope CodeSign validation to binary/package extensions only.
  • Explicitly set CodeSign enforcement to enabled and breaking (enabled: true, break: true) for the release pipeline.

```yaml
codesign:
  enabled: true
  break: true
  targetGlob: '**\*.dll;**\*.exe;**\*.sys;**\*.msi;**\*.msix;**\*.msixbundle;**\*.appx;**\*.nupkg'
```
Collaborator


nit: I'd remove .sys, since we don't sign drivers

Member Author


fair, but I don't think it's harmful either. This is straight from some 1ES docs.

@benhillis benhillis merged commit 45622c6 into master Apr 27, 2026
13 checks passed
@benhillis benhillis deleted the fix/codesign-targetglob branch April 27, 2026 23:07