Merged PR 6247: FIX: Build Pipeline - Use OneBranch Signing

bewithgaurav · bewithgaurav · commit 7005bb59ad48 · 2025-10-09T11:04:00.000Z
#### AI description  (iteration 1)
#### PR Classification
This PR fixes the build pipeline configuration by updating the code signing steps to sign only wheel files for official builds.

#### PR Summary
The changes update the build pipeline YAML files for Windows, Linux, and macOS to remove unnecessary binary signing steps and enforce signing of only wheel files. This streamlines the code signing process by:
- Modifying `build-windows-single-stage.yml` to remove DLL-specific signing parameters.
- Adjusting `build-linux-single-stage.yml` to omit non-wheel artifact signing and note that ELF files cannot be signed with Windows SignTool.
- Updating `build-macos-single-stage.yml` to remove Mach-O/dylib signing, noting the correctness for PyPI wheel distribution.
&lt;!-- GitOpsUserAgent=GitOps.Apps.Server.pullrequestcopilot --&gt;

Related work items: #38066
diff --git a/OneBranchPipelines/stages/build-linux-single-stage.yml b/OneBranchPipelines/stages/build-linux-single-stage.yml
@@ -191,32 +191,42 @@ stages:
               artifact: 'drop_${{ parameters.stageName }}_${{ parameters.jobName }}'
               publishLocation: 'pipeline'
           
-          # Malware scanning
+          # General malware scanning (Component Governance + OneBranch AntiMalware)
           - template: ../steps/malware-scanning-step.yml@self
             parameters:
               scanPath: '$(ob_outputDirectory)'
               artifactType: 'dll'
           
-          # ESRP Code Signing (Official builds only)
+          # ESRP Malware scanning (Official builds only)
           - ${{ if and(eq(parameters.signingEnabled, true), eq(parameters.oneBranchType, 'Official')) }}:
-              - template: /OneBranchPipelines/steps/compound-esrp-code-signing-step.yml@self
-                parameters:
-                  appRegistrationClientId: '$(SigningAppRegistrationClientId)'
-                  appRegistrationTenantId: '$(SigningAppRegistrationTenantId)'
-                  artifactType: 'dll'
-                  authAkvName: '$(SigningAuthAkvName)'
-                  authSignCertName: '$(SigningAuthSignCertName)'
-                  esrpClientId: '$(SigningEsrpClientId)'
-                  esrpConnectedServiceName: '$(SigningEsrpConnectedServiceName)'
-                  signPath: '$(ob_outputDirectory)/bindings'
-              
-              - template: /OneBranchPipelines/steps/compound-esrp-code-signing-step.yml@self
-                parameters:
-                  appRegistrationClientId: '$(SigningAppRegistrationClientId)'
-                  appRegistrationTenantId: '$(SigningAppRegistrationTenantId)'
-                  artifactType: 'whl'
-                  authAkvName: '$(SigningAuthAkvName)'
-                  authSignCertName: '$(SigningAuthSignCertName)'
-                  esrpClientId: '$(SigningEsrpClientId)'
-                  esrpConnectedServiceName: '$(SigningEsrpConnectedServiceName)'
-                  signPath: '$(ob_outputDirectory)/wheels'
+              - task: EsrpMalwareScanning@5
+                displayName: 'ESRP MalwareScanning - Python Wheels'
+                inputs:
+                  ConnectedServiceName: '$(SigningEsrpConnectedServiceName)'
+                  AppRegistrationClientId: '$(SigningAppRegistrationClientId)'
+                  AppRegistrationTenantId: '$(SigningAppRegistrationTenantId)'
+                  EsrpClientId: '$(SigningEsrpClientId)'
+                  UseMSIAuthentication: true
+                  FolderPath: '$(ob_outputDirectory)/wheels'
+                  Pattern: '*.whl'
+                  CleanupTempStorage: 1
+                  VerboseLogin: 1
+          
+          # OneBranch Code Signing (Official builds only)
+          # Note: We only sign wheels on all platforms (Windows, macOS, Linux). The wheel signature cryptographically
+          # verifies the entire archive contents, making individual binary signing unnecessary. Additionally,
+          # Linux .so files use ELF format which cannot be signed with Windows SignTool.
+          #
+          # References:
+          # - https://eng.ms/docs/products/onebranch/signing/containerbuildsigning#signing-using-onebranchpipelinesigning-ado-task
+          #   (specifies not to use raw ESRP task for common certificates)
+          # - https://eng.ms/docs/products/onebranch/signing/containerbuildsigning/availablesigningcpcodesandoperations
+          #   (key code usage - .whl files not explicitly listed, treated as binary archives)
+          - ${{ if and(eq(parameters.signingEnabled, true), eq(parameters.oneBranchType, 'Official')) }}:
+              - task: onebranch.pipeline.signing@1
+                displayName: 'Sign Python Wheels'
+                inputs:
+                  command: 'sign'
+                  signing_profile: 'external_distribution'
+                  files_to_sign: '**/*.whl'
+                  search_root: '$(ob_outputDirectory)/wheels'
diff --git a/OneBranchPipelines/stages/build-macos-single-stage.yml b/OneBranchPipelines/stages/build-macos-single-stage.yml
@@ -133,32 +133,42 @@ stages:
               artifact: 'drop_${{ parameters.stageName }}_${{ parameters.jobName }}'
               publishLocation: 'pipeline'
           
-          # Malware scanning
+          # General malware scanning (Component Governance + OneBranch AntiMalware)
           - template: ../steps/malware-scanning-step.yml@self
             parameters:
               scanPath: '$(ob_outputDirectory)'
               artifactType: 'dll'
           
-          # ESRP Code Signing (Official builds only)
+          # ESRP Malware scanning (Official builds only)
           - ${{ if and(eq(parameters.signingEnabled, true), eq(parameters.oneBranchType, 'Official')) }}:
-              - template: /OneBranchPipelines/steps/compound-esrp-code-signing-step.yml@self
-                parameters:
-                  appRegistrationClientId: '$(SigningAppRegistrationClientId)'
-                  appRegistrationTenantId: '$(SigningAppRegistrationTenantId)'
-                  artifactType: 'dll'
-                  authAkvName: '$(SigningAuthAkvName)'
-                  authSignCertName: '$(SigningAuthSignCertName)'
-                  esrpClientId: '$(SigningEsrpClientId)'
-                  esrpConnectedServiceName: '$(SigningEsrpConnectedServiceName)'
-                  signPath: '$(ob_outputDirectory)/bindings/macOS'
-              
-              - template: /OneBranchPipelines/steps/compound-esrp-code-signing-step.yml@self
-                parameters:
-                  appRegistrationClientId: '$(SigningAppRegistrationClientId)'
-                  appRegistrationTenantId: '$(SigningAppRegistrationTenantId)'
-                  artifactType: 'whl'
-                  authAkvName: '$(SigningAuthAkvName)'
-                  authSignCertName: '$(SigningAuthSignCertName)'
-                  esrpClientId: '$(SigningEsrpClientId)'
-                  esrpConnectedServiceName: '$(SigningEsrpConnectedServiceName)'
-                  signPath: '$(ob_outputDirectory)/wheels'
+              - task: EsrpMalwareScanning@5
+                displayName: 'ESRP MalwareScanning - Python Wheels'
+                inputs:
+                  ConnectedServiceName: '$(SigningEsrpConnectedServiceName)'
+                  AppRegistrationClientId: '$(SigningAppRegistrationClientId)'
+                  AppRegistrationTenantId: '$(SigningAppRegistrationTenantId)'
+                  EsrpClientId: '$(SigningEsrpClientId)'
+                  UseMSIAuthentication: true
+                  FolderPath: '$(ob_outputDirectory)/wheels'
+                  Pattern: '*.whl'
+                  CleanupTempStorage: 1
+                  VerboseLogin: 1
+          
+          # OneBranch Code Signing (Official builds only)
+          # Note: We only sign wheels on all platforms (Windows, macOS, Linux). The wheel signature cryptographically
+          # verifies the entire archive contents, making individual binary signing unnecessary. Additionally,
+          # macOS .so/.dylib files use Mach-O format which cannot be signed with Windows SignTool.
+          #
+          # References:
+          # - https://eng.ms/docs/products/onebranch/signing/containerbuildsigning#signing-using-onebranchpipelinesigning-ado-task
+          #   (specifies not to use raw ESRP task for common certificates)
+          # - https://eng.ms/docs/products/onebranch/signing/containerbuildsigning/availablesigningcpcodesandoperations
+          #   (key code usage - .whl files not explicitly listed, treated as binary archives)
+          - ${{ if and(eq(parameters.signingEnabled, true), eq(parameters.oneBranchType, 'Official')) }}:
+              - task: onebranch.pipeline.signing@1
+                displayName: 'Sign Python Wheels'
+                inputs:
+                  command: 'sign'
+                  signing_profile: 'external_distribution'
+                  files_to_sign: '**/*.whl'
+                  search_root: '$(ob_outputDirectory)/wheels'
diff --git a/OneBranchPipelines/stages/build-windows-single-stage.yml b/OneBranchPipelines/stages/build-windows-single-stage.yml
@@ -178,35 +178,45 @@ stages:
               artifact: 'drop_${{ parameters.stageName }}_${{ parameters.jobName }}'
               publishLocation: 'pipeline'
           
-          # Malware scanning
+          # General malware scanning (Component Governance + OneBranch AntiMalware)
           - template: /OneBranchPipelines/steps/malware-scanning-step.yml@self
             parameters:
               scanPath: '$(ob_outputDirectory)'
               artifactType: 'dll'
           
-          # ESRP Code Signing for DLLs (only for Official builds)
+          # ESRP Malware scanning (Official builds only)
           - ${{ if and(eq(parameters.signingEnabled, true), eq(parameters.oneBranchType, 'Official')) }}:
-              - template: /OneBranchPipelines/steps/compound-esrp-code-signing-step.yml@self
-                parameters:
-                  appRegistrationClientId: '$(SigningAppRegistrationClientId)'
-                  appRegistrationTenantId: '$(SigningAppRegistrationTenantId)'
-                  artifactType: 'dll'
-                  authAkvName: '$(SigningAuthAkvName)'
-                  authSignCertName: '$(SigningAuthSignCertName)'
-                  esrpClientId: '$(SigningEsrpClientId)'
-                  esrpConnectedServiceName: '$(SigningEsrpConnectedServiceName)'
-                  signPath: '$(ob_outputDirectory)\bindings\windows'
-              
-              - template: /OneBranchPipelines/steps/compound-esrp-code-signing-step.yml@self
-                parameters:
-                  appRegistrationClientId: '$(SigningAppRegistrationClientId)'
-                  appRegistrationTenantId: '$(SigningAppRegistrationTenantId)'
-                  artifactType: 'whl'
-                  authAkvName: '$(SigningAuthAkvName)'
-                  authSignCertName: '$(SigningAuthSignCertName)'
-                  esrpClientId: '$(SigningEsrpClientId)'
-                  esrpConnectedServiceName: '$(SigningEsrpConnectedServiceName)'
-                  signPath: '$(ob_outputDirectory)\wheels'
+              - task: EsrpMalwareScanning@5
+                displayName: 'ESRP MalwareScanning - Python Wheels'
+                inputs:
+                  ConnectedServiceName: '$(SigningEsrpConnectedServiceName)'
+                  AppRegistrationClientId: '$(SigningAppRegistrationClientId)'
+                  AppRegistrationTenantId: '$(SigningAppRegistrationTenantId)'
+                  EsrpClientId: '$(SigningEsrpClientId)'
+                  UseMSIAuthentication: true
+                  FolderPath: '$(ob_outputDirectory)/wheels'
+                  Pattern: '*.whl'
+                  CleanupTempStorage: 1
+                  VerboseLogin: 1
+          
+          # OneBranch Code Signing (Official builds only)
+          # Note: We only sign wheels on all platforms (Windows, macOS, Linux). The wheel signature cryptographically
+          # verifies the entire archive contents, making individual binary signing unnecessary. This approach is
+          # correct for PyPI distribution where only wheel signatures are validated.
+          #
+          # References:
+          # - https://eng.ms/docs/products/onebranch/signing/containerbuildsigning#signing-using-onebranchpipelinesigning-ado-task
+          #   (specifies not to use raw ESRP task for common certificates)
+          # - https://eng.ms/docs/products/onebranch/signing/containerbuildsigning/availablesigningcpcodesandoperations
+          #   (key code usage - .whl files not explicitly listed, treated as binary archives)
+          - ${{ if and(eq(parameters.signingEnabled, true), eq(parameters.oneBranchType, 'Official')) }}:
+              - task: onebranch.pipeline.signing@1
+                displayName: 'Sign Python Wheels'
+                inputs:
+                  command: 'sign'
+                  signing_profile: 'external_distribution'
+                  files_to_sign: '**/*.whl'
+                  search_root: '$(ob_outputDirectory)/wheels'
           
           # Publish symbols (Windows only)
           - ${{ if eq(parameters.oneBranchType, 'Official') }}:
