Scope DLL Signing in MDS OneBranch Job#4039
Merged
samsharma2700 merged 1 commit intomainfrom Mar 13, 2026
Merged
Conversation
Contributor
There was a problem hiding this comment.
Pull request overview
Updates OneBranch ESRP DLL signing to be parameter-driven and tightens which SqlClient binaries are signed/copied for APIScan, aligning the SqlClient job behavior with the more explicit patterns used elsewhere in the OneBranch packaging jobs.
Changes:
- Added a
dllPatternparameter to the ESRP code-signing step template and wired it into the ESRP malware scan + code signing tasks. - Updated the SqlClient OneBranch job to sign
Microsoft.Data.SqlClient.dllandMicrosoft.Data.SqlClient.resources.dllexplicitly (and to scope signing to$(BUILD_OUTPUT)). - Narrowed APIScan file copy globs to only copy
Microsoft.Data.SqlClient.dll/.pdb(instead ofMicrosoft.Data.SqlClient*.dll/.pdb).
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| eng/pipelines/onebranch/steps/esrp-code-signing-step.yml | Adds dllPattern parameter and uses it for ESRP scanning/signing when artifactType: dll. |
| eng/pipelines/onebranch/jobs/build-signed-sqlclient-package-job.yml | Uses explicit DLL patterns for signing and narrows APIScan copy globs to the primary SqlClient assembly + PDB. |
paulmedynski
approved these changes
Mar 12, 2026
Contributor
|
Run the sqlclient-non-official pipeline on these changes and paste a link. |
paulmedynski
added
the
Area\Engineering
Contributor
Author
apoorvdeshmukh
approved these changes
Mar 13, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
The MDS (
Microsoft.Data.SqlClient) code signing job in the OneBranch pipeline was inadvertently signing DLLs from theExtensions.AbstractionsandExtensions.Loggingpackages. This happened because:esrp-code-signing-step.ymlhardcoded the patternMicrosoft.Data.SqlClient*.dll, which matches Extensions DLLs (e.g.,Microsoft.Data.SqlClient.Extensions.Logging.dll)sourceRootdefaulted to$(REPO_ROOT), scanning the entire repo tree instead of just MDS build outputBuildAllConfigurations) depends onBuildLoggingandBuildAbstractions, so those DLLs exist in the artifact tree at signing timeIssues
Fixes #4023
Fix
esrp-code-signing-step.yml: Added adllPatternparameter (default: Microsoft.Data.SqlClient*.dll for backward compatibility) and replaced both hardcoded Pattern values with${{ parameters.dllPattern }}.build-signed-sqlclient-package-job.yml:Microsoft.Data.SqlClient.dllandMicrosoft.Data.SqlClient.resources.dll$(BUILD_OUTPUT)to avoid scanning the entire repoAPIScancopy patterns to exclude Extensions DLLs/PDBs