Scope NuGet package signing to specific packages#4058
Merged
samsharma2700 merged 2 commits intomainfrom Mar 20, 2026
Merged
Conversation
Contributor
There was a problem hiding this comment.
Pull request overview
This PR tightens ESRP malware scanning and NuGet signing in the OneBranch pipeline so each job signs only the package(s) it produces, avoiding redundant re-scanning/re-signing when other .nupkg/.snupkg files are present in the output directory.
Changes:
- Add configurable NuGet package glob parameters to ESRP signing templates (
nupkgPattern/pattern) with backward-compatible defaults. - Pass package-specific patterns from job templates to scope scanning/signing to the intended artifacts (SqlClient job + csproj-based package jobs).
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| eng/pipelines/onebranch/steps/esrp-code-signing-step.yml | Adds nupkgPattern parameter and uses it for NuGet malware scan + signing. |
| eng/pipelines/onebranch/steps/compound-esrp-nuget-signing-step.yml | Adds pattern parameter and uses it to scope scanning/signing under $(PACK_OUTPUT). |
| eng/pipelines/onebranch/jobs/build-signed-sqlclient-package-job.yml | Passes a SqlClient-specific nupkg pattern into ESRP signing. |
| eng/pipelines/onebranch/jobs/build-signed-csproj-package-job.yml | Passes a per-package nupkg pattern into the compound NuGet signing step. |
Contributor
Author
paulmedynski
approved these changes
Mar 19, 2026
priyankatiwari08
approved these changes
Mar 20, 2026
This was referenced Mar 31, 2026
mdaigle
pushed a commit
that referenced
this pull request
Apr 2, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
Fixes : #4029
The ESRP NuGet signing steps in the OneBranch pipeline use a broad
*.*nupkgglob pattern, meaning they scan and sign every.nupkg/.snupkgfile found in the output directory, not just the package built by the current job. If dependency packages from upstream stages are inadvertently present, they get re-scanned and re-signed unnecessarily.PR #3998 addressed the primary cause by isolating
PACK_OUTPUTto a dedicated output/ directory (separate from packages/where downloaded dependencies live). This PR adds a defense layer by scoping the ESRP glob patterns so each job only matches its own packages.Changes
esrp-code-signing-step.yml: Added nupkgPattern parameter (default *.*nupkg) used in the pkg signing pathcompound-esrp-nuget-signing-step.yml: Added pattern parameter (default *.*nupkg) for malware scanning and code signingbuild-signed-sqlclient-package-job.yml: Passes Microsoft.Data.SqlClient.[0-9]*nupkg, the [0-9] ensures versioned MDS packages match but Extension packages (starting with a letter after SqlClient) do not.build-signed-csproj-package-job.yml: Passes .*nupkg, scopes to the exact package being built (e.g., Microsoft.Data.SqlClient.Internal.Logging.*nupkg)