[7.0] Scope NuGet package signing to specific packages#4111
Merged
mdaigle merged 1 commit into release/7.0 on Apr 2, 2026
Conversation
Pull request overview (review comment by Copilot, Contributor)
This PR tightens ESRP NuGet malware scanning/signing in the OneBranch pipelines so each job only matches and signs the package(s) it produced, avoiding re-scanning/re-signing dependency packages that may be present in the output directory.
Changes:
- Add configurable NuGet glob parameters to ESRP signing step templates (defaulting to the prior `*.*nupkg` behavior).
- Scope Microsoft.Data.SqlClient package signing to the job's own versioned packages.
- Scope csproj-based package signing (Logging/Abstractions/Azure/etc.) to the job's exact package name.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| eng/pipelines/onebranch/steps/esrp-code-signing-step.yml | Adds nupkgPattern parameter and uses it for ESRP NuGet scan/sign inputs. |
| eng/pipelines/onebranch/steps/compound-esrp-nuget-signing-step.yml | Adds pattern parameter to scope malware scanning and signing of NuGet packages. |
| eng/pipelines/onebranch/jobs/build-signed-sqlclient-package-job.yml | Passes a version-scoped pattern for Microsoft.Data.SqlClient packages to the ESRP pkg signing step. |
| eng/pipelines/onebranch/jobs/build-signed-csproj-package-job.yml | Passes a package-name-scoped pattern for NuGet signing of csproj-based packages. |
benrr101 approved these changes on Mar 31, 2026
mdaigle approved these changes on Apr 2, 2026
Cherry-pick of #4058 to release/7.0
Original PR Description
Description
Fixes: #4029

The ESRP NuGet signing steps in the OneBranch pipeline use a broad `*.*nupkg` glob pattern, meaning they scan and sign every `.nupkg`/`.snupkg` file found in the output directory, not just the package built by the current job. If dependency packages from upstream stages are inadvertently present, they get re-scanned and re-signed unnecessarily.

PR #3998 addressed the primary cause by isolating `PACK_OUTPUT` to a dedicated `output/` directory (separate from `packages/`, where downloaded dependencies live). This PR adds a defense layer by scoping the ESRP glob patterns so each job only matches its own packages.

Changes

- `esrp-code-signing-step.yml`: Added `nupkgPattern` parameter (default `*.*nupkg`) used in the pkg signing path.
- `compound-esrp-nuget-signing-step.yml`: Added `pattern` parameter (default `*.*nupkg`) for malware scanning and code signing.
- `build-signed-sqlclient-package-job.yml`: Passes `Microsoft.Data.SqlClient.[0-9]*nupkg`; the `[0-9]` ensures versioned MDS packages match but Extension packages (starting with a letter after SqlClient) do not.
- `build-signed-csproj-package-job.yml`: Passes `.*nupkg`, scoped to the exact package being built (e.g., `Microsoft.Data.SqlClient.Internal.Logging.*nupkg`).
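The following is an added example, not code from this PR or from the project's pipeline templates. It checks, offline, which files in an output directory each of the glob patterns discussed above would hand to the signing step, and flags any file the pattern would sign that the job did not itself produce. It assumes the ESRP inputs use fnmatch-style glob semantics (`*` and the `[0-9]` character class), which is what the description implies; the directory listing and the `Some.Dependency` package name are constructed sample data, and `signing_overreach` is a hypothetical helper name.

```python
from fnmatch import fnmatchcase

# Constructed listing of a job's output directory, including one dependency package
# that leaked in from a restore step (hypothetical name), which is the case the PR guards against.
SAMPLE_OUTPUT_DIR = [
    "Microsoft.Data.SqlClient.7.0.0.nupkg",
    "Microsoft.Data.SqlClient.7.0.0.snupkg",
    "Microsoft.Data.SqlClient.Internal.Logging.7.0.0.nupkg",
    "Some.Dependency.1.2.3.nupkg",
]

# Patterns named in the PR description.
BROAD_PATTERN = "*.*nupkg"                            # the old default: every .nupkg and .snupkg
MDS_PATTERN = "Microsoft.Data.SqlClient.[0-9]*nupkg"  # versioned core packages only


def csproj_pattern(package_name: str) -> str:
    """Pattern the csproj job passes: exact package name followed by version and extension."""
    return f"{package_name}.*nupkg"


def select(files, pattern):
    """Return the files a signing step would pick up for the given glob.

    fnmatchcase is used so the check behaves the same on Windows and Linux agents.
    """
    return sorted(f for f in files if fnmatchcase(f, pattern))


def signing_overreach(files, pattern, produced):
    """Files the pattern would sign that this job did not produce.

    A non-empty result means the glob is too broad for the directory contents:
    dependency or sibling packages would be re-scanned and re-signed by this job.
    """
    return sorted(set(select(files, pattern)) - set(produced))


if __name__ == "__main__":
    produced_by_mds_job = SAMPLE_OUTPUT_DIR[:2]
    for label, pattern in (("broad", BROAD_PATTERN), ("scoped", MDS_PATTERN)):
        print(f"{label:>6}: matches {select(SAMPLE_OUTPUT_DIR, pattern)}")
        print(f"{'':>6}  overreach {signing_overreach(SAMPLE_OUTPUT_DIR, pattern, produced_by_mds_job)}")
```

Running it shows the broad pattern pulling in both the Logging extension package and the leaked dependency, while the `[0-9]`-scoped pattern matches only the two versioned Microsoft.Data.SqlClient artifacts; the same check can be pointed at a real `output/` listing before a pipeline change is merged.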