Merged
📬 CODENOTIFY
The following users are being notified based on files changed in this PR: @lszomoru
Matched files:
Pull request overview
This PR adds code signing for macOS server binaries during the build process to address missing Codesign signatures for several binaries in the macOS server SKU. The changes implement a recursive signing solution that scans and signs all Mach-O binaries in the server directories before packaging.
Changes:
- Added a new sign-server.ts script that recursively finds and signs all Mach-O binaries in server directories
- Modified the Azure pipeline to sign server binaries before packaging (previously they were packaged unsigned)
- Updated the ESRP codesigning flow to include server and web archives alongside client archives
- Removed -unsigned suffix from server artifact names since binaries are now signed before packaging
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| build/darwin/sign-server.ts | New script that detects Mach-O binaries via magic numbers and signs them with proper entitlements |
| build/azure-pipelines/darwin/steps/product-build-darwin-compile.yml | Moved server packaging after signing step, added new signing step, added BUILD_SOURCESDIRECTORY env var |
| build/azure-pipelines/darwin/server-entitlements.plist | New entitlements file for server binaries with JIT permission |
| build/azure-pipelines/darwin/product-build-darwin.yml | Removed -unsigned suffix from server artifact names |
| build/azure-pipelines/darwin/codesign.ts | Extended to codesign and notarize server and web archives in parallel with client archives |
Comments suppressed due to low confidence (1)
build/darwin/sign-server.ts:55
- The entitlements file path is constructed but never validated before use. Consider adding a check to ensure the file exists before attempting to sign binaries with it, similar to how the serverDir existence is validated. This would provide clearer error messages if the file is missing.
const entitlementsPath = path.join(baseDir, 'azure-pipelines', 'darwin', 'server-entitlements.plist');
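The review summary above says sign-server.ts detects Mach-O binaries via magic numbers. The following is an added example of that kind of check, not code from the PR: the names classifyMachO, filesToSign and SAMPLES, the constructed sample headers, and the version threshold used to tell a universal binary from a Java class file (both start with 0xCAFEBABE) are assumptions made here.

```typescript
// Added example (not from the PR): classify a file header by Mach-O magic.
type MachOKind = 'thin32' | 'thin64' | 'universal';

// Keys are the first four bytes of the file read as a big-endian u32.
const THIN_MAGICS: Record<number, MachOKind> = {
  0xfeedface: 'thin32', // MH_MAGIC, stored big-endian
  0xcefaedfe: 'thin32', // MH_CIGAM, stored little-endian
  0xfeedfacf: 'thin64', // MH_MAGIC_64, stored big-endian
  0xcffaedfe: 'thin64', // MH_CIGAM_64, stored little-endian (x86_64, arm64)
};
const FAT_MAGIC = 0xcafebabe;    // universal binary; also the Java class magic
const FAT_MAGIC_64 = 0xcafebabf; // universal binary with 64-bit offsets
const MIN_JAVA_MAJOR = 45;       // lowest Java class-file major version

function classifyMachO(header: Uint8Array): MachOKind | null {
  if (header.length < 8) { return null; } // too short for any Mach-O header
  const view = new DataView(header.buffer, header.byteOffset, header.byteLength);
  const magic = view.getUint32(0, false);
  const thin = THIN_MAGICS[magic];
  if (thin) { return thin; }
  if (magic === FAT_MAGIC || magic === FAT_MAGIC_64) {
    // A fat header stores nfat_arch (big-endian) here; a Java class file
    // stores minor/major version, which reads as a value >= 45.
    // Assumption: no real universal binary carries 45 or more slices.
    const second = view.getUint32(4, false);
    return second > 0 && second < MIN_JAVA_MAJOR ? 'universal' : null;
  }
  return null;
}

// Constructed sample headers (first 8 bytes of each hypothetical file).
const SAMPLES: Array<[string, number[]]> = [
  ['arm64 executable', [0xcf, 0xfa, 0xed, 0xfe, 0x0c, 0x00, 0x00, 0x01]],
  ['universal (2 slices)', [0xca, 0xfe, 0xba, 0xbe, 0x00, 0x00, 0x00, 0x02]],
  ['Java 8 class file', [0xca, 0xfe, 0xba, 0xbe, 0x00, 0x00, 0x00, 0x34]],
  ['shell script', [0x23, 0x21, 0x2f, 0x62, 0x69, 0x6e, 0x2f, 0x73]],
  ['truncated file', [0xcf, 0xfa]],
];

// Names of the samples a signing pass would need to cover.
function filesToSign(samples: Array<[string, number[]]>): string[] {
  return samples
    .filter(([, bytes]) => classifyMachO(new Uint8Array(bytes)) !== null)
    .map(([name]) => name);
}
```

A check like this can also run after the signing step as a build gate: every file it classifies as Mach-O should carry a signature before packaging.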
joaomoreno approved these changes Feb 2, 2026
Sign macOS server binaries during build.
Fixes #287005