PowerShell · TravisEz13 · Dec 3, 2020 · Dec 2, 2020 · Dec 2, 2020 · Dec 2, 2020
diff --git a/EsrpSign.yml b/EsrpSign.yml
@@ -54,6 +54,13 @@ steps:
       pattern: ${{ parameters.pattern }}
       certificateId: ${{ parameters.certificateId }}
 
+- ${{ if eq(parameters.certificateId, 'CP-401337-Apple') }}:
+  - template: template-compliance/macOS-sign.yml
+    parameters:
+      signOutputPath: ${{ parameters.signOutputPath }}
+      pattern: ${{ parameters.pattern }}
+      certificateId: ${{ parameters.certificateId }}
+
 - pwsh: |
     Write-Verbose -Verbose "EsrpJson = '${env:EsrpJson}'"
   displayName: Log Json

diff --git a/README.md b/README.md
@@ -142,6 +142,22 @@ This example signs `dll` `psd1` and `psm1` files recursively, using minimatch.
         useMinimatch: true
 ```
 
+### ESRP macOS example
+
+This example signs `pkg` files recursively, using minimatch.
+
+```yaml
+  - template: EsrpSign.yml@ComplianceRepo
+      parameters:
+        buildOutputPath: $(signSrcPath)
+        signOutputPath: $(signOutPath)
+        # this is the cert for macOS signing
+        certificateId: "CP-401337-Apple"
+        # this is the pattern for pkg signing
+        pattern: |
+            **\*.pkg
+        useMinimatch: true
+```
 ## ESRP Malware Scanning Template Overview
 
 ** Requires on-boarding, see the wiki in the internal PowerShell Maintainers teams channel **

diff --git a/template-compliance/macOS-sign.yml b/template-compliance/macOS-sign.yml
@@ -0,0 +1,35 @@
+parameters:
+  - name: "signOutputPath"
+    default: "$(Build.ArtifactStagingDirectory)\\signed"
+  - name: "pattern"
+    default: "*.pkg"
+  - name: "certificateId"
+    default: "CP-401337-Apple"
+
+steps:
+
+- pwsh: |
+    [string] $CertificateId = "${{ parameters.certificateId }}"
+    Write-Verbose "CertificateId - $CertificateId" -Verbose
+
+    [string] $VariableName = "EsrpJson"
+
+    [string] $SigningServer = '$(SigningServer)'
+    Write-Verbose "SigningServer - $SigningServer" -Verbose
+
+    [hashtable[]] $esrp = @(@{
+    keyCode = $CertificateId
+    operationSetCode = "MacAppDeveloperSign"
+    toolName = "sign"
+    toolVersion = "1.0"
+    })
+
+    $vstsCommandString = "vso[task.setvariable variable=$VariableName][$($esrp | ConvertTo-Json -Compress)]"
+    Write-Verbose -Message ("sending " + $vstsCommandString) -Verbose
+    Write-Host "##$vstsCommandString"
+
+    $vstsCommandString = "vso[task.setvariable variable=GDN_CODESIGN_TARGETDIRECTORY]${{ parameters.signOutputPath }}"
+    Write-Verbose -Message ("sending " + $vstsCommandString) -Verbose
+    Write-Host "##$vstsCommandString"
+  displayName: Generate PGP signing JSON
+  condition: and(and(and(succeeded(), eq(variables['Build.Reason'], 'Manual')), ne(variables['SkipSigning'], 'True')), ne(variables['SigningServer'], ''))