Fix *nix permissions and use certificate_logical_to_actual #27354
Merged
TravisEz13 merged 2 commits on May 1, 2026
The tarball staging path used `Copy-Item`, which on *nix doesn't preserve the source file mode, so `pwsh` ended up 644 in the `.tar.gz`. The Debian, RPM, and macOS PKG paths explicitly `chmod` everything to 644 and then bump `pwsh` back to 755, which silently demoted `createdump` (the .NET helper that produces crash minidumps) along with it. Now we `chmod 755` both executables in all package staging paths, guarded by `Test-Path` since fxdependent builds don't bundle `createdump`. Also added regression tests which check the permissions of `pwsh` inside the Linux and macOS tarballs before we upload them.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
*nix permissions in tarball are fixed: and
… group

The `CP-…` key codes used for ESRP signing are now set from ADO via the `certificate_logical_to_actual` variable group. The templates reference the following variables instead of literal codes:

- `$(authenticode_cert_id)`
- `$(authenticode_test_cert_id)`
- `$(nuget_cert_id)`
- `$(apple_cert_id)`
- `$(pgp_linux_cert_id)`
- `$(pgp_release_cert_id)`

`nupkg.yml`, `mac-package-build.yml`, and `linux-package-build.yml` pick up the new group import. `linux-package-build.yml` also now selects the PGP signing profile based on whether `jobName` starts with `mariner`, so `PowerShell-Packages-Stages.yml` no longer threads a `signingProfile` parameter in for the two Mariner jobs.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Pull request overview
Updates packaging and pipeline signing to (1) restore executable permissions in *nix tarballs and (2) switch signing configuration to use logical certificate/profile variables sourced from the certificate_logical_to_actual variable group.
Changes:
- Ensure `pwsh` (and `createdump`) have executable permissions when building tarball/Unix packages.
- Add pipeline regression checks to validate `pwsh` is executable inside produced `.tar.gz` artifacts before uploading.
- Replace hardcoded signing certificate/profile identifiers with variables from `certificate_logical_to_actual` across pipeline templates.
Reviewed changes
Copilot reviewed 8 out of 8 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| `tools/packaging/packaging.psm1` | Restores executable permissions for `pwsh` and `createdump` in tarball and Unix package flows. |
| `.pipelines/templates/windows-hosted-build.yml` | Uses `$(nuget_cert_id)` instead of a hardcoded NuGet signing cert ID. |
| `.pipelines/templates/stages/PowerShell-Packages-Stages.yml` | Removes Mariner-specific `signingProfile` parameters (selection moved into the linux packaging template). |
| `.pipelines/templates/shouldSign.yml` | Switches Authenticode/MSIX cert selection to mapped variables. |
| `.pipelines/templates/nupkg.yml` | Adds `certificate_logical_to_actual` group and uses `$(nuget_cert_id)` for NuPkg signing. |
| `.pipelines/templates/mac.yml` | Uses `$(apple_cert_id)` for Apple signing KeyCode. |
| `.pipelines/templates/mac-package-build.yml` | Adds cert mapping group usage and validates `pwsh` executable bit in produced tarballs before upload; uses `$(apple_cert_id)` for signing/notarization. |
| `.pipelines/templates/linux-package-build.yml` | Adds cert mapping group usage, selects PGP signing profile based on Mariner vs non-Mariner jobs, and validates `pwsh` executable bit for tarballs. |
TravisEz13 approved these changes on May 1, 2026
5a0f767 into andyleejordan/apple-notarization
50 of 55 checks passed
PR Summary
Fixes #23968 (with regression tests) and finishes the certificate code abstraction.
PR Context
In the pipelines we for reasons have to zip up the macOS and Linux builds on Windows which strips the executable permissions. We already had logic in the package scripts to correctly restore those permissions before building the RPM, DEB, and PKG packages, but not before packaging the tarball. Per the bug, it's been sadly broken for two years. You'd download the tarball, try to run `./pwsh` and it wouldn't be executable. Now it is, with a regression test that checks the actual file in the tarball before we upload it.
PR Checklist
- `.h`, `.cpp`, `.cs`, `.ps1` and `.psm1` files have the correct copyright header
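
The check this pull request describes (inspect the mode bits recorded inside the `.tar.gz` before upload) can be sketched as follows. This is an added example, not the regression test from the pull request or the PowerShell repository; it goes slightly beyond the described test by also checking `createdump` when present, and the function names, archive layout (`./pwsh` at the archive root) and sample archives are assumptions constructed for illustration.

```python
import io
import stat
import tarfile

# Executables named in the PR text; createdump is absent from fxdependent builds.
REQUIRED = ("pwsh",)
OPTIONAL = ("createdump",)
EXEC_BITS = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH  # the x bits of mode 755


def check_tarball(data: bytes) -> list[str]:
    """Return permission problems for the executables in a .tar.gz payload."""
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        # Read the mode from the tar header; nothing is extracted to disk.
        modes = {m.name.removeprefix("./"): m.mode
                 for m in tar.getmembers() if m.isfile()}
    problems = []
    for name in REQUIRED + OPTIONAL:
        if name not in modes:
            if name in REQUIRED:
                problems.append(f"{name}: missing from archive")
            continue  # an optional helper that is not bundled is fine
        if modes[name] & EXEC_BITS != EXEC_BITS:
            problems.append(f"{name}: mode {modes[name]:04o} is not executable by all")
    return problems


def build_sample(entries: dict[str, int]) -> bytes:
    """Construct an in-memory .tar.gz of empty files from a name -> mode map."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, mode in entries.items():
            info = tarfile.TarInfo(name)
            info.mode = mode
            tar.addfile(info, io.BytesIO(b""))
    return buf.getvalue()


# Constructed samples: the 644 layout described in the PR, then the fixed layouts.
BROKEN = build_sample({"./pwsh": 0o644, "./createdump": 0o644, "./pwsh.dll": 0o644})
FIXED = build_sample({"./pwsh": 0o755, "./createdump": 0o755, "./pwsh.dll": 0o644})
FXDEPENDENT = build_sample({"./pwsh": 0o755, "./pwsh.dll": 0o644})

if __name__ == "__main__":
    for label, blob in (("broken", BROKEN), ("fixed", FIXED), ("fxdependent", FXDEPENDENT)):
        print(label, check_tarball(blob) or "ok")
```

Reading the mode from the archive header rather than from an extracted copy keeps the result independent of the build agent's umask and filesystem.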