Skip to content

Add signing pipeline implementation#1991

Merged
lbussell merged 20 commits intodotnet:mainfrom
lbussell:signing-pipelines
Mar 3, 2026
Merged

Add signing pipeline implementation#1991
lbussell merged 20 commits intodotnet:mainfrom
lbussell:signing-pipelines

Conversation

@lbussell
Copy link
Member

@lbussell lbussell commented Mar 2, 2026

Fixes #1376

lbussell and others added 9 commits February 27, 2026 11:47
@lbussell
Add signing pipeline templates and MicroBuild integration
69d6b33 
Add Azure Pipelines templates for container image signing:

- sign-images.yml job template for signing and verification steps
- install-microbuild.yml step template for MicroBuild signing plugin setup
- Sign stage in build-and-test.yml with conditional execution
- Signing configuration in publish-config-nonprod.yml and publish-config-prod.yml
- MicroBuild environment variable forwarding in init-imagebuilder.yml
- Signing variables (TeamName, MicroBuildFeedSource, plugin version)
- enableSigning parameter and bootstrapImageBuilder support
- appsettings.json generation for signing configuration

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@lbussell
Gate publish on signing success
4e94484 
Require a successful Sign stage result before Publish when signing is enabled. This preserves existing publish behavior when signing is disabled.\n\nCo-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@lbussell
Remove MicroBuild preview install path
ec8c32a 
Drop preview plugin branching and always use MicroBuildSigningPlugin@4. Remove the now-unused preview argument from the sign-images template call.\n\nCo-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@lbussell
Use live MicroBuild feed and version
4346ded 
Switch MicroBuild variables to the live feed and live plugin channel now that official support is available.\n\nCo-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@lbussell
Remove signing environment debug logging
c326e7e 
Delete the broad signing environment variable dump from the sign-images job to avoid noisy and unnecessary logging.\n\nCo-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@lbussell
Remove commented out test feeds
88c8687
@lbussell
Remove windows conditions for installing Microbuild
95027bf
@lbussell
Clean up formatting for signing environment variables
88a809e
@lbussell
Go all-in on using host artifacts path/identity mount in ImageBuilder…
a1b8ca0 
… container
@lbussell lbussell marked this pull request as ready for review March 2, 2026 19:02
@lbussell lbussell requested a review from a team as a code owner March 2, 2026 19:02
@lbussell lbussell requested a review from mthalman March 2, 2026 20:59
mthalman
mthalman reviewed Mar 2, 2026
View reviewed changes
@lbussell lbussell requested a review from mthalman March 3, 2026 02:52
@lbussell lbussell requested a review from ellahathaway March 3, 2026 15:50
@lbussell
Copy link
Member Author

lbussell commented Mar 3, 2026

Validated internally: build#2917345

@lbussell lbussell merged commit 79a2049 into dotnet:main Mar 3, 2026
20 checks passed
@lbussell lbussell deleted the signing-pipelines branch March 3, 2026 18:51
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mthalman mthalman mthalman approved these changes

@ellahathaway ellahathaway Awaiting requested review from ellahathaway

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Enable Image Signing

2 participants

@lbussell @mthalman