Skip to content

[release/9.0] Move DAC signing identity to PME #114031

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Apr 1, 2025
Merged

[release/9.0] Move DAC signing identity to PME #114031

merged 1 commit into from
Apr 1, 2025

Conversation

@hoyosjs
Copy link
Member

@hoyosjs hoyosjs commented Mar 29, 2025
edited
Loading

Required for SFI requirement of ESRP isolation to production tenants.

@hoyosjs hoyosjs requested review from a team and Copilot March 29, 2025 03:44
@ghost ghost added the needs-area-label An area label is needed to ensure this gets routed to the appropriate area owners label Mar 29, 2025
Copilot AI reviewed Mar 29, 2025
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR updates the signing identity for diagnostic binaries to use the new PME configuration.

  • Updated connected service and authentication IDs to the PME values.
  • Revised certificate and tenant information accordingly.
Comments suppressed due to low confidence (2)

eng/pipelines/coreclr/templates/sign-diagnostic-files.yml:18

  • Verify that the new connected service name 'diagnostics-esrp-kvcertuser-pme' is correctly set up in your environment to ensure proper connectivity.
ConnectedServiceName: 'diagnostics-esrp-kvcertuser-pme'

eng/pipelines/coreclr/templates/sign-diagnostic-files.yml:23

  • Confirm that the updated AuthSignCertName 'dac-dnceng-esrpclient-cert' matches the PME certificate configuration and that the corresponding certificate is available.
AuthSignCertName: 'dac-dnceng-esrpclient-cert'

@hoyosjs
Copy link
Member Author

hoyosjs commented Mar 29, 2025

/backport to release/8.0-staging

@github-actions
Copy link
Contributor

github-actions bot commented Mar 29, 2025

Started backporting to release/8.0-staging: https://github.com/dotnet/runtime/actions/runs/14141875850

@github-actions github-actions bot mentioned this pull request Mar 29, 2025
Merged
jeffschwMSFT
jeffschwMSFT reviewed Mar 29, 2025
View reviewed changes
Copy link
Member

@jeffschwMSFT jeffschwMSFT left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

approved. please get a code review. we can treat this as tell mode

cc @carlossanlop

@teo-tsirpanis teo-tsirpanis added this to the 9.0.x milestone Mar 29, 2025
@teo-tsirpanis teo-tsirpanis added area-Infrastructure-coreclr and removed needs-area-label An area label is needed to ensure this gets routed to the appropriate area owners labels Mar 29, 2025
@hoyosjs hoyosjs added the Servicing-approved Approved for servicing release label Apr 1, 2025
@hoyosjs hoyosjs merged commit dcd6c39 into dotnet:release/9.0-staging Apr 1, 2025
90 of 94 checks passed
@hoyosjs hoyosjs deleted the juhoyosa/dac-pme-9 branch April 1, 2025 20:28
@github-actions github-actions bot locked and limited conversation to collaborators May 2, 2025
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

@jeffschwMSFT jeffschwMSFT jeffschwMSFT left review comments

Copilot code review Copilot Copilot left review comments

@jkoritzinsky jkoritzinsky jkoritzinsky approved these changes

@tommcdon tommcdon tommcdon approved these changes

Assignees

@hoyosjs hoyosjs

Labels

area-Infrastructure-coreclr Servicing-approved Approved for servicing release

Projects

Runtime Infra
Status: Done

Milestone

9.0.x

Development

Successfully merging this pull request may close these issues.

5 participants

@hoyosjs @jkoritzinsky @jeffschwMSFT @tommcdon @teo-tsirpanis