From f69de2b5dc501c83116608a7b57a98bb4f05638f Mon Sep 17 00:00:00 2001 From: Siddharth Paudwal Date: Thu, 29 Jan 2026 14:24:07 +0530 Subject: [PATCH 01/19] made some changes in build yaml to publish artifcats in pipeline --- .azuredevops/BuildAndTest.yml | 33 +++++++++++++++++++++++++++------ 1 file changed, 27 insertions(+), 6 deletions(-) diff --git a/.azuredevops/BuildAndTest.yml b/.azuredevops/BuildAndTest.yml index 8d70848..2196d86 100644 --- a/.azuredevops/BuildAndTest.yml +++ b/.azuredevops/BuildAndTest.yml @@ -6,14 +6,17 @@ parameters: name: Azure-Pipelines-1ESPT-ExDShared image: windows-latest os: windows + runtime: win-x64 - pool: name: Azure-Pipelines-1ESPT-ExDShared image: ubuntu-latest os: linux + runtime: linux-x64 - pool: name: Azure Pipelines image: macOS-latest os: macOS + runtime: osx-x64 stages: - stage: build @@ -22,16 +25,27 @@ stages: - ${{ each config in parameters.buildConfigs }}: - job: build_${{ config.pool.os }} displayName: Building and Testing on ${{ config.pool.os }} + - job: build_${{ replace(config.runtime, '-', '_') }} + displayName: Building and Testing on ${{ config.runtime }} pool: name: ${{ config.pool.name }} image: ${{ config.pool.image }} os: ${{ config.pool.os }} + templateContext: + outputs: + - output: pipelineArtifact + targetPath: dist/${{ config.runtime }} + artifactName: azureauth-${{ config.runtime }} steps: - checkout: self - task: UseDotNet@2 displayName: Use .NET Core sdk 8.x inputs: version: 8.x + - task: NuGetToolInstaller@0 + displayName: Use NuGet 6.x + inputs: + versionSpec: 6.x - task: DotNetCoreCLI@2 displayName: Install dependencies inputs: @@ -39,15 +53,22 @@ stages: feedsToUse: select vstsFeed: Office includeNuGetOrg: false + arguments: --runtime ${{ config.runtime }} # 1ES PT requires explicit build task for Roslyn analysis. Auto-injected Roslyn task will use build logs from this build. - task: DotNetCoreCLI@2 displayName: Build projects - inputs: - command: 'build' - arguments: --no-restore - projects: '**/*.csproj' - - task: DotNetCoreCLI@2 +@@ -50,4 +63,13 @@ stages: displayName: Test inputs: command: test - arguments: --no-restore --no-build --verbosity normal \ No newline at end of file + arguments: --no-restore --no-build --verbosity normal + arguments: --no-restore --no-build --verbosity normal + - task: DotNetCoreCLI@2 + displayName: Publish artifacts + inputs: + command: publish + projects: src/AzureAuth/AzureAuth.csproj + arguments: --configuration release --self-contained true --runtime ${{ config.runtime }} --output dist/${{ config.runtime }} + publishWebProjects: false + zipAfterPublish: false + modifyOutputPath: true From 79775ed6e309a033efb943d835a809be9ce7c1ad Mon Sep 17 00:00:00 2001 From: Siddharth Paudwal Date: Thu, 29 Jan 2026 14:35:02 +0530 Subject: [PATCH 02/19] resolved issue --- .azuredevops/BuildAndTest.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.azuredevops/BuildAndTest.yml b/.azuredevops/BuildAndTest.yml index 2196d86..5bece42 100644 --- a/.azuredevops/BuildAndTest.yml +++ b/.azuredevops/BuildAndTest.yml @@ -57,7 +57,6 @@ stages: # 1ES PT requires explicit build task for Roslyn analysis. Auto-injected Roslyn task will use build logs from this build. - task: DotNetCoreCLI@2 displayName: Build projects -@@ -50,4 +63,13 @@ stages: displayName: Test inputs: command: test From d923a5efc1295dce9bd0a4e357cd3ad6500fc3c9 Mon Sep 17 00:00:00 2001 From: Siddharth Paudwal Date: Thu, 29 Jan 2026 15:16:19 +0530 Subject: [PATCH 03/19] corrected yaml file --- .azuredevops/BuildAndTest.yml | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/.azuredevops/BuildAndTest.yml b/.azuredevops/BuildAndTest.yml index 5bece42..36b9a5b 100644 --- a/.azuredevops/BuildAndTest.yml +++ b/.azuredevops/BuildAndTest.yml @@ -23,8 +23,6 @@ stages: displayName: Build And Test jobs: - ${{ each config in parameters.buildConfigs }}: - - job: build_${{ config.pool.os }} - displayName: Building and Testing on ${{ config.pool.os }} - job: build_${{ replace(config.runtime, '-', '_') }} displayName: Building and Testing on ${{ config.runtime }} pool: @@ -57,11 +55,15 @@ stages: # 1ES PT requires explicit build task for Roslyn analysis. Auto-injected Roslyn task will use build logs from this build. - task: DotNetCoreCLI@2 displayName: Build projects + inputs: + command: 'build' + arguments: --no-restore + projects: '**/*.csproj' + - task: DotNetCoreCLI@2 displayName: Test inputs: command: test arguments: --no-restore --no-build --verbosity normal - arguments: --no-restore --no-build --verbosity normal - task: DotNetCoreCLI@2 displayName: Publish artifacts inputs: @@ -70,4 +72,4 @@ stages: arguments: --configuration release --self-contained true --runtime ${{ config.runtime }} --output dist/${{ config.runtime }} publishWebProjects: false zipAfterPublish: false - modifyOutputPath: true + modifyOutputPath: true \ No newline at end of file From 49bfd39dc7a71de48ca537e9485b43943f7d6556 Mon Sep 17 00:00:00 2001 From: Siddharth Paudwal Date: Thu, 29 Jan 2026 15:36:53 +0530 Subject: [PATCH 04/19] corrected yaml file --- .azuredevops/BuildAndTest.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.azuredevops/BuildAndTest.yml b/.azuredevops/BuildAndTest.yml index 36b9a5b..d073bb6 100644 --- a/.azuredevops/BuildAndTest.yml +++ b/.azuredevops/BuildAndTest.yml @@ -44,6 +44,8 @@ stages: displayName: Use NuGet 6.x inputs: versionSpec: 6.x + - task: NuGetAuthenticate@1 + displayName: Authenticate to Azure Artifacts - task: DotNetCoreCLI@2 displayName: Install dependencies inputs: From 6bcade42384dc9593d1a825319c63fec2b903c55 Mon Sep 17 00:00:00 2001 From: Siddharth Paudwal Date: Fri, 30 Jan 2026 04:08:27 +0530 Subject: [PATCH 05/19] added linux executable for distribution --- .azuredevops/release.yml | 60 +++++++++++++++++++++++++++++++++++++++- 1 file changed, 59 insertions(+), 1 deletion(-) diff --git a/.azuredevops/release.yml b/.azuredevops/release.yml index 7a83512..234ed92 100644 --- a/.azuredevops/release.yml +++ b/.azuredevops/release.yml @@ -27,6 +27,12 @@ parameters: os: macOS runtime: osx-arm64 archiveExt: tar.gz + - pool: + name: Azure-Pipelines-1ESPT-ExDShared + image: ubuntu-latest + os: linux + runtime: linux-x64 + archiveExt: tar.gz variables: - name: tags @@ -252,6 +258,41 @@ extends: destinationFolder: $(artifactsPath)-${{ config.runtime }} cleanDestinationFolder: true overwriteExistingFiles: true + # Linux signing with ESRP + - task: EsrpCodeSigning@5 + displayName: Sign artifacts linux-x64 + condition: eq('${{ config.runtime }}', 'linux-x64') + inputs: + ConnectedServiceName: $(ESRP_KV_SERVICE_CONNECTION) + AppRegistrationClientId: $(SIGNING_AAD_ID) + AppRegistrationTenantId: $(SIGNING_TENANT_ID) + AuthAKVName: $(AZURE_VAULT) + AuthCertName: $(AZURE_VAULT_ESRP_AAD_CERT_NAME) + AuthSignCertName: $(AZURE_VAULT_ESRP_REQ_CERT_NAME) + FolderPath: $(artifactsPath)-${{ config.runtime }}/AzureAuth + Pattern: 'azureauth,*.so,*.dll' + signConfigType: 'inlineSignParams' + inlineOperation: | + [ + { + "KeyCode": "$(SIGNING_KEY_CODE_LINUX)", + "OperationCode": "LinuxSign", + "ToolName": "sign", + "ToolVersion": "1.0", + "Parameters": {} + }, + { + "KeyCode": "$(SIGNING_KEY_CODE_LINUX)", + "OperationCode": "LinuxVerify", + "ToolName": "sign", + "ToolVersion": "1.0", + "Parameters": {} + } + ] + SessionTimeout: '60' + MaxConcurrency: '50' + MaxRetryAttempts: '5' + PendingAnalysisWaitTimeoutMinutes: '5' # We rename the signed artifacts to avoid conflicts with the unsigned pipeline artifacts from the previous stage. - task: PowerShell@2 displayName: Rename signed artifacts @@ -329,6 +370,22 @@ extends: archiveType: tar tarCompression: gz archiveFile: $(artifactsPath)-packaged/azureauth-${{ parameters.version }}-osx-arm64.tar.gz + - task: Bash@3 + displayName: Prepare linux-x64 executables + inputs: + workingDirectory: $(Build.ArtifactStagingDirectory) + targetType: inline + script: | + cd azureauth-${{ parameters.version }}-linux-x64-signed/AzureAuth + chmod +x azureauth createdump *.so + - task: ArchiveFiles@2 + displayName: Create linux-x64 archive + inputs: + rootFolderOrFile: $(artifactsPath)-linux-x64-signed/AzureAuth + includeRootFolder: false + archiveType: tar + tarCompression: gz + archiveFile: $(artifactsPath)-packaged/azureauth-${{ parameters.version }}-linux-x64.tar.gz - stage: release displayName: Release @@ -376,4 +433,5 @@ extends: assets: | $(artifactsPath)-packaged/azureauth-${{ parameters.version }}-win-x64.zip $(artifactsPath)-packaged/azureauth-${{ parameters.version }}-osx-x64.tar.gz - $(artifactsPath)-packaged/azureauth-${{ parameters.version }}-osx-arm64.tar.gz \ No newline at end of file + $(artifactsPath)-packaged/azureauth-${{ parameters.version }}-osx-arm64.tar.gz + $(artifactsPath)-packaged/azureauth-${{ parameters.version }}-linux-x64.tar.gz \ No newline at end of file From 68b70f6c1a26bc183b386ec725775605321837ea Mon Sep 17 00:00:00 2001 From: Siddharth Paudwal Date: Fri, 30 Jan 2026 14:00:19 +0530 Subject: [PATCH 06/19] added nuget authenticate task --- .azuredevops/release.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.azuredevops/release.yml b/.azuredevops/release.yml index 234ed92..36232f8 100644 --- a/.azuredevops/release.yml +++ b/.azuredevops/release.yml @@ -114,6 +114,8 @@ extends: displayName: Use NuGet 6.x inputs: versionSpec: 6.x + - task: NuGetAuthenticate@1 + displayName: Authenticate to Azure Artifacts - task: DotNetCoreCLI@2 displayName: Install dependencies inputs: From d51f3a1b27c327cf54fd67ea5c20fca368002e49 Mon Sep 17 00:00:00 2001 From: Siddharth Paudwal Date: Fri, 30 Jan 2026 15:26:16 +0530 Subject: [PATCH 07/19] correcting esrp service connection task --- .azuredevops/release.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.azuredevops/release.yml b/.azuredevops/release.yml index 36232f8..6283673 100644 --- a/.azuredevops/release.yml +++ b/.azuredevops/release.yml @@ -174,6 +174,7 @@ extends: condition: eq('${{ config.runtime }}', 'win-x64') inputs: ConnectedServiceName: $(ESRP_KV_SERVICE_CONNECTION) + UseMSIAuthentication: true AppRegistrationClientId: $(SIGNING_AAD_ID) AppRegistrationTenantId: $(SIGNING_TENANT_ID) AuthAKVName: $(AZURE_VAULT) @@ -223,7 +224,7 @@ extends: condition: startsWith('${{ config.runtime }}', 'osx') inputs: ConnectedServiceName: $(ESRP_KV_SERVICE_CONNECTION) - AppRegistrationClientId: $(SIGNING_AAD_ID) + UseMSIAuthentication: true AppRegistrationTenantId: $(SIGNING_TENANT_ID) AuthAKVName: $(AZURE_VAULT) AuthCertName: $(AZURE_VAULT_ESRP_AAD_CERT_NAME) @@ -266,6 +267,7 @@ extends: condition: eq('${{ config.runtime }}', 'linux-x64') inputs: ConnectedServiceName: $(ESRP_KV_SERVICE_CONNECTION) + UseMSIAuthentication: true AppRegistrationClientId: $(SIGNING_AAD_ID) AppRegistrationTenantId: $(SIGNING_TENANT_ID) AuthAKVName: $(AZURE_VAULT) From d890a529560a225d6f3cc46be090a0c70540110b Mon Sep 17 00:00:00 2001 From: Siddharth Paudwal Date: Fri, 30 Jan 2026 16:30:24 +0530 Subject: [PATCH 08/19] correcting esrp service connection --- .azuredevops/release.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.azuredevops/release.yml b/.azuredevops/release.yml index 6283673..22ea0d7 100644 --- a/.azuredevops/release.yml +++ b/.azuredevops/release.yml @@ -177,6 +177,7 @@ extends: UseMSIAuthentication: true AppRegistrationClientId: $(SIGNING_AAD_ID) AppRegistrationTenantId: $(SIGNING_TENANT_ID) + EsrpClientId: $(SIGNING_AAD_ID) AuthAKVName: $(AZURE_VAULT) AuthCertName: $(AZURE_VAULT_ESRP_AAD_CERT_NAME) AuthSignCertName: $(AZURE_VAULT_ESRP_REQ_CERT_NAME) @@ -227,6 +228,7 @@ extends: UseMSIAuthentication: true AppRegistrationTenantId: $(SIGNING_TENANT_ID) AuthAKVName: $(AZURE_VAULT) + EsrpClientId: $(SIGNING_AAD_ID) AuthCertName: $(AZURE_VAULT_ESRP_AAD_CERT_NAME) AuthSignCertName: $(AZURE_VAULT_ESRP_REQ_CERT_NAME) FolderPath: $(Build.ArtifactStagingDirectory) @@ -270,6 +272,7 @@ extends: UseMSIAuthentication: true AppRegistrationClientId: $(SIGNING_AAD_ID) AppRegistrationTenantId: $(SIGNING_TENANT_ID) + EsrpClientId: $(SIGNING_AAD_ID) AuthAKVName: $(AZURE_VAULT) AuthCertName: $(AZURE_VAULT_ESRP_AAD_CERT_NAME) AuthSignCertName: $(AZURE_VAULT_ESRP_REQ_CERT_NAME) From add917924ae9e9a6cde34282f2f9d6a91ad3a885 Mon Sep 17 00:00:00 2001 From: Siddharth Paudwal Date: Fri, 30 Jan 2026 17:38:02 +0530 Subject: [PATCH 09/19] corrected esrp for osx distribution --- .azuredevops/release.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.azuredevops/release.yml b/.azuredevops/release.yml index 22ea0d7..b4562fd 100644 --- a/.azuredevops/release.yml +++ b/.azuredevops/release.yml @@ -226,6 +226,7 @@ extends: inputs: ConnectedServiceName: $(ESRP_KV_SERVICE_CONNECTION) UseMSIAuthentication: true + AppRegistrationClientId: $(SIGNING_AAD_ID) AppRegistrationTenantId: $(SIGNING_TENANT_ID) AuthAKVName: $(AZURE_VAULT) EsrpClientId: $(SIGNING_AAD_ID) From c899826a83ec9c2d19811914a5bdae9303e3954b Mon Sep 17 00:00:00 2001 From: Siddharth Paudwal Date: Tue, 3 Feb 2026 23:44:48 +0530 Subject: [PATCH 10/19] added linux module --- .azuredevops/BuildAndTest.yml | 12 ++++ .azuredevops/release.yml | 113 ++++++++++++++++++++++++++++------ 2 files changed, 107 insertions(+), 18 deletions(-) diff --git a/.azuredevops/BuildAndTest.yml b/.azuredevops/BuildAndTest.yml index d073bb6..10ea55d 100644 --- a/.azuredevops/BuildAndTest.yml +++ b/.azuredevops/BuildAndTest.yml @@ -17,6 +17,18 @@ parameters: image: macOS-latest os: macOS runtime: osx-x64 + - pool: + name: Azure-Pipelines-1ESPT-ExDShared + image: windows-latest + os: windows + runtime: win-arm64 + archiveExt: zip + - pool: + name: Azure-Pipelines-1ESPT-ExDShared + image: ubuntu-latest + os: linux + runtime: linux-arm64 + archiveExt: tar.gz stages: - stage: build diff --git a/.azuredevops/release.yml b/.azuredevops/release.yml index 234ed92..86735fc 100644 --- a/.azuredevops/release.yml +++ b/.azuredevops/release.yml @@ -32,7 +32,19 @@ parameters: image: ubuntu-latest os: linux runtime: linux-x64 - archiveExt: tar.gz + archiveExt: deb + - pool: + name: Azure-Pipelines-1ESPT-ExDShared + image: windows-latest + os: windows + runtime: win-arm64 + archiveExt: zip + - pool: + name: Azure-Pipelines-1ESPT-ExDShared + image: ubuntu-latest + os: linux + runtime: linux-arm64 + archiveExt: deb variables: - name: tags @@ -168,8 +180,8 @@ extends: targetPath: $(artifactsPath)-${{ config.runtime }}-signed steps: - task: EsrpCodeSigning@5 - displayName: Sign artifacts win-x64 - condition: eq('${{ config.runtime }}', 'win-x64') + displayName: Sign artifacts win + condition: startsWith('${{ config.runtime }}', 'win') inputs: ConnectedServiceName: $(ESRP_KV_SERVICE_CONNECTION) AppRegistrationClientId: $(SIGNING_AAD_ID) @@ -207,10 +219,10 @@ extends: MaxConcurrency: '50' MaxRetryAttempts: '5' PendingAnalysisWaitTimeoutMinutes: '5' - # We need to zip the artifacts for osx before sending to ESRP for signing. + # We need to zip the artifacts for osx and linux before sending to ESRP for signing. - task: ArchiveFiles@2 displayName: Codesigning - zip artifacts to send to ESRP - condition: startsWith('${{ config.runtime }}', 'osx') + condition: or(startsWith('${{ config.runtime }}','osx'), startsWith('${{ config.runtime }}','linux')) inputs: rootFolderOrFile: $(artifactsPath)-${{ config.runtime }} includeRootFolder: false @@ -252,7 +264,7 @@ extends: PendingAnalysisWaitTimeoutMinutes: '5' - task: ExtractFiles@1 displayName: Extract signed artifacts osx - condition: startsWith('${{ config.runtime }}', 'osx') + condition: or(startsWith('${{ config.runtime }}','osx'), startsWith('${{ config.runtime }}','linux')) inputs: archiveFilePatterns: $(artifactsPath)-${{ config.runtime }}.zip destinationFolder: $(artifactsPath)-${{ config.runtime }} @@ -261,7 +273,7 @@ extends: # Linux signing with ESRP - task: EsrpCodeSigning@5 displayName: Sign artifacts linux-x64 - condition: eq('${{ config.runtime }}', 'linux-x64') + condition: startsWith('${{ config.runtime }}','linux') inputs: ConnectedServiceName: $(ESRP_KV_SERVICE_CONNECTION) AppRegistrationClientId: $(SIGNING_AAD_ID) @@ -371,21 +383,85 @@ extends: tarCompression: gz archiveFile: $(artifactsPath)-packaged/azureauth-${{ parameters.version }}-osx-arm64.tar.gz - task: Bash@3 - displayName: Prepare linux-x64 executables + displayName: Create linux-x64 Debian package inputs: workingDirectory: $(Build.ArtifactStagingDirectory) targetType: inline script: | - cd azureauth-${{ parameters.version }}-linux-x64-signed/AzureAuth - chmod +x azureauth createdump *.so - - task: ArchiveFiles@2 - displayName: Create linux-x64 archive + set -e + VERSION="${{ parameters.version }}" + ARCH="amd64" + PKG_NAME="azureauth" + PKG_DIR="${PKG_NAME}_${VERSION}-1_${ARCH}" + + # Create Debian package directory structure + mkdir -p "${PKG_DIR}/DEBIAN" + mkdir -p "${PKG_DIR}/usr/bin" + mkdir -p "${PKG_DIR}/usr/lib/azureauth" + + # Copy binaries + cp -r azureauth-${{ parameters.version }}-linux-x64-signed/AzureAuth/* "${PKG_DIR}/usr/lib/azureauth/" + chmod +x "${PKG_DIR}/usr/lib/azureauth/azureauth" + chmod +x "${PKG_DIR}/usr/lib/azureauth/createdump" + chmod +x "${PKG_DIR}/usr/lib/azureauth/"*.so + + # Create symlink script + ln -sf /usr/lib/azureauth/azureauth "${PKG_DIR}/usr/bin/azureauth" + + # Create control file + cat > "${PKG_DIR}/DEBIAN/control" << EOF + Package: ${PKG_NAME} + Version: ${VERSION}-1 + Section: misc + Priority: optional + Architecture: ${ARCH} + Maintainer: ES365 Security Experience Team + Description: A CLI interface to MSAL authentication. Visit https://aka.ms/azureauth for more information + EOF + + # Build the package + dpkg-deb --build "${PKG_DIR}" + mv "${PKG_DIR}.deb" "azureauth-${{ parameters.version }}-packaged/azureauth-${{ parameters.version }}-linux-x64.deb" + - task: Bash@3 + displayName: Create linux-arm64 Debian package inputs: - rootFolderOrFile: $(artifactsPath)-linux-x64-signed/AzureAuth - includeRootFolder: false - archiveType: tar - tarCompression: gz - archiveFile: $(artifactsPath)-packaged/azureauth-${{ parameters.version }}-linux-x64.tar.gz + workingDirectory: $(Build.ArtifactStagingDirectory) + targetType: inline + script: | + set -e + VERSION="${{ parameters.version }}" + ARCH="arm64" + PKG_NAME="azureauth" + PKG_DIR="${PKG_NAME}_${VERSION}-1_${ARCH}" + + # Create Debian package directory structure + mkdir -p "${PKG_DIR}/DEBIAN" + mkdir -p "${PKG_DIR}/usr/bin" + mkdir -p "${PKG_DIR}/usr/lib/azureauth" + + # Copy binaries + cp -r azureauth-${{ parameters.version }}-linux-arm64-signed/AzureAuth/* "${PKG_DIR}/usr/lib/azureauth/" + chmod +x "${PKG_DIR}/usr/lib/azureauth/azureauth" + chmod +x "${PKG_DIR}/usr/lib/azureauth/createdump" + chmod +x "${PKG_DIR}/usr/lib/azureauth/"*.so + + # Create symlink script + ln -sf /usr/lib/azureauth/azureauth "${PKG_DIR}/usr/bin/azureauth" + + # Create control file + cat > "${PKG_DIR}/DEBIAN/control" << EOF + Package: ${PKG_NAME} + Version: ${VERSION}-1 + Section: misc + Priority: optional + Architecture: ${ARCH} + Maintainer: ES365 Security Experience Team + Description: A CLI interface to MSAL authentication. Visit https://aka.ms/azureauth for more information + EOF + + # Build the package + dpkg-deb --build "${PKG_DIR}" + mv "${PKG_DIR}.deb" "azureauth-${{ parameters.version }}-packaged/azureauth-${{ parameters.version }}-linux-arm64.deb" - stage: release displayName: Release @@ -434,4 +510,5 @@ extends: $(artifactsPath)-packaged/azureauth-${{ parameters.version }}-win-x64.zip $(artifactsPath)-packaged/azureauth-${{ parameters.version }}-osx-x64.tar.gz $(artifactsPath)-packaged/azureauth-${{ parameters.version }}-osx-arm64.tar.gz - $(artifactsPath)-packaged/azureauth-${{ parameters.version }}-linux-x64.tar.gz \ No newline at end of file + $(artifactsPath)-packaged/azureauth-${{ parameters.version }}-linux-x64.deb + $(artifactsPath)-packaged/azureauth-${{ parameters.version }}-linux-arm64.deb \ No newline at end of file From a8c3a945b2421b69ef802d66f3e5ce2459a642d5 Mon Sep 17 00:00:00 2001 From: Siddharth Paudwal Date: Tue, 3 Feb 2026 23:56:15 +0530 Subject: [PATCH 11/19] added linux module and fixed esrp module --- .azuredevops/release.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/.azuredevops/release.yml b/.azuredevops/release.yml index 86735fc..24d9e39 100644 --- a/.azuredevops/release.yml +++ b/.azuredevops/release.yml @@ -184,8 +184,10 @@ extends: condition: startsWith('${{ config.runtime }}', 'win') inputs: ConnectedServiceName: $(ESRP_KV_SERVICE_CONNECTION) + UseMSIAuthentication: true AppRegistrationClientId: $(SIGNING_AAD_ID) AppRegistrationTenantId: $(SIGNING_TENANT_ID) + EsrpClientId: "9f327a71-bffd-4a67-8a7b-443e11df2909" AuthAKVName: $(AZURE_VAULT) AuthCertName: $(AZURE_VAULT_ESRP_AAD_CERT_NAME) AuthSignCertName: $(AZURE_VAULT_ESRP_REQ_CERT_NAME) @@ -233,8 +235,10 @@ extends: condition: startsWith('${{ config.runtime }}', 'osx') inputs: ConnectedServiceName: $(ESRP_KV_SERVICE_CONNECTION) + UseMSIAuthentication: true AppRegistrationClientId: $(SIGNING_AAD_ID) AppRegistrationTenantId: $(SIGNING_TENANT_ID) + EsrpClientId: "9f327a71-bffd-4a67-8a7b-443e11df2909" AuthAKVName: $(AZURE_VAULT) AuthCertName: $(AZURE_VAULT_ESRP_AAD_CERT_NAME) AuthSignCertName: $(AZURE_VAULT_ESRP_REQ_CERT_NAME) @@ -276,8 +280,10 @@ extends: condition: startsWith('${{ config.runtime }}','linux') inputs: ConnectedServiceName: $(ESRP_KV_SERVICE_CONNECTION) + UseMSIAuthentication: true AppRegistrationClientId: $(SIGNING_AAD_ID) AppRegistrationTenantId: $(SIGNING_TENANT_ID) + EsrpClientId: "9f327a71-bffd-4a67-8a7b-443e11df2909" AuthAKVName: $(AZURE_VAULT) AuthCertName: $(AZURE_VAULT_ESRP_AAD_CERT_NAME) AuthSignCertName: $(AZURE_VAULT_ESRP_REQ_CERT_NAME) From 83612bc931896ac7de5a17fc4ca4e28d4e315a58 Mon Sep 17 00:00:00 2001 From: Siddharth Paudwal Date: Wed, 4 Feb 2026 02:05:01 +0530 Subject: [PATCH 12/19] added nuget authenticate task --- .azuredevops/release.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.azuredevops/release.yml b/.azuredevops/release.yml index 24d9e39..b3963b5 100644 --- a/.azuredevops/release.yml +++ b/.azuredevops/release.yml @@ -126,6 +126,8 @@ extends: displayName: Use NuGet 6.x inputs: versionSpec: 6.x + - task: NuGetAuthenticate@1 + displayName: Authenticate to Azure Artifacts - task: DotNetCoreCLI@2 displayName: Install dependencies inputs: From 167bda8d0f2bc71043dfa98d26c1b3337e27a797 Mon Sep 17 00:00:00 2001 From: spaudwal Date: Sat, 7 Feb 2026 01:57:17 +0530 Subject: [PATCH 13/19] added zip signing for linux package --- .azuredevops/release.yml | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/.azuredevops/release.yml b/.azuredevops/release.yml index b3963b5..02ad34e 100644 --- a/.azuredevops/release.yml +++ b/.azuredevops/release.yml @@ -268,15 +268,7 @@ extends: MaxConcurrency: '50' MaxRetryAttempts: '5' PendingAnalysisWaitTimeoutMinutes: '5' - - task: ExtractFiles@1 - displayName: Extract signed artifacts osx - condition: or(startsWith('${{ config.runtime }}','osx'), startsWith('${{ config.runtime }}','linux')) - inputs: - archiveFilePatterns: $(artifactsPath)-${{ config.runtime }}.zip - destinationFolder: $(artifactsPath)-${{ config.runtime }} - cleanDestinationFolder: true - overwriteExistingFiles: true - # Linux signing with ESRP + # Linux signing with ESRP - task: EsrpCodeSigning@5 displayName: Sign artifacts linux-x64 condition: startsWith('${{ config.runtime }}','linux') @@ -290,7 +282,7 @@ extends: AuthCertName: $(AZURE_VAULT_ESRP_AAD_CERT_NAME) AuthSignCertName: $(AZURE_VAULT_ESRP_REQ_CERT_NAME) FolderPath: $(artifactsPath)-${{ config.runtime }}/AzureAuth - Pattern: 'azureauth,*.so,*.dll' + Pattern: 'azureauth-${{ parameters.version }}-${{ config.runtime }}.zip' signConfigType: 'inlineSignParams' inlineOperation: | [ @@ -313,6 +305,14 @@ extends: MaxConcurrency: '50' MaxRetryAttempts: '5' PendingAnalysisWaitTimeoutMinutes: '5' + - task: ExtractFiles@1 + displayName: Extract signed artifacts osx + condition: or(startsWith('${{ config.runtime }}','osx'), startsWith('${{ config.runtime }}','linux')) + inputs: + archiveFilePatterns: $(artifactsPath)-${{ config.runtime }}.zip + destinationFolder: $(artifactsPath)-${{ config.runtime }} + cleanDestinationFolder: true + overwriteExistingFiles: true # We rename the signed artifacts to avoid conflicts with the unsigned pipeline artifacts from the previous stage. - task: PowerShell@2 displayName: Rename signed artifacts From 773d86fbf660e2edc707fc8c93da0ad3c13ad2c0 Mon Sep 17 00:00:00 2001 From: spaudwal Date: Sat, 7 Feb 2026 03:15:55 +0530 Subject: [PATCH 14/19] added binskim suppression file --- .gdn/.gdnbaselines | 29 +++++++++++++++++++++++++++++ .gdn/.gdnsuppress | 29 +++++++++++++++++++++++++++++ 2 files changed, 58 insertions(+) create mode 100644 .gdn/.gdnbaselines create mode 100644 .gdn/.gdnsuppress diff --git a/.gdn/.gdnbaselines b/.gdn/.gdnbaselines new file mode 100644 index 0000000..f9e304d --- /dev/null +++ b/.gdn/.gdnbaselines @@ -0,0 +1,29 @@ +{ + "hydrated": true, + "properties": { + "helpUri": "https://eng.ms/docs/microsoft-security/security/azure-security/cloudai-security-fundamentals-engineering/security-integration/guardian-wiki/microsoft-guardian/general/baselines" + }, + "version": "1.0.0", + "baselines": { + "guardian-baseline": { + "name": "guardian-baseline", + "createdDate": "2026-02-06 20:55:03Z", + "lastUpdatedDate": "2026-02-06 20:55:03Z" + } + }, + "results": { + "2960648537ceab2dc9e4d4c3ff0f34bcc246699ca797e6d0588cfdb877e66e36": { + "signature": "2960648537ceab2dc9e4d4c3ff0f34bcc246699ca797e6d0588cfdb877e66e36", + "alternativeSignatures": [ + "d54c1b18e7a800bc62578ecf06fbadaa70e667f9f62d2d5b60e12fcfc8cba11e" + ], + "target": "**/AzureAuth/*.dll", + "memberOf": [ + "guardian-baseline" + ], + "tool": "binskim", + "ruleId": "BA2021", + "createdDate": "2026-02-06 20:55:03Z" + } + } +} diff --git a/.gdn/.gdnsuppress b/.gdn/.gdnsuppress new file mode 100644 index 0000000..87fe407 --- /dev/null +++ b/.gdn/.gdnsuppress @@ -0,0 +1,29 @@ +{ + "hydrated": true, + "properties": { + "helpUri": "https://eng.ms/docs/microsoft-security/security/azure-security/cloudai-security-fundamentals-engineering/security-integration/guardian-wiki/microsoft-guardian/general/suppressions" + }, + "version": "1.0.0", + "suppressionSets": { + "default": { + "name": "default", + "createdDate": "2026-02-06 20:55:03Z", + "lastUpdatedDate": "2026-02-06 20:55:03Z" + } + }, + "results": { + "2960648537ceab2dc9e4d4c3ff0f34bcc246699ca797e6d0588cfdb877e66e36": { + "signature": "2960648537ceab2dc9e4d4c3ff0f34bcc246699ca797e6d0588cfdb877e66e36", + "alternativeSignatures": [ + "d54c1b18e7a800bc62578ecf06fbadaa70e667f9f62d2d5b60e12fcfc8cba11e" + ], + "target": "**/AzureAuth/*.dll", + "memberOf": [ + "default" + ], + "tool": "binskim", + "ruleId": "BA2021", + "createdDate": "2026-02-06 20:55:03Z" + } + } +} From b8a7ba406bd355edc7505a7b610667753287f371 Mon Sep 17 00:00:00 2001 From: Siddharth Paudwal Date: Sun, 8 Feb 2026 15:26:49 +0530 Subject: [PATCH 15/19] using unofficial template --- .azuredevops/release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.azuredevops/release.yml b/.azuredevops/release.yml index 02ad34e..6ba1061 100644 --- a/.azuredevops/release.yml +++ b/.azuredevops/release.yml @@ -69,7 +69,7 @@ resources: ref: refs/tags/release extends: - template: v1/Office.Official.PipelineTemplate.yml@OfficePipelineTemplates + template: v1/Office.UnOfficial.PipelineTemplate.yml@OfficePipelineTemplates parameters: pool: name: Azure-Pipelines-1ESPT-ExDShared From b3c08e81361f46c75554a33a0b8955848e14820d Mon Sep 17 00:00:00 2001 From: Siddharth Paudwal Date: Sun, 8 Feb 2026 15:28:31 +0530 Subject: [PATCH 16/19] using unofficial template --- .azuredevops/release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.azuredevops/release.yml b/.azuredevops/release.yml index 6ba1061..fbf2eb6 100644 --- a/.azuredevops/release.yml +++ b/.azuredevops/release.yml @@ -69,7 +69,7 @@ resources: ref: refs/tags/release extends: - template: v1/Office.UnOfficial.PipelineTemplate.yml@OfficePipelineTemplates + template: v1/Office.Unofficial.PipelineTemplate.yml@OfficePipelineTemplates parameters: pool: name: Azure-Pipelines-1ESPT-ExDShared From 9dd1b9e6ebd9c284eaa90d59a036474398cda4a5 Mon Sep 17 00:00:00 2001 From: Siddharth Paudwal Date: Sun, 8 Feb 2026 15:29:55 +0530 Subject: [PATCH 17/19] removed production release job --- .azuredevops/release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.azuredevops/release.yml b/.azuredevops/release.yml index fbf2eb6..5ed1731 100644 --- a/.azuredevops/release.yml +++ b/.azuredevops/release.yml @@ -494,7 +494,7 @@ extends: os: linux templateContext: type: releaseJob - isProduction: true + isProduction: false inputs: - input: pipelineArtifact artifactName: azureauth-${{ parameters.version }}-packaged From b40ebb6d1987b8b574c1f3b12b2b3fdd4a03676b Mon Sep 17 00:00:00 2001 From: Siddharth Paudwal Date: Sun, 8 Feb 2026 16:43:36 +0530 Subject: [PATCH 18/19] removing guardian task --- .azuredevops/release.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.azuredevops/release.yml b/.azuredevops/release.yml index 5ed1731..0e09cfe 100644 --- a/.azuredevops/release.yml +++ b/.azuredevops/release.yml @@ -76,6 +76,7 @@ extends: image: ubuntu-latest os: linux sdl: + enableAllTools: false sourceAnalysisPool: name: Azure-Pipelines-1ESPT-ExDShared image: windows-latest From f1f66837e7352804d4e3d7ad40a429d3b1f9359d Mon Sep 17 00:00:00 2001 From: Siddharth Paudwal Date: Sun, 8 Feb 2026 17:12:48 +0530 Subject: [PATCH 19/19] added win arm64 archive --- .azuredevops/release.yml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/.azuredevops/release.yml b/.azuredevops/release.yml index 0e09cfe..fd2a471 100644 --- a/.azuredevops/release.yml +++ b/.azuredevops/release.yml @@ -359,6 +359,13 @@ extends: includeRootFolder: false archiveType: zip archiveFile: $(artifactsPath)-packaged/azureauth-${{ parameters.version }}-win-x64.zip + - task: ArchiveFiles@2 + displayName: Create win-arm64 archive + inputs: + rootFolderOrFile: $(artifactsPath)-win-arm64-signed/AzureAuth + includeRootFolder: false + archiveType: zip + archiveFile: $(artifactsPath)-packaged/azureauth-${{ parameters.version }}-win-arm64.zip - task: Bash@3 displayName: Prepare osx-x64 executables inputs: