Copilot AI commented Jan 13, 2026

The deployment pipeline clones a third-party Go repository and builds a publisher tool for MCP registry authentication. This approach introduces security exposure and maintenance overhead.

Changes

New file: eng/scripts/Publish-McpRegistry.ps1

  • Implements DNS authentication with Azure Key Vault ECDSA P-384 signing
  • Direct REST API calls to Azure Key Vault (Get Key, Sign) and MCP registry (auth, publish)
  • Replaces ~100 lines of Go build orchestration with 255 lines of PowerShell cryptographic primitives

Key implementation details:

# Authentication flow
Get-AzureKeyVaultPublicKey           # Retrieve EC P-384 public key
Get-CompressedPublicKey              # Format for DNS proof record
Invoke-AzureKeyVaultSign             # Sign SHA-384 digest with ES384
Get-McpRegistryToken                 # Exchange signature for JWT
Publish-McpServerJson                # POST to /v0/publish with Bearer token

Updated: eng/scripts/Deploy-ServerJson.ps1

  • Removed Go installation, repo cloning, and build steps
  • Removed BuildOnly parameter
  • Direct function calls to Publish-ToMcpRegistry

Updated: eng/pipelines/templates/jobs/update-mcp-repository.yml

  • Task display name reflects PowerShell implementation

Authentication Flow

Mirrors the Go implementation's DNS + Azure Key Vault flow:

  1. Retrieve ECDSA P-384 public key via Azure Key Vault REST API
  2. Generate RFC3339 timestamp, compute SHA-384 hash
  3. Sign hash with Azure Key Vault (ES384), convert base64url → hex
  4. Exchange at /v0/auth/dns for JWT token
  5. Publish server.json to /v0/publish with Bearer token

Requires Az.Accounts module (available in AzureCLI@2 task environment).

Original prompt

This section details the original issue you should resolve

<issue_title>Look at replacing MCP's go based publisher tool with powershell</issue_title>
<issue_description>Our deployment steps for the central mcp registry involve cloning a 3rd party repo and building a go tool to publish server.json files. I suspect the API call is just signed with our keyvault based private key or we're using the key to mint a bearer token.

Replacing that process with powershell scripts in our repo would reduce our security exposure at the cost of owning maintenance for our own publishing script.</issue_description>

<agent_instructions>update the Deploy-ServerJson.ps1 script to make direct rest calls to the MCP staging registry as opposed to building the golang publisher and invoking it to make the authenticated http request. Base your implementation on the dns + azure-key-vault codepath through https://github.com/modelcontextprotocol/registry/tree/main/cmd/publisher</agent_instructions>

Comments on the Issue (you are @copilot in this section)

@joelverhagen I implemented the Go based authentication code for ECDSA P-384 in both the publish tool and auth endpoint. It should be possible to do this in PowerShell. Something needs to compute a timestamp, hash it using SHA-384, and sign the digest with Azure KV sign endpoint. There are other parameters but that's the "tricky" part. @hallipr I think we have some existing powershell scripts that do token minting and KV signing for doing GitHub app installation auth. Maybe that's also sha-384 and we can just borrow that.
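The steps listed under "Authentication Flow" above (SHA-384 over an RFC3339 timestamp, ES384 signing, base64url to hex, compressed public key for the DNS proof) are shown below as an added, self-contained example. It is not the PR's Publish-McpRegistry.ps1 and not code from the registry project: an ECDSA P-384 key generated in-process stands in for the Azure Key Vault key, so no Key Vault or registry call is made, and the JSON field names for the /v0/auth/dns body (`domain`, `timestamp`, `signed_timestamp`) are assumptions, not taken from this page. The real Key Vault sign operation it imitates is `POST {vault}/keys/{name}/{version}/sign?api-version=7.4` with `{"alg":"ES384","value":"<base64url digest>"}`, which returns the IEEE P1363 `r||s` signature in base64url.

```powershell
# Added example: local simulation of the DNS + Key Vault ES384 flow. Not the PR's script.
using namespace System.Security.Cryptography

function ConvertTo-Base64Url([byte[]]$Bytes) {
    # Key Vault returns signatures and key material as base64url (RFC 4648, section 5).
    [Convert]::ToBase64String($Bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}

function ConvertFrom-Base64Url([string]$Text) {
    # Restore standard alphabet and padding before decoding.
    $s = $Text.Replace('-', '+').Replace('_', '/')
    $s += '=' * ((4 - $s.Length % 4) % 4)
    [Convert]::FromBase64String($s)
}

function ConvertTo-Hex([byte[]]$Bytes) {
    # Step 3 of the flow: the registry is sent the signature as lowercase hex.
    [BitConverter]::ToString($Bytes).Replace('-', '').ToLowerInvariant()
}

function Get-CompressedPublicKey([ECDsa]$Key) {
    # SEC1 compressed point: 0x02 when Y is even, 0x03 when odd, followed by X (48 bytes for P-384).
    # This is the form the description says goes into the DNS proof record.
    $q = $Key.ExportParameters($false).Q
    $prefix = if (($q.Y[-1] % 2) -eq 0) { 0x02 } else { 0x03 }
    [byte[]](@($prefix) + $q.X)
}

function Get-TimestampDigest([string]$Timestamp) {
    # Step 2: SHA-384 over the UTF-8 bytes of the RFC3339 timestamp string.
    [SHA384]::Create().ComputeHash([Text.Encoding]::UTF8.GetBytes($Timestamp))
}

function Invoke-LocalSign([ECDsa]$Key, [byte[]]$Digest) {
    # Stand-in for the Key Vault sign call (alg ES384 over a precomputed digest).
    # SignHash returns IEEE P1363 r||s, which is also what Key Vault returns, base64url-encoded.
    ConvertTo-Base64Url $Key.SignHash($Digest)
}

# ---- run the flow with a locally generated key standing in for Key Vault ----
$key = [ECDsa]::Create([System.Security.Cryptography.ECCurve+NamedCurves]::nistP384)
$timestamp = [DateTime]::UtcNow.ToString('yyyy-MM-ddTHH:mm:ssZ')   # RFC3339, UTC
[byte[]]$digest   = Get-TimestampDigest $timestamp
$sigB64Url        = Invoke-LocalSign $key $digest
[byte[]]$sigBytes = ConvertFrom-Base64Url $sigB64Url

# Check the decoded signature before it leaves the machine: P-384 r||s is exactly 96 bytes,
# and it must verify against the public key we are about to publish in DNS.
if ($sigBytes.Length -ne 96) { throw "expected a 96-byte r||s signature, got $($sigBytes.Length)" }
if (-not $key.VerifyHash($digest, $sigBytes)) { throw 'signature does not verify against the public key' }

[byte[]]$compressed = Get-CompressedPublicKey $key
$publicKeyForDns = [Convert]::ToBase64String($compressed)   # 49 bytes -> base64 for the TXT record

# Step 4: body for POST /v0/auth/dns. Field names are assumed, not taken from this page.
$authBody = [ordered]@{
    domain           = 'example.invalid'      # placeholder domain
    timestamp        = $timestamp
    signed_timestamp = ConvertTo-Hex $sigBytes
} | ConvertTo-Json

Write-Host "compressed public key (base64) for DNS proof: $publicKeyForDns"
Write-Host "auth request body (assumed field names):`n$authBody"
```

Running this under PowerShell 7 prints the compressed key and a request body; replacing `Invoke-LocalSign` with the Key Vault sign call and `$key`'s public parameters with the Get Key response is the only change needed to drive the real endpoints. The length and VerifyHash checks are worth keeping in the production script: they catch a wrong `alg` or a DER-encoded signature (which is not 96 bytes) before a malformed proof is sent to the registry.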


Copilot AI changed the title [WIP] Replace MCP's Go based publisher with PowerShell scripts Replace Go-based MCP publisher with native PowerShell implementation Jan 13, 2026
Copilot AI requested a review from hallipr January 13, 2026 23:45
hallipr commented Jan 14, 2026

@conniey and @joelpineiro , this looks right to me. You?
