Add support to publish servers as MCP Bundles

[vcolin7]

What does this PR do?

This PR implements end-to-end MCPB (MCP Bundle) packaging and signing infrastructure using Microsoft's ESRP (Enterprise Signing and Release Pipeline) service. MCPB is a standardized bundle format for distributing MCP servers, similar to Chrome extensions (.crx) or VS Code extensions (.vsix).

Documentation

• Added comprehensive design documentation for MCPB signing via ESRP (mcpb-signing-via-esrp.md)
• Updated eng/README to include MCPB

PowerShell Scripts

• Added:
  • Pack-Mcpb.ps1 - Packages trimmed and self-contained server binaries into MCPB format
  • Stage-McpbForSigning.ps1 - Prepares MCPB files for ESRP signing
  • Apply-McpbSignatures.ps1 - Applies ESRP detached signatures to MCPB files
  • Verify-McpbSignatures.ps1 - Validates MCPB signatures
  • Update-ServerJsonMcpbHashes.ps1 - Updates server.json with MCPB hashes
• Updated:
  • New-ServerJson.ps1 - Added entries for MCPB files

Pipeline Templates

• Added:
  • pack-and-sign-mcpb.yml - Main packaging and signing job
  • release-mcpb.yml - Release MCPB files to GitHub releases
• Updated:
  • common.yml
  • release.yml
  • sign-and-pack.yml
  • update-mcp-repository.yml
  • Each server's build.yml
  • 1es-reditect - Fixed issue with Go package downloads. Module downloads now go through Microsoft's internal proxy server instead of going directly to the public internet (proxy.golang.org).

Server Manifests

• Added a manifest.json for all servers. These files serve as a base that gets updated during release to include the most recent server metadata (version, tools, etc.).
• Updated server.json for Azure and Template servers to list MCP Bundles in the official MCP registry.

Testing

• MCPB packaging produces valid bundles for all servers
• ESRP signing workflow completes successfully
• mcpb verify validates signed bundles
• GitHub release includes signed MCPB files
• Official MCP Registry shows MCPB entries for Template MCP Server

GitHub issue number?

Fixes: #128

Pre-merge Checklist

• Required for All PRs
  • Read contribution guidelines
  • PR title clearly describes the change
  • Commit history is clean with descriptive messages (cleanup guide)
  • Added comprehensive tests for new/modified functionality
  • Updated servers/Azure.Mcp.Server/CHANGELOG.md and/or servers/Fabric.Mcp.Server/CHANGELOG.md for product changes (features, bug fixes, UI/UX, updated dependencies)
• For MCP tool changes:
  • One tool per PR: This PR adds or modifies only one MCP tool for faster review cycles
  • Updated servers/Azure.Mcp.Server/README.md and/or servers/Fabric.Mcp.Server/README.md documentation
  • Validate README.md changes using script at eng/scripts/Process-PackageReadMe.ps1. See Package README
  • Updated command list in /servers/Azure.Mcp.Server/docs/azmcp-commands.md and/or /docs/fabric-commands.md
  • Run .\eng\scripts\Update-AzCommandsMetadata.ps1 to update tool metadata in azmcp-commands.md (required for CI)
  • For new or modified tool descriptions, ran ToolDescriptionEvaluator and obtained a score of 0.4 or more and a top 3 ranking for all related test prompts
  • For tools with new names, including new tools or renamed tools, update consolidated-tools.json
  • For new tools associated with Azure services or publicly available tools/APIs/products, add URL to documentation in the PR description
• Extra steps for Azure MCP Server tool changes:
  • Updated test prompts in /servers/Azure.Mcp.Server/docs/e2eTestPrompts.md
  • 👉 For Community (non-Microsoft team member) PRs:
    • Security review: Reviewed code for security vulnerabilities, malicious code, or suspicious activities before running tests (crypto mining, spam, data exfiltration, etc.)
    • Manual tests run: added comment /azp run mcp - pullrequest - live to run Live Test Pipeline

[Copilot]

Pull request overview

This PR introduces end-to-end infrastructure to package MCP servers as MCP Bundles (.mcpb), sign them via ESRP detached PKCS#7 signing, publish bundles to GitHub Releases, and surface MCPB entries in server.json (including SHA256 hash updates during publishing).

Changes:

• Added MCPB packaging/signing PowerShell scripts and new pipeline job templates to pack, sign, verify, and publish .mcpb artifacts.
• Added per-server MCPB manifests/icons and updated server registry metadata (server.json) to include MCPB package entries.
• Added/updated documentation describing MCPB packaging/signing and updated engineering docs/pipeline parameters to support PackageMCPB.

Reviewed changes

Copilot reviewed 24 out of 28 changed files in this pull request and generated 10 comments.

Show a summary per file

File	Description
servers/Template.Mcp.Server/server.json	Adds MCPB package entries (URLs + SHA placeholders) to registry metadata.
servers/Template.Mcp.Server/mcpb/servericon.png	Adds MCPB icon asset for Template server.
servers/Template.Mcp.Server/mcpb/manifest.json	Adds MCPB bundle manifest for Template server.
servers/Template.Mcp.Server/build.yml	Introduces PackageMCPB parameter wiring for Template pipeline.
servers/Fabric.Mcp.Server/mcpb/servericon.png	Adds MCPB icon asset for Fabric server.
servers/Fabric.Mcp.Server/mcpb/manifest.json	Adds MCPB bundle manifest for Fabric server.
servers/Fabric.Mcp.Server/build.yml	Introduces PackageMCPB parameter wiring for Fabric pipeline.
servers/Azure.Mcp.Server/server.json	Adds MCPB package entries (URLs + SHA placeholders) to registry metadata.
servers/Azure.Mcp.Server/mcpb/servericon.png	Adds MCPB icon asset for Azure server.
servers/Azure.Mcp.Server/mcpb/manifest.json	Adds MCPB bundle manifest for Azure server.
servers/Azure.Mcp.Server/changelog-entries/1770669516879.yaml	Adds changelog entry noting MCPB support.
servers/Azure.Mcp.Server/build.yml	Enables PackageMCPB by default for Azure pipeline.
eng/scripts/Verify-McpbSignatures.ps1	Adds MCPB signature verification script (mcpb info/verify).
eng/scripts/Update-ServerJsonMcpbHashes.ps1	Adds script to compute SHA256 for signed bundles and update server.json.
eng/scripts/Stage-McpbForSigning.ps1	Adds staging script for ESRP detached signing workflow.
eng/scripts/Pack-Mcpb.ps1	Adds packaging script to generate .mcpb bundles from trimmed binaries + manifests.
eng/scripts/New-ServerJson.ps1	Updates server.json generation to populate MCPB download URLs.
eng/scripts/Apply-McpbSignatures.ps1	Adds script to embed detached PKCS#7 signatures into MCPB format.
eng/pipelines/templates/jobs/update-mcp-repository.yml	Updates MCP repository publish job to apply MCPB SHA256 hashes.
eng/pipelines/templates/jobs/sign-and-pack.yml	Adds PackageMCPB parameter and MCPB pack/sign job inclusion.
eng/pipelines/templates/jobs/release.yml	Adds MCPB publishing job and wires MCPB into release flow.
eng/pipelines/templates/jobs/mcpb/release-mcpb.yml	Adds job template to upload signed .mcpb assets to GitHub Releases.
eng/pipelines/templates/jobs/mcpb/pack-and-sign-mcpb.yml	Adds job template to pack, ESRP-sign, apply signatures, and verify MCPB bundles.
eng/pipelines/templates/common.yml	Plumbs PackageMCPB parameter through common pipeline template.
eng/pipelines/templates/1es-redirect.yml	Enables 1ES golang internal module proxy feature flag.
eng/README.md	Documents MCPB artifact type and related scripts/pipelines.
docs/design/mcpb-packaging-and-signing-via-esrp.md	Adds detailed design document for MCPB packaging/signing via ESRP.
.gitignore	Ignores .vscode/settings.json.