Downloading Extension Certificates from Azure DevOps Marketplace programmatically

Phong Cao
Feb 14, 2022

When a back-end service receives requests from an extension, it needs to verify that those calls really come from your extension running in Azure DevOps. To do that, you can download your extension’s certificate by signing in to Azure DevOps Marketplace and then install it on your back-end service. These certificates are unique and are generated when the extensions are published. More details about authentication can be found here.

Existing CLI tools

At the time of writing, neither the Node CLI for Azure DevOps (tfx-cli) nor the Azure DevOps Extension for Azure CLI supports downloading certificates:

(Screenshot: supported commands of tfx-cli and the AzDO Extension CLI.)

Fortunately, this can be achieved by using the REST API.

Using REST API to download certificates

The first step is preparing an authorization token.

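#!/bin/bash
# `$pat`: Your personal access token
# Encode ":<PAT>" (empty user name, PAT as password); strip newlines in case base64 wraps long output
pat_b64=$(echo -n ":$pat" | base64 | tr -d '\n')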

You can create a Personal Access Token from your Azure DevOps Organization. Note that the token needs to be Base64-encoded so that it can be sent later in the authorization header of the REST API request.

The second step is constructing the REST endpoint.

#!/bin/bash
# `$publisher`: Your Publisher ID
# `$extension`: Your Extension ID
# `$version`: Your Extension Version. This doesn't need to be the latest version. Any older version that used to be published also works (e.g. `0.0.1`, `0.0.2`).
url="https://marketplace.visualstudio.com/_apis/gallery/publishers/$publisher/extensions/$extension/certificates/$version"

Although the REST endpoint is undocumented, you can find it being used in the Azure DevOps Extension API source code.

Finally, you can use curl to send a GET request and retrieve your extension’s certificate programmatically.

#!/bin/bash
# Send the GET request with the Base64-encoded PAT as a Basic authorization header
curl -s -X GET "$url" \
  -H "accept: application/json; api-version=5.2-preview.1" \
  -H "authorization: Basic $pat_b64" \
  -H "cache-control: no-cache" \
  -H "content-type: application/json"
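
The three steps above combined into one hardened script, as an added example that is not part of the original post: it validates the URL components, keeps the PAT out of the process list by passing the authorization header to curl on stdin, fails on HTTP errors, and writes the result to an owner-only file. The function names, the allowed character set for the IDs and the output file argument are assumptions made for this example.

```shell
#!/bin/bash
# Added example: hardened wrapper around the three steps above.
# Function names, the ID allowlist and the output path are assumptions,
# not part of any Azure DevOps tooling.

# Base64 of ":<pat>" (empty user name, PAT as password) on a single line.
basic_auth_value() {
  printf ':%s' "$1" | base64 | tr -d '\n'
}

# Build the endpoint URL, refusing values that could alter the path or query.
cert_url() {
  local part
  for part in "$1" "$2" "$3"; do
    case "$part" in
      ''|.|..|*[!A-Za-z0-9._-]*)
        echo "invalid URL component: '$part'" >&2
        return 1 ;;
    esac
  done
  printf 'https://marketplace.visualstudio.com/_apis/gallery/publishers/%s/extensions/%s/certificates/%s' \
    "$1" "$2" "$3"
}

# usage: download_cert PAT PUBLISHER EXTENSION VERSION OUTFILE
download_cert() {
  local url auth
  url=$(cert_url "$2" "$3" "$4") || return 1
  auth=$(basic_auth_value "$1")
  (
    umask 077   # output file readable by the owner only
    # printf is a shell builtin, so the header never appears in any argv;
    # curl reads it as a config line from stdin (--config -).
    printf 'header = "authorization: Basic %s"\n' "$auth" |
      curl --config - --silent --show-error --fail --proto '=https' \
           -H "accept: application/json; api-version=5.2-preview.1" \
           --output "$5" "$url"
  )
}

# Example call (values come from your own environment):
#   download_cert "$pat" "$publisher" "$extension" "$version" ./extension-cert.out
```

Because of `--fail`, a rejected token or a wrong version makes `download_cert` return non-zero, so check its exit status before installing the result on the back-end service.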
