Wire CLI archive verification into CI pipelines

Add post-signing verification steps to both build_sign_native.yml
(macOS/Linux) and BuildAndTest.yml (Windows) that run the verification
scripts after the CLI archives are built and signed.

Verification runs for RIDs that can fully execute on the build agent:
  - macOS (Apple Silicon): osx-arm64 only
  - Linux (amd64): linux-x64 only
  - Windows: win-x64

This ensures that signing/permissions regressions (like the ones fixed
in this PR) are caught during the official build before release.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: radical

eng/pipelines/templates/BuildAndTest.yml

@@ -92,6 +92,27 @@ steps:
               /p:BuildExtension=true
       displayName: 🟣Build
 
+    # Verify the signed win-x64 CLI archive works (version check + project creation + build)
+    - pwsh: |
+        $ErrorActionPreference = 'Stop'
+        $archiveDir = "${{ parameters.repoArtifactsPath }}/packages/${{ parameters.buildConfig }}"
+        $archive = Get-ChildItem -Path $archiveDir -Filter "aspire-cli-win-x64-*.zip" -Recurse -ErrorAction SilentlyContinue | Select-Object -First 1
+        if (-not $archive) {
+          Write-Host "##[warning]No win-x64 CLI archive found - skipping verification"
+          exit 0
+        }
+        Write-Host "Found archive: $($archive.FullName)"
+        & "$(Build.SourcesDirectory)/eng/scripts/verify-cli-archive.ps1" -ArchivePath $archive.FullName
+        if ($LASTEXITCODE -ne 0) {
+          Write-Host "##[error]CLI archive verification failed"
+          exit 1
+        }
+      displayName: 🟣Verify CLI archive (win-x64)
+      condition: succeeded()
+      env:
+        ASPIRE_CLI_TELEMETRY_OPTOUT: 'true'
+        DOTNET_CLI_TELEMETRY_OPTOUT: 'true'
+
     # Log MicroBuild environment for debugging
     # MicroBuildOutputFolderOverride is set by the MicroBuildSigningPlugin task in eng/common/templates-official/job/onelocbuild.yml
     # which is installed via the Arcade SDK's install-microbuild.yml template that runs before our build steps.

eng/pipelines/templates/build_sign_native.yml

@@ -140,6 +140,29 @@ jobs:
             env:
               SYSTEM_ACCESSTOKEN: $(System.AccessToken) # Needed for the signing task
 
+          # Verify the signed CLI archive can execute and create a project.
+          # Run for RIDs that can fully execute on the build agent:
+          #   macOS (Apple Silicon): osx-arm64 only (osx-x64 via Rosetta can run the CLI
+          #     but aspire-managed template resolution fails)
+          #   Linux (amd64): linux-x64 only (linux-arm64/linux-musl-x64 are cross-compiled)
+          - ${{ if or(and(eq(parameters.agentOs, 'macos'), eq(targetRid, 'osx-arm64')), and(eq(parameters.agentOs, 'linux'), eq(targetRid, 'linux-x64'))) }}:
+            - script: |
+                set -euo pipefail
+                echo "Finding CLI archive for ${{ targetRid }}..."
+                ARCHIVE=$(find "$(Build.SourcesDirectory)/artifacts/packages/$(_BuildConfig)" -name "aspire-cli-${{ targetRid }}-*.tar.gz" -type f | head -1)
+                if [ -z "$ARCHIVE" ]; then
+                  echo "##[error]No CLI archive found for ${{ targetRid }}"
+                  exit 1
+                fi
+                echo "Found archive: $ARCHIVE"
+                chmod +x "$(Build.SourcesDirectory)/eng/scripts/verify-cli-archive.sh"
+                "$(Build.SourcesDirectory)/eng/scripts/verify-cli-archive.sh" "$ARCHIVE"
+              displayName: 🟣Verify CLI archive (${{ targetRid }})
+              condition: succeeded()
+              env:
+                ASPIRE_CLI_TELEMETRY_OPTOUT: 'true'
+                DOTNET_CLI_TELEMETRY_OPTOUT: 'true'
+
           - task: 1ES.PublishBuildArtifacts@1
             displayName: 🟣Publish Artifacts
             condition: always()