29 changed files with 421 additions and 802 deletions
--- a/.ci/apt-internal.gitlab-ci.yml
+++ b/.ci/apt-internal.gitlab-ci.yml
@ -1,151 +0,0 @@
 .register_inputs: &register_inputs
  stage: release-internal
  runOnBranches: "^master$"
  COMPONENT: "common"
 .register_inputs_stable_bookworm: &register_inputs_stable_bookworm
  <<: *register_inputs
  runOnChangesTo: ['RELEASE_NOTES']
  FLAVOR: "bookworm"
  SERIES: "stable"
 .register_inputs_stable_trixie: &register_inputs_stable_trixie
  <<: *register_inputs
  runOnChangesTo: ['RELEASE_NOTES']
  FLAVOR: "trixie"
  SERIES: "stable"
 .register_inputs_next_bookworm: &register_inputs_next_bookworm
  <<: *register_inputs
  FLAVOR: "bookworm"
  SERIES: next
 .register_inputs_next_trixie: &register_inputs_next_trixie
  <<: *register_inputs
  FLAVOR: "trixie"
  SERIES: next
 ################################################
 ### Generate Debian Package for Internal APT ###
 ################################################
 .cloudflared-apt-build: &cloudflared_apt_build
  stage: package
  needs:
    - ci-image-get-image-ref
    - linux-packaging # For consistency, we only run this job after we knew we could build the packages for external delivery
  image: $BUILD_IMAGE
  cache: {}
  script:
    - make cloudflared-deb
  artifacts:
    paths:
      - cloudflared*.deb
 ##############
 ### Stable ###
 ##############
 cloudflared-amd64-stable:
  <<: *cloudflared_apt_build
  rules:
    - !reference [.default-rules, run-on-release]
  variables: &amd64-stable-vars
    GOOS: linux
    GOARCH: amd64
    FIPS: true
    ORIGINAL_NAME: true
    CGO_ENABLED: 1
 cloudflared-arm64-stable:
  <<: *cloudflared_apt_build
  rules:
    - !reference [.default-rules, run-on-release]
  variables: &arm64-stable-vars
    GOOS: linux
    GOARCH: arm64
    FIPS: false # TUN-7595
    ORIGINAL_NAME: true
    CGO_ENABLED: 1
 ############
 ### Next ###
 ############
 cloudflared-amd64-next:
  <<: *cloudflared_apt_build
  rules:
    - !reference [.default-rules, run-on-master]
  variables:
    <<: *amd64-stable-vars
    NIGHTLY: true
 cloudflared-arm64-next:
  <<: *cloudflared_apt_build
  rules:
    - !reference [.default-rules, run-on-master]
  variables:
    <<: *arm64-stable-vars
    NIGHTLY: true
 include:
  - local: .ci/commons.gitlab-ci.yml
  ##########################################
  ### Publish Packages to Internal Repos ###
  ##########################################
  # Bookworm AMD64
  - component: $CI_SERVER_FQDN/cloudflare/ci/apt-register/register@~latest
    inputs:
      <<: *register_inputs_stable_bookworm
      jobPrefix: cloudflared-bookworm-amd64
      needs: &amd64-stable ["cloudflared-amd64-stable"]
  # Bookworm ARM64
  - component: $CI_SERVER_FQDN/cloudflare/ci/apt-register/register@~latest
    inputs:
      <<: *register_inputs_stable_bookworm
      jobPrefix: cloudflared-bookworm-arm64
      needs: &arm64-stable ["cloudflared-arm64-stable"]
  # Trixie AMD64
  - component: $CI_SERVER_FQDN/cloudflare/ci/apt-register/register@~latest
    inputs:
      <<: *register_inputs_stable_trixie
      jobPrefix: cloudflared-trixie-amd64
      needs: *amd64-stable
  # Trixie ARM64
  - component: $CI_SERVER_FQDN/cloudflare/ci/apt-register/register@~latest
    inputs:
      <<: *register_inputs_stable_trixie
      jobPrefix: cloudflared-trixie-arm64
      needs: *arm64-stable
  ##################################################
  ### Publish Nightly Packages to Internal Repos ###
  ##################################################
  # Bookworm AMD64
  - component: $CI_SERVER_FQDN/cloudflare/ci/apt-register/register@~latest
    inputs:
      <<: *register_inputs_next_bookworm
      jobPrefix: cloudflared-nightly-bookworm-amd64
      needs: &amd64-next ['cloudflared-amd64-next']
  # Bookworm ARM64
  - component: $CI_SERVER_FQDN/cloudflare/ci/apt-register/register@~latest
    inputs:
      <<: *register_inputs_next_bookworm
      jobPrefix: cloudflared-nightly-bookworm-arm64
      needs: &arm64-next ['cloudflared-arm64-next']
  # Trixie AMD64
  - component: $CI_SERVER_FQDN/cloudflare/ci/apt-register/register@~latest
    inputs:
      <<: *register_inputs_next_trixie
      jobPrefix: cloudflared-nightly-trixie-amd64
      needs: *amd64-next
  # Trixie ARM64
  - component: $CI_SERVER_FQDN/cloudflare/ci/apt-register/register@~latest
    inputs:
      <<: *register_inputs_next_trixie
      jobPrefix: cloudflared-nightly-trixie-arm64
      needs: *arm64-next
--- a/.ci/commons.gitlab-ci.yml
+++ b/.ci/commons.gitlab-ci.yml
@ -3,14 +3,14 @@
  # Rules to run the job only on the master branch
  run-on-master:
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
-      when: on_success
+      when: always
    - when: never
  # Rules to run the job only on merge requests
  run-on-mr:
    - if: $CI_COMMIT_TAG
      when: never
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
-      when: on_success
+      when: always
    - when: never
  # Rules to run the job on merge_requests and master branch
  run-always:
@ -18,16 +18,24 @@
      when: never
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
    - if: $CI_COMMIT_BRANCH != null && $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
-      when: on_success
+      when: always
    - when: never
  # Rules to run the job only when a release happens
  run-on-release:
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
      changes:
          - 'RELEASE_NOTES'
      when: on_success
    - when: never
 # This before_script is injected into every job that runs on master meaning that if there is no tag the step
 # will succeed but only write "No tag present - Skipping" to the console.
 .check-tag:
  before_script:
    - |
      # Check if there is a Git tag pointing to HEAD
      echo "Tag found: $(git tag --points-at HEAD | grep .)"
      if git tag --points-at HEAD | grep .; then
        echo "Tag found: $(git tag --points-at HEAD | grep .)"
        export "VERSION=$(git tag --points-at HEAD | grep .)"
      else
        echo "No tag present — skipping."
        exit 0
      fi
 .component-tests:
  image: $BUILD_IMAGE
  rules:
--- a/.ci/image/Dockerfile
+++ b/.ci/image/Dockerfile
@ -7,7 +7,7 @@ RUN apt-get update && \
    apt-get install --no-install-recommends --allow-downgrades -y \
        build-essential \
        git \
-        go-boring=1.24.9-1 \
+        go-boring=1.24.6-1 \
        libffi-dev \
        procps \
        python3-dev \
@ -16,16 +16,7 @@ RUN apt-get update && \
        python3-venv \
        # libmsi and libgcab are libraries the wixl binary depends on.
        libmsi-dev \
-        libgcab-dev \
+        libgcab-dev && \
        # deb and rpm build tools
        rubygem-fpm \
        rpm \
        # create deb and rpm repository files
        reprepro \
        createrepo-c \
        # gcc for cross architecture compilation in arm
        gcc-aarch64-linux-gnu \
        libc6-dev-arm64-cross && \
    rm -rf /var/lib/apt/lists/* && \
    # Install wixl
    curl -o /usr/local/bin/wixl -L https://pkg.cloudflare.com/binaries/wixl && \
--- a/.ci/linux.gitlab-ci.yml
+++ b/.ci/linux.gitlab-ci.yml
@ -5,21 +5,8 @@
  runner: linux-x86-8cpu-16gb
  stage: build
  golangVersion: "boring-1.24"
  imageVersion: "3371-f5539bd6f83d@sha256:a2a68f580070f9411d0d3155959ed63b700ef319b5fcc62db340e92227bbc628"
  CGO_ENABLED: 1
 .default-packaging-job: &packaging-job-defaults
  stage: package
  needs:
    - ci-image-get-image-ref
  rules:
    - !reference [.default-rules, run-on-master]
  image: $BUILD_IMAGE
  cache: {}
  artifacts:
    paths:
      - artifacts/*
 include:
  ###################
  ### Linux Build ###
@ -29,6 +16,7 @@ include:
      <<: *golang_inputs
      jobPrefix: linux-build
      GOLANG_MAKE_TARGET: ci-build
      imageVersion: "3308-283bdf9@sha256:fcd83570c91565a72eab132c38e0f589a481e2f3d4f3779f9f9a93eb555fee4a"
  ########################
  ### Linux FIPS Build ###
@ -38,6 +26,8 @@ include:
      <<: *golang_inputs
      jobPrefix: linux-fips-build
      GOLANG_MAKE_TARGET: ci-fips-build
      imageVersion: "3308-283bdf9@sha256:fcd83570c91565a72eab132c38e0f589a481e2f3d4f3779f9f9a93eb555fee4a"
  #################
  ### Unit Tests ##
@ -48,6 +38,8 @@ include:
      stage: test
      jobPrefix: test
      GOLANG_MAKE_TARGET: ci-test
      imageVersion: "3308-283bdf9@sha256:fcd83570c91565a72eab132c38e0f589a481e2f3d4f3779f9f9a93eb555fee4a"
  ######################
  ### Unit Tests FIPS ##
@ -58,6 +50,8 @@ include:
      stage: test
      jobPrefix: test-fips
      GOLANG_MAKE_TARGET: ci-fips-test
      imageVersion: "3308-283bdf9@sha256:fcd83570c91565a72eab132c38e0f589a481e2f3d4f3779f9f9a93eb555fee4a"
  #################
  ### Vuln Check ##
@ -69,11 +63,13 @@ include:
      stage: validate
      jobPrefix: vulncheck
      GOLANG_MAKE_TARGET: vulncheck
      imageVersion: "3308-283bdf9@sha256:fcd83570c91565a72eab132c38e0f589a481e2f3d4f3779f9f9a93eb555fee4a"
 #################################
 ### Run Linux Component Tests ###
 #################################
-linux-component-tests: &linux-component-tests
+component-tests-linux: &component-tests-linux
  stage: test
  extends: .component-tests
  needs:
@ -83,7 +79,7 @@ linux-component-tests: &linux-component-tests
    - ./.ci/scripts/component-tests.sh
  variables: &component-tests-variables
    CI: 1
-    COMPONENT_TESTS_CONFIG_CONTENT: Y2xvdWRmbGFyZWRfYmluYXJ5OiAuL2Nsb3VkZmxhcmVkCmNyZWRlbnRpYWxzX2ZpbGU6IGNyZWQuanNvbgpvcmlnaW5jZXJ0OiBjZXJ0LnBlbQp6b25lX2RvbWFpbjogYXJnb3R1bm5lbHRlc3QuY29tCnpvbmVfdGFnOiA0ODc5NmYxZTcwYmI3NjY5YzI5YmI1MWJhMjgyYmY2NQ==
+    COMPONENT_TESTS_CONFIG_CONTENT: Y2xvdWRmbGFyZWRfYmluYXJ5OiBjbG91ZGZsYXJlZApjcmVkZW50aWFsc19maWxlOiBjcmVkLmpzb24Kb3JpZ2luY2VydDogY2VydC5wZW0Kem9uZV9kb21haW46IGFyZ290dW5uZWx0ZXN0LmNvbQp6b25lX3RhZzogNDg3OTZmMWU3MGJiNzY2OWMyOWJiNTFiYTI4MmJmNjU=
  tags:
    - linux-x86-8cpu-16gb
  artifacts:
@ -93,30 +89,11 @@ linux-component-tests: &linux-component-tests
 ######################################
 ### Run Linux FIPS Component Tests ###
 ######################################
-linux-component-tests-fips:
+component-tests-linux-fips:
-  <<: *linux-component-tests
+  <<: *component-tests-linux
  needs:
    - ci-image-get-image-ref
    - linux-fips-build-boring-make
  variables:
    <<: *component-tests-variables
    COMPONENT_TESTS_FIPS: 1
 ################################
 ####### Linux Packaging ########
 ################################
 linux-packaging:
  <<: *packaging-job-defaults
  parallel:
    matrix:
      - ARCH: ["386", "amd64", "arm", "armhf", "arm64"]
  script:
    - ./.ci/scripts/linux/build-packages.sh ${ARCH}
 ################################
 ##### Linux FIPS Packaging #####
 ################################
 linux-packaging-fips:
  <<: *packaging-job-defaults
  script:
    - ./.ci/scripts/linux/build-packages-fips.sh
--- a/.ci/mac.gitlab-ci.yml
+++ b/.ci/mac.gitlab-ci.yml
@ -17,7 +17,7 @@ include:
 ######################################
 ### Build Cloudflared Mac Binaries ###
 ######################################
-macos-build-cloudflared: &mac-build
+build-cloudflared-macos: &build-mac
  <<: *mac-build-defaults
  stage: build
  artifacts:
@ -38,8 +38,8 @@ macos-build-cloudflared: &mac-build
 ###############################################
 ### Build and Sign Cloudflared Mac Binaries ###
 ###############################################
-macos-build-and-sign-cloudflared:
+build-and-sign-cloudflared-macos:
-  <<: *mac-build
+  <<: *build-mac
  rules:
    - !reference [.default-rules, run-on-master]
  secrets:
--- a/.ci/release.gitlab-ci.yml
+++ b/.ci/release.gitlab-ci.yml
@ -1,48 +1,26 @@
 include:
  - local: .ci/commons.gitlab-ci.yml
-  ######################################
+###########################################
-  ### Build and Push DockerHub Image ###
+### Push Cloudflared Binaries to Github ###
-  ######################################
+###########################################
-  - component: $CI_SERVER_FQDN/cloudflare/ci/docker-image/build-push-image@~latest
+release-cloudflared-to-github:
    inputs:
      stage: release
      jobPrefix: docker-hub
      runOnMR: false
      runOnBranches: '^master$'
      runOnChangesTo: ['RELEASE_NOTES']
      needs:
        - generate-version-file
        - release-cloudflared-to-r2
      commentImageRefs: false
      runner: vm-linux-x86-4cpu-8gb
      # Based on if the CI reference is protected or not the CI component will
      # either use _BRANCH or _PROD, therefore, to prevent the pipelines from failing
      # we simply set both to the same value.
      DOCKER_USER_BRANCH: &docker-hub-user svcgithubdockerhubcloudflar045
      DOCKER_PASSWORD_BRANCH: &docker-hub-password gitlab/cloudflare/tun/cloudflared/_dev/dockerhub/svc_password/data
      DOCKER_USER_PROD: *docker-hub-user
      DOCKER_PASSWORD_PROD: *docker-hub-password
      EXTRA_DIB_ARGS: --overwrite
 .default-release-job: &release-job-defaults
  stage: release
  image: $BUILD_IMAGE
  extends: .check-tag
  needs:
    - ci-image-get-image-ref
    - package-windows
    - build-and-sign-cloudflared-macos
  rules:
    - !reference [.default-rules, run-on-master]
  cache:
    paths:
      - .cache/pip
-  variables: &release-job-variables
+  variables:
    PIP_CACHE_DIR: "$CI_PROJECT_DIR/.cache/pip"
    # KV Vars
    KV_NAMESPACE: 380e19aa04314648949b6ad841417ebe
-    KV_ACCOUNT: &cf-account 5ab4e9dfbd435d24068829fda0077963
+    KV_ACCOUNT: 5ab4e9dfbd435d24068829fda0077963
    # R2 Vars
    R2_BUCKET: cloudflared-pkgs
    R2_ACCOUNT_ID: *cf-account
    # APT and RPM Repository Vars
    GPG_PUBLIC_KEY_URL: "https://pkg.cloudflare.com/cloudflare-ascii-pubkey.gpg"
    PKG_URL: "https://pkg.cloudflare.com/cloudflared"
    BINARY_NAME: cloudflared
  secrets:
    KV_API_TOKEN:
      vault: gitlab/cloudflare/tun/cloudflared/_dev/cfd_kv_api_token/data@kv
@ -50,84 +28,12 @@ include:
    API_KEY:
      vault: gitlab/cloudflare/tun/cloudflared/_dev/cfd_github_api_key/data@kv
      file: false
    R2_CLIENT_ID:
      vault: gitlab/cloudflare/tun/cloudflared/_dev/_terraform_atlantis/r2_api_token/client_id@kv
      file: false
    R2_CLIENT_SECRET:
      vault: gitlab/cloudflare/tun/cloudflared/_dev/_terraform_atlantis/r2_api_token/client_secret@kv
      file: false
    LINUX_SIGNING_PUBLIC_KEY:
      vault: gitlab/cloudflare/tun/cloudflared/_dev/gpg_v1/public_key@kv
      file: false
    LINUX_SIGNING_PRIVATE_KEY:
      vault: gitlab/cloudflare/tun/cloudflared/_dev/gpg_v1/private_key@kv
      file: false
    LINUX_SIGNING_PUBLIC_KEY_2:
      vault: gitlab/cloudflare/tun/cloudflared/_dev/gpg_v2/public_key@kv
      file: false
    LINUX_SIGNING_PRIVATE_KEY_2:
      vault: gitlab/cloudflare/tun/cloudflared/_dev/gpg_v2/private_key@kv
      file: false
 ###########################################
 ### Push Cloudflared Binaries to Github ###
 ###########################################
 release-cloudflared-to-github:
  <<: *release-job-defaults
  rules:
    - !reference [.default-rules, run-on-release]
  needs:
    - ci-image-get-image-ref
    - linux-packaging
    - linux-packaging-fips
    - macos-build-and-sign-cloudflared
    - windows-package-sign
  script:
-    - ./.ci/scripts/release-target.sh github-release
+    - python3 --version ; pip --version  # For debugging
-
+    - python3 -m venv venv
-#########################################
+    - source venv/bin/activate
-### Upload Cloudflared Binaries to R2 ###
+    - pip install pynacl==1.4.0 pygithub==1.55
-#########################################
+    - echo $VERSION
-release-cloudflared-to-r2:
+    - echo $TAG_EXISTS
-  <<: *release-job-defaults
+    - echo "Running release because tag exists."
-  rules:
+    - make gitlab-release
    - !reference [.default-rules, run-on-release]
  needs:
    - ci-image-get-image-ref
    - linux-packaging # We only release non-FIPS binaries to R2
    - release-cloudflared-to-github
  script:
    - ./.ci/scripts/release-target.sh r2-linux-release
 #################################################
 ### Upload Cloudflared Nightly Binaries to R2 ###
 #################################################
 release-cloudflared-nightly-to-r2:
  <<: *release-job-defaults
  rules:
    - !reference [.default-rules, run-on-master]
  variables:
    <<: *release-job-variables
    R2_BUCKET: cloudflared-pkgs-next
    GPG_PUBLIC_KEY_URL: "https://next.pkg.cloudflare.com/cloudflare-ascii-pubkey.gpg"
    PKG_URL: "https://next.pkg.cloudflare.com/cloudflared"
  needs:
    - ci-image-get-image-ref
    - linux-packaging # We only release non-FIPS binaries to R2
  script:
    - ./.ci/scripts/release-target.sh r2-linux-release
 #############################
 ### Generate Version File ###
 #############################
 generate-version-file:
  <<: *release-job-defaults
  rules:
    - !reference [.default-rules, run-on-release]
  needs:
    - ci-image-get-image-ref
  script:
    - make generate-docker-version
  artifacts:
    paths:
      - versions
--- a/.ci/scripts/linux/build-packages.sh
+++ b/.ci/scripts/linux/build-packages.sh
@ -1,59 +0,0 @@
 #!/bin/bash
 # Check if architecture argument is provided
 if [ $# -eq 0 ]; then
    echo "Error: Architecture argument is required"
    echo "Usage: $0 <architecture>"
    exit 1
 fi
 # Parameters
 arch=$1
 # Get Version
 VERSION=$(git describe --tags --always --match "[0-9][0-9][0-9][0-9].*.*")
 echo $VERSION
 # Disable FIPS module in go-boring
 export GOEXPERIMENT=noboringcrypto
 export CGO_ENABLED=0
 # This controls the directory the built artifacts go into
 export ARTIFACT_DIR=artifacts/
 mkdir -p $ARTIFACT_DIR
 export TARGET_OS=linux
 unset TARGET_ARM
 export TARGET_ARCH=$arch
 ## Support for arm platforms without hardware FPU enabled
 if [[ $arch == arm ]] ; then
    export TARGET_ARCH=arm
    export TARGET_ARM=5
 fi
 ## Support for armhf builds
 if [[ $arch == armhf ]] ; then
    export TARGET_ARCH=arm
    export TARGET_ARM=7
 fi
 make cloudflared-deb
 mv cloudflared\_$VERSION\_$arch.deb $ARTIFACT_DIR/cloudflared-linux-$arch.deb
 # rpm packages invert the - and _ and use x86_64 instead of amd64.
 RPMVERSION=$(echo $VERSION|sed -r 's/-/_/g')
 RPMARCH=$arch
 if [ $arch == "amd64" ];then
    RPMARCH="x86_64"
 fi
 if [ $arch == "arm64" ]; then
    RPMARCH="aarch64"
 fi
 make cloudflared-rpm
 mv cloudflared-$RPMVERSION-1.$RPMARCH.rpm $ARTIFACT_DIR/cloudflared-linux-$RPMARCH.rpm
 # finally move the linux binary as well.
 mv ./cloudflared $ARTIFACT_DIR/cloudflared-linux-$arch
--- a/.ci/scripts/release-target.sh
+++ b/.ci/scripts/release-target.sh
@ -1,18 +0,0 @@
 #!/bin/bash
 set -e -o pipefail
 # Check if a make target is provided as an argument
 if [ $# -eq 0 ]; then
    echo "Error: Make target argument is required"
    echo "Usage: $0 <make-target>"
    exit 1
 fi
 MAKE_TARGET=$1
 python3 -m venv venv
 source venv/bin/activate
 # Our release scripts are written in python, so we should install their dependecies here.
 pip install pynacl==1.4.0 pygithub==1.55 boto3==1.22.9 python-gnupg==0.4.9
 make $MAKE_TARGET
--- a/.ci/scripts/windows/builds.ps1
+++ b/.ci/scripts/windows/builds.ps1
@ -4,7 +4,6 @@ $ProgressPreference = "SilentlyContinue"
 $env:TARGET_OS = "windows"
 $env:LOCAL_OS = "windows"
 $TIMESTAMP_RFC3161 = "http://timestamp.digicert.com"
 New-Item -Path ".\artifacts" -ItemType Directory
@ -14,8 +13,6 @@ $env:LOCAL_ARCH = "amd64"
 $env:CGO_ENABLED = 1
 & make cloudflared
 if ($LASTEXITCODE -ne 0) { throw "Failed to build cloudflared for amd64" }
 # Sign build
 azuresigntool.exe sign -kvu $env:KEY_VAULT_URL -kvi "$env:KEY_VAULT_CLIENT_ID" -kvs "$env:KEY_VAULT_SECRET" -kvc "$env:KEY_VAULT_CERTIFICATE" -kvt "$env:KEY_VAULT_TENANT_ID" -tr "$TIMESTAMP_RFC3161" -d "Cloudflare Tunnel Daemon" .\cloudflared.exe
 copy .\cloudflared.exe .\artifacts\cloudflared-windows-amd64.exe
 Write-Output "Building for 386"
@ -24,6 +21,4 @@ $env:LOCAL_ARCH = "386"
 $env:CGO_ENABLED = 0
 & make cloudflared
 if ($LASTEXITCODE -ne 0) { throw "Failed to build cloudflared for 386" }
 ## Sign build
 azuresigntool.exe sign -kvu $env:KEY_VAULT_URL -kvi "$env:KEY_VAULT_CLIENT_ID" -kvs "$env:KEY_VAULT_SECRET" -kvc "$env:KEY_VAULT_CERTIFICATE" -kvt "$env:KEY_VAULT_TENANT_ID" -tr "$TIMESTAMP_RFC3161" -d "Cloudflare Tunnel Daemon" .\cloudflared.exe
 copy .\cloudflared.exe .\artifacts\cloudflared-windows-386.exe
--- a/.ci/scripts/windows/sign-msi.ps1
+++ b/.ci/scripts/windows/sign-msi.ps1
@ -1,26 +0,0 @@
 # Sign Windows artifacts using azuretool
 # This script processes MSI files from the artifacts directory
 $ErrorActionPreference = "Stop"
 # Define paths
 $ARTIFACT_DIR = "artifacts"
 $TIMESTAMP_RFC3161 = "http://timestamp.digicert.com"
 Write-Host "Looking for Windows artifacts to sign in $ARTIFACT_DIR..."
 # Find all Windows MSI files
 $msiFiles = Get-ChildItem -Path $ARTIFACT_DIR -Filter "cloudflared-windows-*.msi" -ErrorAction SilentlyContinue
 if ($msiFiles.Count -eq 0) {
    Write-Host "No Windows MSI files found in $ARTIFACT_DIR"
    exit 1
 }
 Write-Host "Found $($msiFiles.Count) file(s) to sign:"
 foreach ($file in $msiFiles) {
    Write-Host "Running azuretool sign for $($file.Name)"
    azuresigntool.exe sign -kvu $env:KEY_VAULT_URL -kvi "$env:KEY_VAULT_CLIENT_ID" -kvs "$env:KEY_VAULT_SECRET" -kvc "$env:KEY_VAULT_CERTIFICATE" -kvt "$env:KEY_VAULT_TENANT_ID" -tr "$TIMESTAMP_RFC3161" -d "Cloudflare Tunnel Daemon" .\\$ARTIFACT_DIR\\$($file.Name)
 }
 Write-Host "Signing process completed"
--- a/.ci/windows.gitlab-ci.yml
+++ b/.ci/windows.gitlab-ci.yml
@ -14,7 +14,7 @@ include:
 ##########################################
 ### Build Cloudflared Windows Binaries ###
 ##########################################
-windows-build-cloudflared:
+build-cloudflared-windows:
  <<: *windows-build-defaults
  stage: build
  script:
@ -26,7 +26,7 @@ windows-build-cloudflared:
 ######################################################
 ### Load Environment Variables for Component Tests ###
 ######################################################
-windows-load-env-variables:
+load-windows-env-variables:
  stage: pre-build
  extends: .component-tests
  script:
@ -35,29 +35,8 @@ windows-load-env-variables:
    - echo "DNS_API_TOKEN=$DNS_API_TOKEN" >> windows.env
    # We have to encode the `COMPONENT_TESTS_ORIGINCERT` secret, because it content is a file, otherwise we can't export it using gitlab
    - echo "COMPONENT_TESTS_ORIGINCERT=$(echo "$COMPONENT_TESTS_ORIGINCERT" | base64 -w0)" >> windows.env
    - echo "KEY_VAULT_URL=$KEY_VAULT_URL" >> windows.env
    - echo "KEY_VAULT_CLIENT_ID=$KEY_VAULT_CLIENT_ID" >> windows.env
    - echo "KEY_VAULT_TENANT_ID=$KEY_VAULT_TENANT_ID" >> windows.env
    - echo "KEY_VAULT_SECRET=$KEY_VAULT_SECRET" >> windows.env
    - echo "KEY_VAULT_CERTIFICATE=$KEY_VAULT_CERTIFICATE" >> windows.env
  variables:
-    COMPONENT_TESTS_CONFIG_CONTENT: Y2xvdWRmbGFyZWRfYmluYXJ5OiAuL2Nsb3VkZmxhcmVkLmV4ZQpjcmVkZW50aWFsc19maWxlOiBjcmVkLmpzb24Kb3JpZ2luY2VydDogY2VydC5wZW0Kem9uZV9kb21haW46IGFyZ290dW5uZWx0ZXN0LmNvbQp6b25lX3RhZzogNDg3OTZmMWU3MGJiNzY2OWMyOWJiNTFiYTI4MmJmNjU=
+    COMPONENT_TESTS_CONFIG_CONTENT: Y2xvdWRmbGFyZWRfYmluYXJ5OiBjbG91ZGZsYXJlZC5leGUKY3JlZGVudGlhbHNfZmlsZTogY3JlZC5qc29uCm9yaWdpbmNlcnQ6IGNlcnQucGVtCnpvbmVfZG9tYWluOiBhcmdvdHVubmVsdGVzdC5jb20Kem9uZV90YWc6IDQ4Nzk2ZjFlNzBiYjc2NjljMjliYjUxYmEyODJiZjY1
  secrets:
    KEY_VAULT_URL:
      vault: gitlab/cloudflare/tun/cloudflared/_dev/azure_vault/app_info/key_vault_url@kv
      file: false
    KEY_VAULT_CLIENT_ID:
      vault: gitlab/cloudflare/tun/cloudflared/_dev/azure_vault/app_info/key_vault_client_id@kv
      file: false
    KEY_VAULT_TENANT_ID:
      vault: gitlab/cloudflare/tun/cloudflared/_dev/azure_vault/app_info/key_vault_tenant_id@kv
      file: false
    KEY_VAULT_SECRET:
      vault: gitlab/cloudflare/tun/cloudflared/_dev/azure_vault/secret/key_vault_secret@kv
      file: false
    KEY_VAULT_CERTIFICATE:
      vault: gitlab/cloudflare/tun/cloudflared/_dev/azure_vault/certificate/key_vault_certificate@kv
      file: false
  artifacts:
    access: 'none'
    reports:
@ -66,12 +45,12 @@ windows-load-env-variables:
 ###################################
 ### Run Windows Component Tests ###
 ###################################
-windows-component-tests-cloudflared:
+component-tests-cloudflared-windows:
  <<: *windows-build-defaults
  stage: test
-  needs: ["windows-load-env-variables"]
+  needs: ["load-windows-env-variables"]
  script:
-    # We have to decode the secret we encoded on the `windows-load-env-variables` job
+    # We have to decode the secret we encoded on the `load-windows-env-variables` job
    - $env:COMPONENT_TESTS_ORIGINCERT = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($env:COMPONENT_TESTS_ORIGINCERT))
    - powershell -ExecutionPolicy Bypass -File ".\.ci\scripts\windows\go-wrapper.ps1" "${GO_VERSION}" ".\.ci\scripts\windows\component-test.ps1"
  artifacts:
@ -81,13 +60,13 @@ windows-component-tests-cloudflared:
 ################################
 ### Package Windows Binaries ###
 ################################
-windows-package:
+package-windows:
  rules:
    - !reference [.default-rules, run-on-master]
  stage: package
  needs:
    - ci-image-get-image-ref
-    - windows-build-cloudflared
+    - build-cloudflared-windows
  image: $BUILD_IMAGE
  script:
    - .ci/scripts/package-windows.sh
@ -95,20 +74,3 @@ windows-package:
  artifacts:
    paths:
      - artifacts/*
 #############################
 ### Sign Windows Binaries ###
 #############################
 windows-package-sign:
  <<: *windows-build-defaults
  rules:
    - !reference [.default-rules, run-on-master]
  stage: package
  needs:
    - windows-package
    - windows-load-env-variables
  script:
    - powershell -ExecutionPolicy Bypass -File ".\.ci\scripts\windows\sign-msi.ps1"
  artifacts:
    paths:
      - artifacts/*
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@ -1,5 +1,5 @@
 variables:
-  GO_VERSION: "go1.24.9"
+  GO_VERSION: "go1.24.6"
  GIT_DEPTH: "0"
 default:
@ -7,7 +7,7 @@ default:
    VAULT_ID_TOKEN:
      aud: https://vault.cfdata.org
-stages: [sync, pre-build, build, validate, test, package, release, release-internal, review]
+stages: [sync, pre-build, build, validate, test, package, release]
 include:
  #####################################################
@ -44,15 +44,3 @@ include:
  ################# Release Packages ##################
  #####################################################
  - local: .ci/release.gitlab-ci.yml
  #####################################################
  ########## Release Packages Internally ##############
  #####################################################
  - local: .ci/apt-internal.gitlab-ci.yml
  #####################################################
  ############## Manual Claude Review #################
  #####################################################
  - component: $CI_SERVER_FQDN/cloudflare/ci/ai/review@~latest
    inputs:
      whenToRun: "manual"
--- a/2
+++ b/2
@ -1,7 +1,7 @@
 # use a builder image for building cloudflare
 ARG TARGET_GOOS
 ARG TARGET_GOARCH
-FROM golang:1.24.9 AS builder
+FROM golang:1.24.4 AS builder
 ENV GO111MODULE=on \
  CGO_ENABLED=0 \
  TARGET_GOOS=${TARGET_GOOS} \
--- a/Dockerfile.amd64
+++ b/Dockerfile.amd64
@ -1,5 +1,5 @@
 # use a builder image for building cloudflare
-FROM golang:1.24.9 AS builder
+FROM golang:1.24.4 AS builder
 ENV GO111MODULE=on \
  CGO_ENABLED=0 \
  # the CONTAINER_BUILD envvar is used set github.com/cloudflare/cloudflared/metrics.Runtime=virtual
--- a/Dockerfile.arm64
+++ b/Dockerfile.arm64
@ -1,5 +1,5 @@
 # use a builder image for building cloudflare
-FROM golang:1.24.9 AS builder
+FROM golang:1.24.4 AS builder
 ENV GO111MODULE=on \
  CGO_ENABLED=0 \
  # the CONTAINER_BUILD envvar is used set github.com/cloudflare/cloudflared/metrics.Runtime=virtual
--- a/10
+++ b/10
@ -221,6 +221,10 @@ cloudflared-deb: cloudflared cloudflared.1
 cloudflared-rpm: cloudflared cloudflared.1
 	$(call build_package,rpm)
 .PHONY: cloudflared-pkg
 cloudflared-pkg: cloudflared cloudflared.1
 	$(call build_package,osxpkg)
 .PHONY: cloudflared-msi
 cloudflared-msi:
 	wixl --define Version=$(VERSION) --define Path=$(EXECUTABLE_PATH) --output cloudflared-$(VERSION)-$(TARGET_ARCH).msi cloudflared.wxs
@ -231,9 +235,13 @@ github-release-dryrun:
 .PHONY: github-release
 github-release:
-	python3 github_release.py --path $(PWD)/artifacts/ --release-version $(VERSION)
+	python3 github_release.py --path $(PWD)/built_artifacts --release-version $(VERSION)
 	python3 github_message.py --release-version $(VERSION)
 .PHONY: gitlab-release
 gitlab-release:
 	python3 github_release.py --path $(PWD)/artifacts/ --release-version $(VERSION)
 .PHONY: r2-linux-release
 r2-linux-release:
 	python3 ./release_pkgs.py
--- a/README.md
+++ b/README.md
@ -3,14 +3,14 @@
 Contains the command-line client for Cloudflare Tunnel, a tunneling daemon that proxies traffic from the Cloudflare network to your origins.
 This daemon sits between Cloudflare network and your origin (e.g. a webserver). Cloudflare attracts client requests and sends them to you
 via this daemon, without requiring you to poke holes on your firewall --- your origin can remain as closed as possible.
-Extensive documentation can be found in the [Cloudflare Tunnel section](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel) of the Cloudflare Docs.
+Extensive documentation can be found in the [Cloudflare Tunnel section](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps) of the Cloudflare Docs.
 All usages related with proxying to your origins are available under `cloudflared tunnel help`.
 You can also use `cloudflared` to access Tunnel origins (that are protected with `cloudflared tunnel`) for TCP traffic
 at Layer 4 (i.e., not HTTP/websocket), which is relevant for use cases such as SSH, RDP, etc.
 Such usages are available under `cloudflared access help`.
-You can instead use [WARP client](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/warp/)
+You can instead use [WARP client](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/configuration/private-networks)
 to access private origins behind Tunnels for Layer 4 traffic without requiring `cloudflared access` commands on the client side.
@ -19,41 +19,41 @@ to access private origins behind Tunnels for Layer 4 traffic without requiring `
 Before you use Cloudflare Tunnel, you'll need to complete a few steps in the Cloudflare dashboard: you need to add a
 website to your Cloudflare account. Note that today it is possible to use Tunnel without a website (e.g. for private
 routing), but for legacy reasons this requirement is still necessary:
-1. [Add a website to Cloudflare](https://developers.cloudflare.com/fundamentals/manage-domains/add-site/)
+1. [Add a website to Cloudflare](https://support.cloudflare.com/hc/en-us/articles/201720164-Creating-a-Cloudflare-account-and-adding-a-website)
-2. [Change your domain nameservers to Cloudflare](https://developers.cloudflare.com/dns/zone-setups/full-setup/setup/)
+2. [Change your domain nameservers to Cloudflare](https://support.cloudflare.com/hc/en-us/articles/205195708)
 ## Installing `cloudflared`
 Downloads are available as standalone binaries, a Docker image, and Debian, RPM, and Homebrew packages. You can also find releases [here](https://github.com/cloudflare/cloudflared/releases) on the `cloudflared` GitHub repository.
-* You can [install on macOS](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/downloads/#macos) via Homebrew or by downloading the [latest Darwin amd64 release](https://github.com/cloudflare/cloudflared/releases)
+* You can [install on macOS](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/install-and-setup/installation#macos) via Homebrew or by downloading the [latest Darwin amd64 release](https://github.com/cloudflare/cloudflared/releases)
-* Binaries, Debian, and RPM packages for Linux [can be found here](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/downloads/#linux)
+* Binaries, Debian, and RPM packages for Linux [can be found here](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/install-and-setup/installation#linux)
 * A Docker image of `cloudflared` is [available on DockerHub](https://hub.docker.com/r/cloudflare/cloudflared)
-* You can install on Windows machines with the [steps here](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/downloads/#windows)
+* You can install on Windows machines with the [steps here](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/install-and-setup/installation#windows)
 * To build from source, install the required version of go, mentioned in the [Development](#development) section below. Then you can run `make cloudflared`.
-User documentation for Cloudflare Tunnel can be found at https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/
+User documentation for Cloudflare Tunnel can be found at https://developers.cloudflare.com/cloudflare-one/connections/connect-apps
 ## Creating Tunnels and routing traffic
 Once installed, you can authenticate `cloudflared` into your Cloudflare account and begin creating Tunnels to serve traffic to your origins.
-* Create a Tunnel with [these instructions](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/get-started/)
+* Create a Tunnel with [these instructions](https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/get-started/)
 * Route traffic to that Tunnel:
-  * Via public [DNS records in Cloudflare](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/routing-to-tunnel/dns/)
+  * Via public [DNS records in Cloudflare](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/routing-to-tunnel/dns)
-  * Or via a public hostname guided by a [Cloudflare Load Balancer](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/routing-to-tunnel/public-load-balancers/)
+  * Or via a public hostname guided by a [Cloudflare Load Balancer](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/routing-to-tunnel/lb)
-  * Or from [WARP client private traffic](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/)
+  * Or from [WARP client private traffic](https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/private-net/)
 ## TryCloudflare
-Want to test Cloudflare Tunnel before adding a website to Cloudflare? You can do so with TryCloudflare using the documentation [available here](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/do-more-with-tunnels/trycloudflare/).
+Want to test Cloudflare Tunnel before adding a website to Cloudflare? You can do so with TryCloudflare using the documentation [available here](https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/do-more-with-tunnels/trycloudflare/).
 ## Deprecated versions
-Cloudflare currently supports versions of cloudflared that are **within one year** of the most recent release. Breaking changes unrelated to feature availability may be introduced that will impact versions released more than one year ago. You can read more about upgrading cloudflared in our [developer documentation](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/downloads/update-cloudflared/).
+Cloudflare currently supports versions of cloudflared that are **within one year** of the most recent release. Breaking changes unrelated to feature availability may be introduced that will impact versions released more than one year ago. You can read more about upgrading cloudflared in our [developer documentation](https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/downloads/#updating-cloudflared).
 For example, as of January 2023 Cloudflare will support cloudflared version 2023.1.1 to cloudflared 2022.1.1.
--- a/23
+++ b/23
@ -1,26 +1,3 @@
 2025.11.1
 - 2025-11-07 TUN-9800: Fix docker hub push step
 2025.11.0
 - 2025-11-06 TUN-9863: Introduce Code Signing for Windows Builds
 - 2025-11-06 TUN-9800: Prefix gitlab steps with operating system
 - 2025-11-04 chore: Update cloudflared signing key name in index.html
 - 2025-10-31 chore: add claude review
 - 2025-10-31 Chore: Update documentation links in README
 - 2025-10-31 TUN-9800: Add pipelines for linux packaging
 2025.10.1
 - 2025-10-30 chore: Update ci image to use goboring 1.24.9
 - 2025-10-28 TUN-9849: Add cf-proxy-* to control response headers
 - 2025-10-24 TUN-9961: Add pkg.cloudflared.com index.html to git repo
 - 2025-10-23 TUN-9954: Update from go1.24.6 to go1.24.9
 - 2025-10-23 Fix systemd service installation hanging
 - 2025-10-21 TUN-9941: Use new GPG key for RPM builds
 - 2025-10-21 TUN-9941: Fix typo causing r2-release-next deployment to fail
 - 2025-10-21 TUN-9941: Lookup correct key for RPM signature
 - 2025-10-15 TUN-9919: Make RPM postinstall scriplet idempotent
 - 2025-10-14 TUN-9916: Fix the cloudflared binary path used in the component test
 2025.10.0
 - 2025-10-14 chore: Fix upload of RPM repo file during double signing
 - 2025-10-13 TUN-9882: Bump datagram v3 write channel capacity
--- a/.ci/scripts/linux/build-packages-fips.sh
+++ b/.ci/scripts/linux/build-packages-fips.sh
--- a/build-packages.sh
+++ b/build-packages.sh
@ -0,0 +1,48 @@
 #!/bin/bash
 VERSION=$(git describe --tags --always --match "[0-9][0-9][0-9][0-9].*.*")
 echo $VERSION
 # Disable FIPS module in go-boring
 export GOEXPERIMENT=noboringcrypto
 export CGO_ENABLED=0
 # This controls the directory the built artifacts go into
 export ARTIFACT_DIR=artifacts/
 mkdir -p $ARTIFACT_DIR
 linuxArchs=("386" "amd64" "arm" "armhf" "arm64")
 export TARGET_OS=linux
 for arch in ${linuxArchs[@]}; do
    unset TARGET_ARM
    export TARGET_ARCH=$arch
    ## Support for arm platforms without hardware FPU enabled
    if [[ $arch == arm ]] ; then
        export TARGET_ARCH=arm
        export TARGET_ARM=5
    fi
    ## Support for armhf builds 
    if [[ $arch == armhf ]] ; then
        export TARGET_ARCH=arm
        export TARGET_ARM=7 
    fi
    make cloudflared-deb
    mv cloudflared\_$VERSION\_$arch.deb $ARTIFACT_DIR/cloudflared-linux-$arch.deb
    # rpm packages invert the - and _ and use x86_64 instead of amd64.
    RPMVERSION=$(echo $VERSION|sed -r 's/-/_/g')
    RPMARCH=$arch
    if [ $arch == "amd64" ];then
        RPMARCH="x86_64"
    fi
    if [ $arch == "arm64" ]; then
        RPMARCH="aarch64"
    fi
    make cloudflared-rpm
    mv cloudflared-$RPMVERSION-1.$RPMARCH.rpm $ARTIFACT_DIR/cloudflared-linux-$RPMARCH.rpm
    # finally move the linux binary as well.
    mv ./cloudflared $ARTIFACT_DIR/cloudflared-linux-$arch
 done
--- a/cfsetup.yaml
+++ b/cfsetup.yaml
@ -1,2 +1,243 @@
-# A valid cfsetup.yaml is required but we dont have any real config to specify
+pinned_go: &pinned_go go-boring=1.24.4-1
-dummy_key: true
+
 build_dir: &build_dir /cfsetup_build
 default-flavor: bookworm
 bookworm: &bookworm
  build-linux:
    build_dir: *build_dir
    builddeps: &build_deps
      - *pinned_go
      - build-essential
      - fakeroot
      - rubygem-fpm
      - rpm
      - libffi-dev
      - golangci-lint=1.64.8-2
    pre-cache: &build_pre_cache
      - export GOCACHE=/cfsetup_build/.cache/go-build
      - go install golang.org/x/tools/cmd/goimports@v0.30.0
    post-cache:
      # Linting
      - make lint
      - make fmt-check
      # Build binary for component test
      - GOOS=linux GOARCH=amd64 make cloudflared
  build-linux-fips:
    build_dir: *build_dir
    builddeps: *build_deps
    pre-cache: *build_pre_cache
    post-cache:
      - export FIPS=true
      # Build binary for component test
      - GOOS=linux GOARCH=amd64 make cloudflared
  cover:
    build_dir: *build_dir
    builddeps: *build_deps
    pre-cache: *build_pre_cache
    post-cache:
      - make cover
  # except FIPS and macos
  build-linux-release:
    build_dir: *build_dir
    builddeps: &build_deps_release
      - *pinned_go
      - build-essential
      - fakeroot
      - rubygem-fpm
      - rpm
      - libffi-dev
      - python3-dev
      - python3-pip
      - python3-setuptools
      - wget
      - python3-venv
    post-cache:
      - python3 -m venv env
      - . /cfsetup_build/env/bin/activate
      - pip install pynacl==1.4.0 pygithub==1.55 boto3==1.22.9 python-gnupg==0.4.9
      # build all packages (except macos and FIPS) and move them to /cfsetup/built_artifacts
      - ./build-packages.sh
  # handle FIPS separately so that we built with gofips compiler
  build-linux-fips-release:
    build_dir: *build_dir
    builddeps: *build_deps_release
    post-cache:
      # same logic as above, but for FIPS packages only
      - ./build-packages-fips.sh
  generate-versions-file:
    build_dir: *build_dir
    builddeps:
      - *pinned_go
      - build-essential
    post-cache:
      - make generate-docker-version
  build-deb:
    build_dir: *build_dir
    builddeps: &build_deb_deps
      - *pinned_go
      - build-essential
      - fakeroot
      - rubygem-fpm
    post-cache:
      - export GOOS=linux
      - export GOARCH=amd64
      - make cloudflared-deb
  build-fips-internal-deb:
    build_dir: *build_dir
    builddeps: &build_fips_deb_deps
      - *pinned_go
      - build-essential
      - fakeroot
      - rubygem-fpm
    post-cache:
      - export GOOS=linux
      - export GOARCH=amd64
      - export FIPS=true
      - export ORIGINAL_NAME=true
      - make cloudflared-deb
  build-internal-deb-nightly-amd64:
    build_dir: *build_dir
    builddeps: *build_fips_deb_deps
    post-cache:
      - export GOOS=linux
      - export GOARCH=amd64
      - export NIGHTLY=true
      - export FIPS=true
      - export ORIGINAL_NAME=true
      - make cloudflared-deb
  build-internal-deb-nightly-arm64:
    build_dir: *build_dir
    builddeps: *build_fips_deb_deps
    post-cache:
      - export GOOS=linux
      - export GOARCH=arm64
      - export NIGHTLY=true
      # - export FIPS=true # TUN-7595
      - export ORIGINAL_NAME=true
      - make cloudflared-deb
  build-deb-arm64:
    build_dir: *build_dir
    builddeps: *build_deb_deps
    post-cache:
      - export GOOS=linux
      - export GOARCH=arm64
      - make cloudflared-deb
  test:
    build_dir: *build_dir
    builddeps: &build_deps_tests
      - *pinned_go
      - build-essential
      - fakeroot
      - rubygem-fpm
      - rpm
      - libffi-dev
      - gotest-to-teamcity
    pre-cache: *build_pre_cache
    post-cache:
      - export GOOS=linux
      - export GOARCH=amd64
      - export PATH="$HOME/go/bin:$PATH"
      - make test | gotest-to-teamcity
  test-fips:
    build_dir: *build_dir
    builddeps: *build_deps_tests
    pre-cache: *build_pre_cache
    post-cache:
      - export GOOS=linux
      - export GOARCH=amd64
      - export FIPS=true
      - export PATH="$HOME/go/bin:$PATH"
      - make test | gotest-to-teamcity
  component-test:
    build_dir: *build_dir
    builddeps: &build_deps_component_test
      - *pinned_go
      - python3
      - python3-pip
      - python3-setuptools
      # procps installs the ps command which is needed in test_sysv_service
      # because the init script uses ps pid to determine if the agent is
      # running
      - procps
      - python3-venv
    pre-cache-copy-paths:
      - component-tests/requirements.txt
    post-cache: &component_test_post_cache
      - python3 -m venv env
      - . env/bin/activate
      - pip install --upgrade -r component-tests/requirements.txt
      # Creates and routes a Named Tunnel for this build. Also constructs
      # config file from env vars.
      - python3 component-tests/setup.py --type create
      - pytest component-tests -o log_cli=true --log-cli-level=INFO
      # The Named Tunnel is deleted and its route unprovisioned here.
      - python3 component-tests/setup.py --type cleanup
  component-test-fips:
    build_dir: *build_dir
    builddeps: *build_deps_component_test
    pre-cache-copy-paths:
      - component-tests/requirements.txt
    post-cache: *component_test_post_cache
  github-release-dryrun:
    build_dir: *build_dir
    builddeps:
      - *pinned_go
      - build-essential
      - python3-dev
      - libffi-dev
      - python3-setuptools
      - python3-pip
      - python3-venv
    post-cache:
      - python3 -m venv env
      - . env/bin/activate
      - pip install pynacl==1.4.0 pygithub==1.55
      - make github-release-dryrun
  github-release:
    build_dir: *build_dir
    builddeps:
      - *pinned_go
      - build-essential
      - python3-dev
      - libffi-dev
      - python3-setuptools
      - python3-pip
      - python3-venv
    post-cache:
      - python3 -m venv env
      - . env/bin/activate
      - pip install pynacl==1.4.0 pygithub==1.55
      - make github-release
  r2-linux-release:
    build_dir: *build_dir
    builddeps: &r2-linux-release-deps
      - *pinned_go
      - build-essential
      - fakeroot
      - rubygem-fpm
      - rpm
      - wget
      - python3-dev
      - libffi-dev
      - python3-setuptools
      - python3-pip
      - reprepro
      - createrepo-c
      - python3-venv
    post-cache:
      - python3 -m venv env
      - . env/bin/activate
      - pip install pynacl==1.4.0 pygithub==1.55 boto3==1.22.9 python-gnupg==0.4.9
      - make r2-linux-release
  r2-next-linux-release:
    build_dir: *build_dir
    builddeps: *r2-linux-release-deps
    post-cache:
      - python3 -m venv env
      - . env/bin/activate
      - pip install pynacl==1.4.0 pygithub==1.55 boto3==1.22.9 python-gnupg==0.4.9
      - make r2-next-linux-release
 trixie: *bookworm
--- a/cmd/cloudflared/linux_service.go
+++ b/cmd/cloudflared/linux_service.go
@ -60,7 +60,7 @@ After=network-online.target
 Wants=network-online.target
 [Service]
-TimeoutStartSec=15
+TimeoutStartSec=0
 Type=notify
 ExecStart={{ .Path }} --no-autoupdate{{ range .ExtraArgs }} {{ . }}{{ end }}
 Restart=on-failure
--- a/component-tests/test_management.py
+++ b/component-tests/test_management.py
@ -107,13 +107,7 @@ class TestManagement:
            assert resp.status_code == 404, "Expected cloudflared to return 404 for /metrics"
@retry(stop_max_attempt_number=MAX_RETRIES, wait_fixed=BACKOFF_SECS * 1000)
 def send_request(url, headers={}):
    with requests.Session() as s:
-        resp = s.get(url, timeout=BACKOFF_SECS, headers=headers)
+        return s.get(url, timeout=BACKOFF_SECS, headers=headers)
        if resp.status_code == 530:
            LOGGER.debug(f"Received 530 status, retrying request to {url}")
            raise Exception(f"Received 530 status code from {url}")
        return resp
--- a/component-tests/test_tunnel.py
+++ b/component-tests/test_tunnel.py
@ -33,20 +33,13 @@ class TestTunnel:
        LOGGER.debug(config)
        with start_cloudflared(tmp_path, config, cfd_pre_args=["tunnel", "--ha-connections", "1"],  cfd_args=["run"], new_process=True):
            wait_tunnel_ready(require_min_connections=1)
-            expected_status_code = 503
+            resp = send_request(config.get_url()+"/")
-            resp = send_request(config.get_url()+"/", expected_status_code)
+            assert resp.status_code == 503, "Expected cloudflared to return 503 for all requests with no ingress defined"
-            assert resp.status_code == expected_status_code, "Expected cloudflared to return 503 for all requests with no ingress defined"
+            resp = send_request(config.get_url()+"/test")
-            resp = send_request(config.get_url()+"/test", expected_status_code)
+            assert resp.status_code == 503, "Expected cloudflared to return 503 for all requests with no ingress defined"
            assert resp.status_code == expected_status_code, "Expected cloudflared to return 503 for all requests with no ingress defined"
 def retry_if_result_none(result):
    '''
    Returns True if the result is None, indicating that the function should be retried.
    '''
    return result is None
-@retry(retry_on_result=retry_if_result_none, stop_max_attempt_number=MAX_RETRIES, wait_fixed=BACKOFF_SECS * 1000)
+@retry(stop_max_attempt_number=MAX_RETRIES, wait_fixed=BACKOFF_SECS * 1000)
-def send_request(url, expected_status_code=200):
+def send_request(url, headers={}):
    with requests.Session() as s:
-        resp = s.get(url, timeout=BACKOFF_SECS)
+        return s.get(url, timeout=BACKOFF_SECS, headers=headers)
        return resp if resp.status_code == expected_status_code else None
--- a/connection/header.go
+++ b/connection/header.go
@ -53,8 +53,7 @@ var headerEncoding = base64.RawStdEncoding
 func IsControlResponseHeader(headerName string) bool {
 	return strings.HasPrefix(headerName, ":") ||
 		strings.HasPrefix(headerName, "cf-int-") ||
-		strings.HasPrefix(headerName, "cf-cloudflared-") ||
+		strings.HasPrefix(headerName, "cf-cloudflared-")
 		strings.HasPrefix(headerName, "cf-proxy-")
 }
 // isWebsocketClientHeader returns true if the header name is required by the client to upgrade properly
--- a/connection/header_test.go
+++ b/connection/header_test.go
@ -1,17 +1,18 @@
 package connection
 import (
 	"fmt"
 	"net/http"
 	"reflect"
 	"sort"
 	"testing"
-	"github.com/stretchr/testify/require"
+	"github.com/stretchr/testify/assert"
 )
 func TestSerializeHeaders(t *testing.T) {
 	request, err := http.NewRequest(http.MethodGet, "http://example.com", nil)
-	require.NoError(t, err)
+	assert.NoError(t, err)
 	mockHeaders := http.Header{
 		"Mock-Header-One":        {"Mock header one value", "three"},
@ -38,22 +39,22 @@ func TestSerializeHeaders(t *testing.T) {
 	serializedHeaders := SerializeHeaders(request.Header)
 	// Sanity check: the headers serialized to something that's not an empty string
-	require.NotEqual(t, "", serializedHeaders)
+	assert.NotEqual(t, "", serializedHeaders)
 	// Deserialize back, and ensure we get the same set of headers
 	deserializedHeaders, err := DeserializeHeaders(serializedHeaders)
-	require.NoError(t, err)
+	assert.NoError(t, err)
-	require.Len(t, deserializedHeaders, 13)
+	assert.Equal(t, 13, len(deserializedHeaders))
 	expectedHeaders := headerToReqHeader(mockHeaders)
 	sort.Sort(ByName(deserializedHeaders))
 	sort.Sort(ByName(expectedHeaders))
-	require.True(
+	assert.True(
 		t,
 		reflect.DeepEqual(expectedHeaders, deserializedHeaders),
-		"got = %#v, want = %#v\n", deserializedHeaders, expectedHeaders,
+		fmt.Sprintf("got = %#v, want = %#v\n", deserializedHeaders, expectedHeaders),
 	)
 }
@ -81,12 +82,12 @@ func headerToReqHeader(headers http.Header) (reqHeaders []HTTPHeader) {
 func TestSerializeNoHeaders(t *testing.T) {
 	request, err := http.NewRequest(http.MethodGet, "http://example.com", nil)
-	require.NoError(t, err)
+	assert.NoError(t, err)
 	serializedHeaders := SerializeHeaders(request.Header)
 	deserializedHeaders, err := DeserializeHeaders(serializedHeaders)
-	require.NoError(t, err)
+	assert.NoError(t, err)
-	require.Empty(t, deserializedHeaders)
+	assert.Equal(t, 0, len(deserializedHeaders))
 }
 func TestDeserializeMalformed(t *testing.T) {
@ -101,22 +102,21 @@ func TestDeserializeMalformed(t *testing.T) {
 	for _, malformedValue := range malformedData {
 		_, err = DeserializeHeaders(malformedValue)
-		require.Error(t, err)
+		assert.Error(t, err)
 	}
 }
 func TestIsControlResponseHeader(t *testing.T) {
 	controlResponseHeaders := []string{
-		// Anything that begins with cf-int-, cf-cloudflared- or cf-proxy-
+		// Anything that begins with cf-int- or cf-cloudflared-
 		"cf-int-sample-header",
 		"cf-cloudflared-sample-header",
 		"cf-proxy-sample-header",
 		// Any http2 pseudoheader
 		":sample-pseudo-header",
 	}
 	for _, header := range controlResponseHeaders {
-		require.True(t, IsControlResponseHeader(header))
+		assert.True(t, IsControlResponseHeader(header))
 	}
 }
@ -130,6 +130,6 @@ func TestIsNotControlResponseHeader(t *testing.T) {
 	}
 	for _, header := range notControlResponseHeaders {
-		require.False(t, IsControlResponseHeader(header))
+		assert.False(t, IsControlResponseHeader(header))
 	}
 }
--- a/postinst.sh
+++ b/postinst.sh
@ -1,5 +1,5 @@
 #!/bin/bash
 set -eu
-ln -sf /usr/bin/cloudflared /usr/local/bin/cloudflared
+ln -s /usr/bin/cloudflared /usr/local/bin/cloudflared
 mkdir -p /usr/local/etc/cloudflared/
 touch /usr/local/etc/cloudflared/.installedFromPackageManager || true
--- a/release/index.html
+++ b/release/index.html
@ -1,212 +0,0 @@
 <!-- TODO(TUN-9963): Create pipeline to push this file to repo automatically -->
 <html>
 <body>
 <h1>Cloudflare packages</h1>
 <ul>
    <li><a href="#cloudflared-packages">Cloudflared packages</a></li>
    <li><a href="#gokeyless-packages">Gokeyless Packages</a></li>
 </ul>
 <br>
 <h2><a name="cloudflared-packages">Cloudflared</a></h2>
 <ul>
    <li><a href="#debian-any">Any Debian Based Distribution (Recommended)</a></li>
    <li><a href="#debian-bookworm">Debian Bookworm</a></li>
    <li><a href="#ubuntu-focal">Ubuntu 20.04 (Focal Fossa)</a></li>
    <li><a href="#ubuntu-jammy">Ubuntu 22.04 (Jammy Jellyfish)</a></li>
    <li><a href="#ubuntu-noble">Ubuntu 24.04 (Noble Numbat)</a></li>
    <li><a href="#Amazon-Linux">Amazon Linux</a></li>
    <li><a href="#RHEL-generic">RHEL Generic</a></li>
    <li><a href="#centos-7">Centos 7</a></li>
    <li><a href="#centos-8">Centos 8</a></li>
    <li><a href="#centos-stream">Centos Stream</a></li>
 </ul>
 <h3 style="color: #d9534f;">Warning: Public Key Rollover (30 October 2025)</h3>
 <p style="background-color: #fff3cd; border-left: 4px solid #ffc107; padding: 10px; margin: 10px 0;">
    <strong>We have rolled our public key for package signing.</strong> If you are using RPM-based distributions (RHEL,
    CentOS, Amazon Linux, etc.) or Debian Trixie and have the old key installed, RPM/Deb packages will no longer work with the old key.
    Please update your repository configuration using the instructions below to ensure you can continue receiving
    package updates. The previous keys will still work for other distributions for the time being, but it is now DEPRECATED and will be removed on 30 April 2026
 </p>
 <h3><a name="debian-any">Any Debian Based Distribution (Recommended)</a></h3>
 <pre>
 # Add cloudflare gpg key
 sudo mkdir -p --mode=0755 /usr/share/keyrings
 curl -fsSL https://pkg.cloudflare.com/cloudflare-main.gpg | sudo tee /usr/share/keyrings/cloudflare-main.gpg >/dev/null
 # Add this repo to your apt repositories
 # Stable
 echo 'deb [signed-by=/usr/share/keyrings/cloudflare-main.gpg] https://pkg.cloudflare.com/cloudflared any main' | sudo tee /etc/apt/sources.list.d/cloudflared.list
 # Nightly
 echo 'deb [signed-by=/usr/share/keyrings/cloudflare-main.gpg] https://next.pkg.cloudflare.com/cloudflared any main' | sudo tee /etc/apt/sources.list.d/cloudflared.list
 # install cloudflared
 sudo apt-get update && sudo apt-get install cloudflared
 </pre>
 <h3><a name="debian-bookworm">Debian Bookworm</a></h3>
 <pre>
 # Add cloudflare gpg key
 sudo mkdir -p --mode=0755 /usr/share/keyrings
 curl -fsSL https://pkg.cloudflare.com/cloudflare-main.gpg | sudo tee /usr/share/keyrings/cloudflare-main.gpg >/dev/null
 # Add this repo to your apt repositories
 # Stable
 echo 'deb [signed-by=/usr/share/keyrings/cloudflare-main.gpg] https://pkg.cloudflare.com/cloudflared bookworm main' | sudo tee /etc/apt/sources.list.d/cloudflared.list
 # Nightly
 echo 'deb [signed-by=/usr/share/keyrings/cloudflare-main.gpg] https://next.pkg.cloudflare.com/cloudflared bookworm main' | sudo tee /etc/apt/sources.list.d/cloudflared.list
 # install cloudflared
 sudo apt-get update && sudo apt-get install cloudflared
 </pre>
 <h3><a name="ubuntu-focal">Ubuntu 20.04 (Focal Fossa)</a></h3>
 <pre>
 # Add cloudflare gpg key
 sudo mkdir -p --mode=0755 /usr/share/keyrings
 curl -fsSL https://pkg.cloudflare.com/cloudflare-main.gpg | sudo tee /usr/share/keyrings/cloudflare-main.gpg >/dev/null
 # Add this repo to your apt repositories
 # Stable
 echo 'deb [signed-by=/usr/share/keyrings/cloudflare-main.gpg] https://pkg.cloudflare.com/cloudflared focal main' | sudo tee /etc/apt/sources.list.d/cloudflared.list
 # Nightly
 echo 'deb [signed-by=/usr/share/keyrings/cloudflare-main.gpg] https://next.pkg.cloudflare.com/cloudflared focal main' | sudo tee /etc/apt/sources.list.d/cloudflared.list
 # install cloudflared
 sudo apt-get update && sudo apt-get install cloudflared
 </pre>
 <h3><a name="ubuntu-jammy">Ubuntu 22.04 (Jammy Jellyfish)</a></h3>
 <pre>
 # Add cloudflare gpg key
 sudo mkdir -p --mode=0755 /usr/share/keyrings
 curl -fsSL https://pkg.cloudflare.com/cloudflare-main.gpg | sudo tee /usr/share/keyrings/cloudflare-main.gpg >/dev/null
 # Add this repo to your apt repositories
 # Stable
 echo 'deb [signed-by=/usr/share/keyrings/cloudflare-main.gpg] https://pkg.cloudflare.com/cloudflared jammy main' | sudo tee /etc/apt/sources.list.d/cloudflared.list
 # Nightly
 echo 'deb [signed-by=/usr/share/keyrings/cloudflare-main.gpg] https://next.pkg.cloudflare.com/cloudflared jammy main' | sudo tee /etc/apt/sources.list.d/cloudflared.list
 # install cloudflared
 sudo apt-get update && sudo apt-get install cloudflared
 </pre>
 <h3><a name="ubuntu-noble">Ubuntu 24.04 (Noble Numbat)</a></h3>
 <pre>
 # Add cloudflare gpg key
 sudo mkdir -p --mode=0755 /usr/share/keyrings
 curl -fsSL https://pkg.cloudflare.com/cloudflare-main.gpg | sudo tee /usr/share/keyrings/cloudflare-main.gpg >/dev/null
 # Add this repo to your apt repositories
 # Stable
 echo 'deb [signed-by=/usr/share/keyrings/cloudflare-main.gpg] https://pkg.cloudflare.com/cloudflared noble main' | sudo tee /etc/apt/sources.list.d/cloudflared.list
 # Nightly
 echo 'deb [signed-by=/usr/share/keyrings/cloudflare-main.gpg] https://next.pkg.cloudflare.com/cloudflared noble main' | sudo tee /etc/apt/sources.list.d/cloudflared.list
 # install cloudflared
 sudo apt-get update && sudo apt-get install cloudflared
 </pre>
 <h3><a name="Amazon-Linux">Amazon Linux</a></h3>
 <pre>
 # Add cloudflared.repo to /etc/yum.repos.d/
 # Stable
 curl -fsSl https://pkg.cloudflare.com/cloudflared.repo | sudo tee /etc/yum.repos.d/cloudflared.repo
 # Nightly
 curl -fsSl https://next.pkg.cloudflare.com/cloudflared.repo | sudo tee /etc/yum.repos.d/cloudflared.repo
 #update repo
 sudo yum update
 # install cloudflared
 sudo yum install cloudflared
 </pre>
 <h3><a name="RHEL-generic">RHEL Generic</a></h3>
 <pre>
 # Add cloudflared.repo to /etc/yum.repos.d/
 # Stable
 curl -fsSl https://pkg.cloudflare.com/cloudflared.repo | sudo tee /etc/yum.repos.d/cloudflared.repo
 # Nightly
 curl -fsSl https://next.pkg.cloudflare.com/cloudflared.repo | sudo tee /etc/yum.repos.d/cloudflared.repo
 #update repo
 sudo yum update
 # install cloudflared
 sudo yum install cloudflared
 </pre>
 <h3><a name="centos-7">Centos 7</a></h3>
 <pre>
 # This requires yum config-manager
 sudo yum install yum-utils
 # Add cloudflared.repo to config-manager
 # Stable
 sudo yum-config-manager --add-repo https://pkg.cloudflare.com/cloudflared.repo
 # Nightly
 sudo yum-config-manager --add-repo https://next.pkg.cloudflare.com/cloudflared.repo
 # install cloudflared
 yum install cloudflared
 </pre>
 <h3><a name="centos-8">Centos 8</a></h3>
 <pre>
 # This requires dnf config-manager
 # Add cloudflared.repo to config-manager
 # Stable
 sudo dnf config-manager --add-repo https://pkg.cloudflare.com/cloudflared.repo
 # Nightly
 sudo dnf config-manager --add-repo https://next.pkg.cloudflare.com/cloudflared.repo
 # install cloudflared
 sudo dnf install cloudflared
 </pre>
 <h3><a name="centos-stream">Centos Stream</a></h3>
 <pre>
 # This requires dnf config-manager
 # Add cloudflared.repo to config-manager
 # Stable
 sudo dnf config-manager --add-repo https://pkg.cloudflare.com/cloudflared.repo
 # Nightly
 sudo dnf config-manager --add-repo https://next.pkg.cloudflare.com/cloudflared.repo
 # install cloudflared
 sudo dnf install cloudflared
 </pre>
 <h2><a name="gokeyless-packages"></a>Gokeyless</a></h2>
 <h3><a name="go-keyless-debian">Debian</a></h3>
 <pre>
 sudo mkdir -p --mode=0755 /usr/share/keyrings
 curl -fsSL https://pkg.cloudflare.com/cloudflare-main.gpg | sudo tee /usr/share/keyrings/cloudflare-main.gpg >/dev/null
 # Add this repo to your apt repositories
 echo 'deb [signed-by=/usr/share/keyrings/cloudflare-main.gpg] https://pkg.cloudflare.com/gokeyless buster main' | sudo tee /etc/apt/sources.list.d/cloudflare.list
 # install gokeyless
 sudo apt-get update && sudo apt-get install gokeyless
 </pre>
 <h3><a name="go-keyless-centos">Centos 8</a></h3>
 <pre>
 # This requires dnf config-manager
 # Add gokeyless.repo to config-manager
 sudo dnf config-manager --add-repo https://pkg.cloudflare.com/gokeyless.repo
 # install gokeyless
 sudo dnf install gokeyless
 </pre>
 </body>
 </html>
--- a/release_pkgs.py
+++ b/release_pkgs.py
@ -260,7 +260,7 @@ def upload_from_directories(pkg_uploader, directory, release, binary):
 """ 
-    1. looks into a artifacts folder for cloudflared debs
+    1. looks into a built_artifacts folder for cloudflared debs
    2. creates Packages.gz, InRelease (signed) files
    3. uploads them to Cloudflare R2 
@ -294,7 +294,7 @@ def create_deb_packaging(pkg_creator, pkg_uploader, releases, primary_gpg_key_id
    for release in releases:
        for arch in archs:
            print(f"creating deb pkgs for {release} and {arch}...")
-            pkg_creator.create_deb_pkgs(release, f"./artifacts/cloudflared-linux-{arch}.deb")
+            pkg_creator.create_deb_pkgs(release, f"./built_artifacts/cloudflared-linux-{arch}.deb")
    print("uploading latest to r2...")
    upload_from_directories(pkg_uploader, "dists", None, binary_name)
@ -381,6 +381,10 @@ def parse_args():
            downloaders can use to verify signing"
    )
    parser.add_argument(
        "--gpg-public-key-url-2", default=os.environ.get("GPG_PUBLIC_KEY_URL_2"), help="Secondary GPG public key url for rollover"
    )
    parser.add_argument(
        "--pkg-upload-url", default=os.environ.get("PKG_URL"), help="URL to be used by downloaders"
    )
@ -426,17 +430,11 @@ if __name__ == "__main__":
    secondary_gpg_key_name = None
    if len(key_results) > 1:
        secondary_gpg_key_id, secondary_gpg_key_name = key_results[1]
-
+    # Import RPM public keys (one or two)
-    if args.gpg_private_key_2:
+    pkg_creator.import_rpm_key(args.gpg_public_key)
        print(f"signing RPM with secondary gpg_key: {secondary_gpg_key_id}")
        pkg_creator.import_rpm_key(args.gpg_public_key_2)
    else:
        print(f"signing RPM with primary gpg_key: {primary_gpg_key_name}")
        pkg_creator.import_rpm_key(args.gpg_public_key)
    pkg_uploader = PkgUploader(args.account, args.bucket, args.id, args.secret)
-    print(f"signing deb with primary gpg_key: {primary_gpg_key_id} and secondary gpg_key: {secondary_gpg_key_id}")
+    print(f"signing with primary gpg_key: {primary_gpg_key_id} and secondary gpg_key: {secondary_gpg_key_id}")
    create_deb_packaging(
        pkg_creator,
        pkg_uploader,
@ -452,10 +450,10 @@ if __name__ == "__main__":
    create_rpm_packaging(
        pkg_creator,
        pkg_uploader,
-        "./artifacts",
+        "./built_artifacts",
        args.release_tag,
        args.binary,
-        secondary_gpg_key_name,
+        primary_gpg_key_name,
        args.pkg_upload_url,
        args.gpg_public_key_url,
        args.upload_repo_file,