From 5727ccf39ee9fcdf5aa47d5fee77bdac05984428 Mon Sep 17 00:00:00 2001 From: Mike Swanson Date: Fri, 29 May 2026 11:26:52 -0700 Subject: [PATCH] fix: drop broken jsign --info verify step in release jsign 7.1 signs guruconnect.exe successfully via Azure Trusted Signing, but the separate verify step called `jsign --info` (not a real jsign subcommand) and wrongly failed the job. jsign's non-zero exit under `set -euo pipefail` already gates signing fail-closed. Co-Authored-By: Claude Opus 4.8 (1M context) --- .gitea/workflows/release.yml | 19 ++++--------------- 1 file changed, 4 insertions(+), 15 deletions(-) diff --git a/.gitea/workflows/release.yml b/.gitea/workflows/release.yml index c320870..0a2f687 100644 --- a/.gitea/workflows/release.yml +++ b/.gitea/workflows/release.yml @@ -430,21 +430,10 @@ jobs: --url "https://www.azcomputerguru.com" \ --replace \ guruconnect.exe - echo "[OK] Signing command completed" - - - name: Verify signature present (fail release if unsigned) - run: | - set -euo pipefail - echo "[INFO] Verifying Authenticode signature is present" - # jsign's --info on a signed PE lists the signature(s); fail if none reported. - OUT="$(java -jar /tmp/jsign.jar --info guruconnect.exe 2>&1 || true)" - echo "$OUT" - if echo "$OUT" | grep -qiE 'signature|signer|signed'; then - echo "[OK] Signature present" - else - echo "[ERROR] No signature detected on guruconnect.exe - refusing to publish unsigned binary" - exit 1 - fi + echo "[OK] guruconnect.exe signed via Azure Trusted Signing" + # Fail-closed: this step uses `set -euo pipefail` and jsign exits non-zero if signing + # fails, so reaching this line guarantees the binary was signed. jsign has no `--info` + # subcommand, so do NOT add a separate jsign-based verify step (that was the bug). - name: Compute SHA-256 of signed binary id: sha