From e7f38ce2a0f579697ea087700c0a4139b173b9c4 Mon Sep 17 00:00:00 2001
From: Mike Swanson <mike@azcomputerguru.com>
Date: Fri, 29 May 2026 11:05:09 -0700
Subject: [PATCH] fix: use jsign 7.1 for Azure Trusted Signing

jsign 6.0 lacks the TRUSTEDSIGNING keystore type (only AZUREKEYVAULT); Azure Trusted
Signing support requires jsign >= 7.0. 7.1 matches /usr/share/jsign on the build host.
Fixes the release sign-and-publish step.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
---
 .gitea/workflows/release.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/.gitea/workflows/release.yml b/.gitea/workflows/release.yml
index dc15139..c320870 100644
--- a/.gitea/workflows/release.yml
+++ b/.gitea/workflows/release.yml
@@ -407,7 +407,9 @@ jobs:
           set -euo pipefail
           sudo apt-get update
           sudo apt-get install -y default-jre-headless
-          JSIGN_VERSION="6.0"
+          # jsign >= 7.0 is required for the TRUSTEDSIGNING (Azure Trusted Signing) storetype;
+          # 6.0 only supports AZUREKEYVAULT. 7.1 matches the version on the build host.
+          JSIGN_VERSION="7.1"
           curl -fsSL "https://github.com/ebourg/jsign/releases/download/${JSIGN_VERSION}/jsign-${JSIGN_VERSION}.jar" \
             -o /tmp/jsign.jar
           echo "[OK] Installed JRE and jsign ${JSIGN_VERSION}"