@@ -162,50 +162,71 @@ jobs:
162162
163163 - name : Decode base64-encoded JKS
164164 run : |
165- echo "$env:JKS_B64" | Out-File -FilePath encoded.b64 -Encoding ASCII
166- certutil -decode encoded.b64 mykeystore.jks
167- Remove-Item encoded.b64
165+ # Restore JKS from secret
166+ [IO.File]::WriteAllBytes("signing.jks",[Convert]::FromBase64String($env:JKS_B64))
167+ if (-not (Test-Path "$PWD\signing.jks")) { throw "signing.jks not created" }
168+
169+ - name : Verify JKS contains a PrivateKeyEntry
170+ shell : pwsh
171+ run : |
172+ if (-not $env:ALIAS) { throw "ALIAS secret is empty. It must point to the PrivateKeyEntry alias." }
173+ $out = & "${env:JAVA_HOME}\bin\keytool.exe" -list -v -keystore signing.jks -storepass $env:JKS_PASS
174+ # Show the entry for the alias (log masking will hide secrets)
175+ Write-Host $out | Select-String -Pattern "Alias name: $env:ALIAS" -Context 0,8
176+ # Hard-check the entry type for the alias
177+ $aliasBlock = ($out -split "Alias name:") | Where-Object { $_ -match "^\s*$($env:ALIAS)\b" }
178+ if (-not $aliasBlock) { throw "Alias '$env:ALIAS' not found in signing.jks" }
179+ if ($aliasBlock -notmatch "Entry type:\s*PrivateKeyEntry") {
180+ throw "Alias '$env:ALIAS' is not a PrivateKeyEntry (likely a trustedCertEntry). cannot export a private key from this JKS."
181+ }
168182
169183 - name : Convert JKS to PFX
170184 shell : pwsh
171185 run : |
172- & "${env:JAVA_HOME}\bin\keytool.exe" -importkeystore `
173- -srckeystore mykeystore.jks `
174- -srcstorepass $env:JKS_PASS `
175- -srcalias $env:ALIAS `
176- -srckeypass $env:JKS_PASS `
177- -destkeystore cert.pfx `
178- -deststoretype PKCS12 `
179- -deststorepass $env:PFX_PASS `
180- -destkeypass $env:PFX_PASS
186+ & "${env:JAVA_HOME}\bin\keytool.exe" -importkeystore `
187+ -srckeystore "$PWD\signing.jks" `
188+ -srcstorepass $env:JKS_PASS `
189+ -srcalias $env:ALIAS `
190+ -srckeypass $env:JKS_PASS `
191+ -destkeystore "$PWD\cert.pfx" `
192+ -deststoretype PKCS12 `
193+ -deststorepass $env:PFX_PASS `
194+ -destkeypass $env:PFX_PASS
195+ if (-not (Test-Path "$PWD\cert.pfx")) { throw "cert.pfx not created" }
196+
197+ - name : Prove PFX has a private key (fail fast)
198+ shell : pwsh
199+ run : |
200+ $dump = certutil -p $env:PFX_PASS -dump "$PWD\cert.pfx"
201+ if ($dump -notmatch 'Private key is present:\s*Yes') {
202+ Write-Host $dump
203+ throw "Exported PFX lacks a private key. Check alias/passwords; your JKS may be a truststore."
204+ }
181205
182206 - name : Inspect the PFX file
183207 shell : pwsh
184208 run : |
185209 certutil -p $env:PFX_PASS -dump cert.pfx
186210
211+
187212 - name : Sign Windows Executable
188213 shell : pwsh
189214 run : |
190- $exe = Get-ChildItem -Recurse extracted\Espressif-IDE\espressif-ide.exe | Select-Object -First 1
191- if (-not $exe) { throw "espressif-ide.exe not found under extracted\Espressif-IDE" }
192-
193- $signtool = Get-ChildItem "C:\Program Files (x86)\Windows Kits" -Recurse -Filter signtool.exe |
194- Sort-Object FullName | Select-Object -First 1
195-
196- if (-not $signtool) { throw "signtool.exe not found in Windows Kits" }
197-
198- if (-not (Test-Path "$PWD\cert.pfx")) { throw "cert.pfx not found in $PWD" }
199-
200- & $signtool.FullName sign `
201- /debug `
202- /v `
203- /f cert.pfx `
204- /p $env:PFX_PASS `
205- /tr http://timestamp.digicert.com `
206- /td sha256 `
207- /fd sha256 `
208- "$($exe.FullName)"
215+ $exe = Get-ChildItem -File -Recurse "$PWD\extracted\Espressif-IDE\espressif-ide.exe" | Select-Object -First 1
216+ if (-not $exe) { throw "espressif-ide.exe not found under extracted\Espressif-IDE" }
217+
218+ $signtool = Get-ChildItem "C:\Program Files (x86)\Windows Kits" -Recurse -Filter signtool.exe |
219+ Sort-Object FullName | Select-Object -First 1
220+ if (-not $signtool) { throw "signtool.exe not found in Windows Kits" }
221+
222+ & $signtool.FullName sign `
223+ /debug /v `
224+ /f "$PWD\cert.pfx" `
225+ /p $env:PFX_PASS `
226+ /tr http://timestamp.digicert.com `
227+ /td sha256 `
228+ /fd sha256 `
229+ "$($exe.FullName)"
209230
210231 - name : Verify Signature
211232 run : |
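Review bot: `Write-Host $out | Select-String …` on new line 175 never filters anything: Write-Host writes to the host/information stream, not the pipeline, so Select-String gets no input and the full `keytool -list -v` listing of every entry lands in the log, while the alias is also interpolated unescaped into the regexes on lines 175 and 177. The hard-check on line 177 looks broken as well: `$out` from `& keytool` is an array of lines, so `-split "Alias name:"` runs per line and `$aliasBlock` holds only the remainder of the `Alias name:` line, never the following `Entry type:` line, which would make the PrivateKeyEntry test throw even for a valid key (worth confirming on a run). Join the lines before splitting, escape the alias with `[regex]::Escape`, and pipe the filtered context through Out-Host. Separately, signing.jks and cert.pfx are left in the workspace with no cleanup (the old step at least removed encoded.b64); an `if: always()` step deleting both would keep key material out of later artifact uploads, particularly on self-hosted runners.
```powershell
$out = & "${env:JAVA_HOME}\bin\keytool.exe" -list -v -keystore signing.jks -storepass $env:JKS_PASS
$alias = [regex]::Escape($env:ALIAS)
# Show only the entry for the alias; Select-String needs pipeline input, not Write-Host
$out | Select-String -Pattern "Alias name: $alias" -Context 0,8 | Out-Host
# Join lines first so each split piece contains the whole entry, not just the alias line
$aliasBlock = (($out -join "`n") -split "Alias name:") | Where-Object { $_ -match "^\s*$alias\b" }
# … unchanged: not-found / Entry type checks …
```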