@@ -490,22 +490,6 @@ jobs:
490490 path : |
491491 src-tauri/target/x86_64-pc-windows-msvc/release/bundle/msi/*.msi
492492 src-tauri/target/x86_64-pc-windows-msvc/release/bundle/nsis/*.exe
493-
494- # Upload Tauri updater signatures directly (not for Windows code signing)
495- - name : Upload Tauri updater signatures to GitHub Release
496- uses : ncipollo/release-action@v1
497- with :
498- tag : ${{ needs.create-release.outputs.release_tag }}
499- name : " Armbian Imager ${{ needs.create-release.outputs.release_tag }}"
500- draft : true
501- prerelease : false
502- allowUpdates : true
503- omitBodyDuringUpdate : true
504- omitNameDuringUpdate : true
505- replacesArtifacts : false
506- artifacts : |
507- src-tauri/target/x86_64-pc-windows-msvc/release/bundle/nsis/*.exe.sig
508-
509493 outputs :
510494 artifact-id : ${{ steps.upload-unsigned.outputs.artifact-id }}
511495
@@ -591,22 +575,6 @@ jobs:
591575 path : |
592576 src-tauri/target/aarch64-pc-windows-msvc/release/bundle/msi/*.msi
593577 src-tauri/target/aarch64-pc-windows-msvc/release/bundle/nsis/*.exe
594-
595- # Upload Tauri updater signatures directly (not for Windows code signing)
596- - name : Upload Tauri updater signatures to GitHub Release
597- uses : ncipollo/release-action@v1
598- with :
599- tag : ${{ needs.create-release.outputs.release_tag }}
600- name : " Armbian Imager ${{ needs.create-release.outputs.release_tag }}"
601- draft : true
602- prerelease : false
603- allowUpdates : true
604- omitBodyDuringUpdate : true
605- omitNameDuringUpdate : true
606- replacesArtifacts : false
607- artifacts : |
608- src-tauri/target/aarch64-pc-windows-msvc/release/bundle/nsis/*.exe.sig
609-
610578 outputs :
611579 artifact-id : ${{ steps.upload-unsigned.outputs.artifact-id }}
612580
@@ -685,13 +653,101 @@ jobs:
685653 signed-arm64/**/*.msi
686654 signed-arm64/**/*.exe
687655
656+ # Upload signed artifacts for signature regeneration job
657+ - name : Upload signed x64 artifacts
658+ if : needs.build-windows-x64.result == 'success'
659+ uses : actions/upload-artifact@v4
660+ with :
661+ name : signed-x64
662+ path : signed-x64/
663+ retention-days : 1
664+
665+ - name : Upload signed ARM64 artifacts
666+ if : needs.build-windows-arm64.result == 'success'
667+ uses : actions/upload-artifact@v4
668+ with :
669+ name : signed-arm64
670+ path : signed-arm64/
671+ retention-days : 1
672+
673+ regenerate-updater-signatures :
674+ name : Regenerate updater signatures after code signing
675+ needs :
676+ - create-release
677+ - sign-windows
678+ if : |
679+ always() &&
680+ needs.sign-windows.result == 'success'
681+ runs-on : ubuntu-latest
682+ permissions :
683+ contents : write
684+ actions : read
685+ steps :
686+ - uses : actions/checkout@v4
687+
688+ - name : Setup Rust
689+ uses : dtolnay/rust-toolchain@stable
690+
691+ - name : Download signed x64 artifacts
692+ uses : actions/download-artifact@v4
693+ with :
694+ name : signed-x64
695+ path : signed-x64
696+
697+ - name : Download signed ARM64 artifacts
698+ uses : actions/download-artifact@v4
699+ with :
700+ name : signed-arm64
701+ path : signed-arm64
702+
703+ - name : Cache cargo bin (tauri-cli)
704+ uses : actions/cache@v4
705+ with :
706+ path : ~/.cargo/bin
707+ key : cargo-bin-${{ runner.os }}-${{ runner.arch }}-stable-${{ env.TAURI_CLI_VERSION }}-${{ hashFiles('**/Cargo.lock') }}
708+
709+ - name : Install Tauri CLI
710+ run : cargo install tauri-cli --version "${TAURI_CLI_VERSION}" --locked
711+
712+ - name : Re-sign x64 executable
713+ env :
714+ TAURI_SIGNING_PRIVATE_KEY : ${{ secrets.TAURI_SIGNING_PRIVATE_KEY }}
715+ TAURI_SIGNING_PRIVATE_KEY_PASSWORD : ${{ secrets.TAURI_SIGNING_PRIVATE_KEY_PASSWORD }}
716+ run : |
717+ EXE_FILE=$(find signed-x64 -name "*.exe" -type f | head -n 1)
718+ if [[ -n "$EXE_FILE" ]]; then
719+ cargo tauri signer sign -k "$TAURI_SIGNING_PRIVATE_KEY" -p "$TAURI_SIGNING_PRIVATE_KEY_PASSWORD" "$EXE_FILE"
720+ fi
721+
722+ - name : Re-sign ARM64 executable
723+ env :
724+ TAURI_SIGNING_PRIVATE_KEY : ${{ secrets.TAURI_SIGNING_PRIVATE_KEY }}
725+ TAURI_SIGNING_PRIVATE_KEY_PASSWORD : ${{ secrets.TAURI_SIGNING_PRIVATE_KEY_PASSWORD }}
726+ run : |
727+ EXE_FILE=$(find signed-arm64 -name "*.exe" -type f | head -n 1)
728+ if [[ -n "$EXE_FILE" ]]; then
729+ cargo tauri signer sign -k "$TAURI_SIGNING_PRIVATE_KEY" -p "$TAURI_SIGNING_PRIVATE_KEY_PASSWORD" "$EXE_FILE"
730+ fi
731+
732+ - name : Upload updated signatures to GitHub Release
733+ uses : ncipollo/release-action@v1
734+ with :
735+ tag : ${{ needs.create-release.outputs.release_tag }}
736+ allowUpdates : true
737+ omitBodyDuringUpdate : true
738+ omitNameDuringUpdate : true
739+ replacesArtifacts : false
740+ artifacts : |
741+ signed-x64/**/*.sig
742+ signed-arm64/**/*.sig
743+
688744 generate-update-manifest :
689745 name : Generate latest.json for updater
690746 needs :
691747 - create-release
692748 - build-linux
693749 - build-macos
694- - sign-windows
750+ - regenerate-updater-signatures
695751 if : |
696752 always() &&
697753 (startsWith(github.ref, 'refs/tags/v') || github.event_name == 'workflow_dispatch') &&
@@ -806,7 +862,7 @@ jobs:
806862 - create-release
807863 - build-linux
808864 - build-macos
809- - sign-windows
865+ - regenerate-updater-signatures
810866 - generate-update-manifest
811867 if : |
812868 always() &&
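Review bot: The two "Re-sign … executable" steps in the new `regenerate-updater-signatures` job pass the updater private key and its password as `-k`/`-p` arguments, which exposes them in the process argument list, and they exit successfully when `find` returns no `.exe`, so later jobs may run without a fresh `.sig` for the code-signed installer. Both values are already exported through the step's `env`, and as far as I know tauri-cli v2 reads `TAURI_SIGNING_PRIVATE_KEY` and `TAURI_SIGNING_PRIVATE_KEY_PASSWORD` from the environment, so the flags can likely be dropped; confirm this against the pinned `TAURI_CLI_VERSION`. `head -n 1` also picks an arbitrary file when more than one `.exe` is present, so I would require exactly one match and fail otherwise, in both the x64 and ARM64 steps. Separately, this job holds the signing key and `contents: write` while running `dtolnay/rust-toolchain@stable`, `ncipollo/release-action@v1` and a `cargo-tauri` binary restored from `actions/cache`; pinning the actions to commit SHAs and installing the CLI fresh in this job would narrow what can reach the key.

```yaml
      # … unchanged: step name and env block with the two signing secrets …
        run: |
          set -euo pipefail
          mapfile -t exes < <(find signed-x64 -name '*.exe' -type f)
          if [[ "${#exes[@]}" -ne 1 ]]; then
            echo "::error::expected exactly one signed x64 installer, found ${#exes[@]}"
            exit 1
          fi
          # Key and password come from the step environment, not argv.
          cargo tauri signer sign "${exes[0]}"
      # … same change for the ARM64 step, searching signed-arm64 …
```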