From 62e7d96fe73e36e8e4d52e3b7c7001b13e5e09a0 Mon Sep 17 00:00:00 2001
From: lincube <lincube3@hotmail.com>
Date: Mon, 20 Apr 2026 09:15:08 +0800
Subject: [PATCH] fix: compare signing keys by SPKI instead of PEM text

---
 .github/workflows/release.yml | 24 ++++++++++++------------
 1 file changed, 12 insertions(+), 12 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 725a662..7cd23b8 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -372,12 +372,12 @@ jobs:
           Set-Content -Path $publicKeyPath -Value $derivedPublicKey -NoNewline
 
           $repoPublicKeyPath = "LanMountainDesktop.Launcher/Assets/public-key.pem"
-          $repoPublicKey = (Get-Content -Path $repoPublicKeyPath -Raw)
-          $normalizePem = {
-            param([string]$pem)
-            return (($pem -replace "`r`n", "`n" -replace "`r", "`n").Trim())
-          }
-          if (& $normalizePem $repoPublicKey -ne (& $normalizePem $derivedPublicKey)) {
+          $repoPublicKeyPem = Get-Content -Path $repoPublicKeyPath -Raw
+          $repoRsa = [System.Security.Cryptography.RSA]::Create()
+          $repoRsa.ImportFromPem($repoPublicKeyPem)
+          $repoSpki = [Convert]::ToBase64String($repoRsa.ExportSubjectPublicKeyInfo())
+          $derivedSpki = [Convert]::ToBase64String($rsa.ExportSubjectPublicKeyInfo())
+          if ($repoSpki -ne $derivedSpki) {
             Write-Error "Configured signing private key does not match $repoPublicKeyPath. Keep keypair consistent before publishing."
             exit 1
           }
@@ -662,12 +662,12 @@ jobs:
           Set-Content -Path $publicKeyPath -Value $derivedPublicKey -NoNewline
 
           $repoPublicKeyPath = "LanMountainDesktop.Launcher/Assets/public-key.pem"
-          $repoPublicKey = (Get-Content -Path $repoPublicKeyPath -Raw)
-          $normalizePem = {
-            param([string]$pem)
-            return (($pem -replace "`r`n", "`n" -replace "`r", "`n").Trim())
-          }
-          if (& $normalizePem $repoPublicKey -ne (& $normalizePem $derivedPublicKey)) {
+          $repoPublicKeyPem = Get-Content -Path $repoPublicKeyPath -Raw
+          $repoRsa = [System.Security.Cryptography.RSA]::Create()
+          $repoRsa.ImportFromPem($repoPublicKeyPem)
+          $repoSpki = [Convert]::ToBase64String($repoRsa.ExportSubjectPublicKeyInfo())
+          $derivedSpki = [Convert]::ToBase64String($rsa.ExportSubjectPublicKeyInfo())
+          if ($repoSpki -ne $derivedSpki) {
             Write-Error "Configured signing private key does not match $repoPublicKeyPath. Keep keypair consistent before publishing."
             exit 1
           }