fix: compare signing keys by SPKI instead of PEM text

2026-06-22 09:14:25 +08:00 · 2026-04-20 09:15:08 +08:00
parent c5ef418bd9
commit 62e7d96fe7
1 changed files with 12 additions and 12 deletions
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -372,12 +372,12 @@ jobs:
          Set-Content -Path $publicKeyPath -Value $derivedPublicKey -NoNewline
          $repoPublicKeyPath = "LanMountainDesktop.Launcher/Assets/public-key.pem"
-          $repoPublicKey = (Get-Content -Path $repoPublicKeyPath -Raw)
+          $repoPublicKeyPem = Get-Content -Path $repoPublicKeyPath -Raw
-          $normalizePem = {
+          $repoRsa = [System.Security.Cryptography.RSA]::Create()
-            param([string]$pem)
+          $repoRsa.ImportFromPem($repoPublicKeyPem)
-            return (($pem -replace "`r`n", "`n" -replace "`r", "`n").Trim())
+          $repoSpki = [Convert]::ToBase64String($repoRsa.ExportSubjectPublicKeyInfo())
-          }
+          $derivedSpki = [Convert]::ToBase64String($rsa.ExportSubjectPublicKeyInfo())
-          if (& $normalizePem $repoPublicKey -ne (& $normalizePem $derivedPublicKey)) {
+          if ($repoSpki -ne $derivedSpki) {
            Write-Error "Configured signing private key does not match $repoPublicKeyPath. Keep keypair consistent before publishing."
            exit 1
          }
@@ -662,12 +662,12 @@ jobs:
          Set-Content -Path $publicKeyPath -Value $derivedPublicKey -NoNewline
          $repoPublicKeyPath = "LanMountainDesktop.Launcher/Assets/public-key.pem"
-          $repoPublicKey = (Get-Content -Path $repoPublicKeyPath -Raw)
+          $repoPublicKeyPem = Get-Content -Path $repoPublicKeyPath -Raw
-          $normalizePem = {
+          $repoRsa = [System.Security.Cryptography.RSA]::Create()
-            param([string]$pem)
+          $repoRsa.ImportFromPem($repoPublicKeyPem)
-            return (($pem -replace "`r`n", "`n" -replace "`r", "`n").Trim())
+          $repoSpki = [Convert]::ToBase64String($repoRsa.ExportSubjectPublicKeyInfo())
-          }
+          $derivedSpki = [Convert]::ToBase64String($rsa.ExportSubjectPublicKeyInfo())
-          if (& $normalizePem $repoPublicKey -ne (& $normalizePem $derivedPublicKey)) {
+          if ($repoSpki -ne $derivedSpki) {
            Write-Error "Configured signing private key does not match $repoPublicKeyPath. Keep keypair consistent before publishing."
            exit 1
          }