fix(sign-windows): pin SSD 2.9.14, dismiss version-check modal, add CI screenshots

Root cause: a 'Newer application version is available (2.9.14)' modal began popping in front of the login form between v0.14.1 and v0.15.0, stole focus from xdotool, and left the OAuth WebKit panel without cached credentials. Pin to 2.9.14-9.4.3.0, dismiss any future version-check modal defensively, and add a screenshot/window-enumeration loop with an if: failure() artifact upload so the next regression is visible instead of invisible.

Author: m3nu

.github/workflows/release.yml

@@ -380,6 +380,13 @@ jobs:
           scripts/windows-sign.sh dist/unsigned/*.exe
           rm -f "$ARCHIVE"
           cd dist && zip -j "$(basename "$ARCHIVE" .zip).zip" unsigned/*.exe && cd ..
+      - name: Upload sign-windows screenshots
+        if: failure()
+        uses: actions/upload-artifact@v4
+        with:
+          name: sign-windows-screens
+          path: /tmp/sign-screens/
+          if-no-files-found: ignore
       - uses: actions/upload-artifact@v4
         if: env.HAS_SIGNING != ''
         with:

scripts/windows-sign.sh

@@ -32,20 +32,29 @@ for f in "$@"; do
     fi
 done
 
+dump_windows() {
+    echo "==> X11 windows snapshot:"
+    for wid in $(xdotool search --name "" 2>/dev/null); do
+        local name
+        name=$(xdotool getwindowname "$wid" 2>/dev/null || true)
+        [[ -n "$name" ]] && echo "    wid=$wid name='$name'"
+    done
+}
+
 # --- Install dependencies ---
 
 echo "==> Installing dependencies..."
 sudo apt-get update -qq
 sudo apt-get install -y -qq \
-    xvfb xdotool oathtool osslsigncode \
+    xvfb xdotool oathtool osslsigncode scrot \
     p11-kit opensc stalonetray \
     libpulse-mainloop-glib0 libxss1 libnss3 libxkbcommon0 \
     > /dev/null 2>&1
 echo "==> Dependencies installed"
 
 # --- Install SimplySign Desktop ---
 
-SSD_URL="https://files.certum.eu/software/SimplySignDesktop/Linux-Ubuntu/2.9.13-9.4.2.0/SimplySignDesktop-2.9.13-9.4.2.0-x86_64-prod-ubuntu.bin"
+SSD_URL="https://files.certum.eu/software/SimplySignDesktop/Linux-Ubuntu/2.9.14-9.4.3.0/SimplySignDesktop-2.9.14-9.4.3.0-x86_64-prod-ubuntu.bin"
 SSD_DIR="/opt/SimplySignDesktop"
 
 if [[ ! -d "$SSD_DIR" ]]; then
@@ -92,6 +101,14 @@ XVFB_PID=$!
 export DISPLAY=:99
 sleep 2
 
+mkdir -p /tmp/sign-screens
+( while true; do
+    scrot -o "/tmp/sign-screens/$(date +%s.%N).png" 2>/dev/null
+    sleep 2
+  done ) &
+SCROT_PID=$!
+trap "kill $SCROT_PID 2>/dev/null || true" EXIT
+
 stalonetray --geometry 1x1+0+0 --grow-gravity W &
 sleep 1
 
@@ -101,6 +118,20 @@ echo "==> Launching SimplySign Desktop..."
 "$SSD_EXE" &
 SSD_PID=$!
 sleep 8
+dump_windows
+
+# Dismiss "Newer application version is available" modal if it appeared.
+# It steals focus from the login form; if SSD ever falls behind Certum's
+# advertised version again we still want signing to proceed.
+VERSION_MODAL=$(xdotool search --name "Application version check" 2>/dev/null | head -1 || true)
+if [[ -n "$VERSION_MODAL" ]]; then
+    echo "==> Dismissing version-check modal (wid=$VERSION_MODAL)"
+    xdotool windowactivate --sync "$VERSION_MODAL" 2>/dev/null || true
+    sleep 0.5
+    xdotool key --window "$VERSION_MODAL" Escape
+    sleep 1
+    dump_windows
+fi
 
 echo "==> Searching for login window..."
 WINDOW_ID=$(timeout 30 xdotool search --sync --onlyvisible --name "SimplySign" 2>/dev/null | head -1 || true)
@@ -121,6 +152,8 @@ fi
 xdotool windowactivate --sync "$WINDOW_ID" 2>/dev/null || true
 sleep 1
 
+dump_windows
+
 # Generate TOTP right before typing to avoid expiration
 TOTP=$(oathtool --totp=sha256 -b --digits=6 "$CERTUM_TOTP_SECRET")
 
@@ -172,6 +205,7 @@ if [[ "$TOKEN_READY" != "true" ]]; then
     exit 1
 fi
 echo "==> PKCS#11 token available"
+dump_windows
 
 # --- Start p11-kit server ---
 
@@ -211,6 +245,7 @@ echo "==> Key alias: $KEY_ALIAS"
 
 for f in "$@"; do
     echo "==> Signing $f..."
+    dump_windows
 
     java -jar "$JSIGN_JAR" \
         --storetype PKCS11 \