Add certificates diagnostics for troubleshooting

Author: rekhoff

.github/workflows/package.yml

@@ -101,6 +101,22 @@ jobs:
         run: |
           cargo build --release --target ${{ matrix.target }} -p spacetimedb-cli -p spacetimedb-standalone -p spacetimedb-update
 
+      - name: List synced certificates (diagnostic)
+        if: ${{ runner.os == 'Windows' && startsWith(github.ref, 'refs/tags/') }}
+        shell: pwsh
+        env:
+          SM_HOST: ${{ vars.SM_HOST }}
+          SM_API_KEY: ${{ secrets.SM_API_KEY }}
+          SM_CLIENT_CERT_FILE: D:\Certificate_pkcs12.p12
+          SM_CLIENT_CERT_PASSWORD: ${{ secrets.SM_CLIENT_CERT_PASSWORD }}
+        run: |
+          Write-Host "=== Certificates in CurrentUser\My ==="
+          Get-ChildItem Cert:\CurrentUser\My | Format-Table Subject, Thumbprint, NotAfter -AutoSize
+          Write-Host "=== Certificates in LocalMachine\My ==="
+          Get-ChildItem Cert:\LocalMachine\My | Format-Table Subject, Thumbprint, NotAfter -AutoSize
+          Write-Host "=== smctl keypair list ==="
+          smctl keypair ls
+
       - name: Sign binaries for Windows
         if: ${{ runner.os == 'Windows' && startsWith(github.ref, 'refs/tags/') }}
         shell: pwsh
@@ -111,22 +127,27 @@ jobs:
           SM_CLIENT_CERT_PASSWORD: ${{ secrets.SM_CLIENT_CERT_PASSWORD }}
           DIGICERT_KEYPAIR_ALIAS: ${{ secrets.DIGICERT_KEYPAIR_ALIAS }}
         run: |
-          $ErrorActionPreference = 'Continue'
+          $ErrorActionPreference = 'Stop'
           $targetDir = Join-Path $env:GITHUB_WORKSPACE 'target\x86_64-pc-windows-msvc\release'
-          $failed = $false
+
+          # Find the code signing certificate synced from DigiCert
+          $cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert | Select-Object -First 1
+          if (-not $cert) {
+            $cert = Get-ChildItem Cert:\LocalMachine\My -CodeSigningCert | Select-Object -First 1
+          }
+          if (-not $cert) {
+            throw "No code signing certificate found in certificate store"
+          }
+          $thumbprint = $cert.Thumbprint
+          Write-Host "Using certificate: $($cert.Subject) [$thumbprint]"
+
           foreach ($exe in @('spacetimedb-update.exe','spacetimedb-cli.exe','spacetimedb-standalone.exe')) {
             $path = Join-Path $targetDir $exe
             Write-Host "Signing $exe..."
-            & smctl sign --verbose --keypair-alias $env:DIGICERT_KEYPAIR_ALIAS --input $path 2>&1 | Tee-Object -Variable output
-            $output = $output -join "`n"
-            if ($output -match 'FAILED') {
-              Write-Host "::error::$exe signing FAILED"
-              $failed = $true
-            } else {
-              Write-Host "$exe signed successfully"
-            }
+            & signtool.exe sign /sha1 $thumbprint /tr http://timestamp.digicert.com /td SHA256 /fd SHA256 $path
+            if ($LASTEXITCODE -ne 0) { throw "Signing failed for $exe (exit code $LASTEXITCODE)" }
+            Write-Host "$exe signed successfully"
           }
-          if ($failed) { exit 1 }
 
       - name: Verify signatures
         if: ${{ runner.os == 'Windows' && startsWith(github.ref, 'refs/tags/') }}