From ef0f66dd0309d4400d537e6cb64edbc3ca404839 Mon Sep 17 00:00:00 2001
From: Alex Chapin
Date: Tue, 13 Jan 2026 14:23:44 -0500
Subject: [PATCH] fix: Use unique zip filename for Windows signing and verify result

Prevent caching issues by appending github.sha to the zip filename sent to the signing service. Also add verification to ensure the signed artifact matches the expected filename, renaming it if necessary.
---
 .github/workflows/full-build.yml | 29 +++++++++++++++++++++++++++--
 1 file changed, 27 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/full-build.yml b/.github/workflows/full-build.yml
index a0e1733c55..7ba3e31f97 100644
--- a/.github/workflows/full-build.yml
+++ b/.github/workflows/full-build.yml
@@ -1614,12 +1614,17 @@ jobs:
 Write-Host "Signing Final Installer"
 Write-Host "------------------------------------------------------------"
- $installerZip = "installer_to_sign.zip"
- $signedInstallerZip = "installer_to_sign.signed.zip"
+ $installerZip = "installer_to_sign_${{ github.sha }}.zip"
+ $signedInstallerZip = "installer_to_sign_${{ github.sha }}.signed.zip"
 $installers = Get-ChildItem -Filter "OpenStudio-*.exe"
 if ($installers.Count -gt 0) {
 Write-Host "Found installer(s): $($installers.Name)"
+
+ # Calculate hash of original installer before compression
+ $originalHash = (Get-FileHash -Path $installers[0].FullName -Algorithm SHA256).Hash
+ Write-Host "Original installer hash (SHA256): $originalHash"
+
 Compress-Archive -Path $installers.FullName -DestinationPath $installerZip -Force
 Write-Host "Sending installer for signing..."
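Review bot: `$originalHash` is computed from `$installers[0]` and printed, but nothing in this hunk or the next one compares it with anything, so it is a log line rather than a check. It also covers only the first match of `OpenStudio-*.exe`, while `Compress-Archive` sends every match to the signing service, and the later verification again looks only at `$installers[0]` and `$extractedFiles[0]`. If exactly one installer is expected, fail early with `if ($installers.Count -ne 1) { Write-Host "::error::Expected one installer, found $($installers.Count)"; exit 1 }`; otherwise hash each file in a loop. The `if ($installers.Count -gt 0) {` block continues outside the hunk.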
@@ -1630,6 +1635,26 @@ jobs:
 if (-not (Test-Path signed)) { New-Item -ItemType Directory -Path signed | Out-Null }
 Expand-Archive -Path $signedInstallerZip -DestinationPath signed -Force
+ # Verify the extracted file exists and matches expected name
+ $extractedFiles = Get-ChildItem -Path signed -Filter "*.exe"
+ if ($extractedFiles.Count -eq 0) {
+ Write-Host "::error::No EXE file found in signed archive!"
+ exit 1
+ }
+
+ $extractedFile = $extractedFiles[0]
+ $expectedName = $installers[0].Name
+ if ($extractedFile.Name -ne $expectedName) {
+ Write-Host "::warning::Signed file name mismatch!"
+ Write-Host " Expected: $expectedName"
+ Write-Host " Got: $($extractedFile.Name)"
+
+ # Rename to match the original filename to prevent distributing misnamed file
+ $newPath = Join-Path -Path signed -ChildPath $expectedName
+ Rename-Item -Path $extractedFile.FullName -NewName $newPath -Force
+ Write-Host " Renamed to match original: $expectedName"
+ }
+
 # Cleanup
 Remove-Item $installerZip -Force
 Remove-Item $signedInstallerZip -Force
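Review bot: A name mismatch on the file returned by the signing service is only a warning, and the rename then publishes that file under the expected name; if the service returned a stale or different build (the caching problem this commit targets), the rename hides it, so this branch should `exit 1` instead. Nothing here checks that the EXE is actually signed; add `if ((Get-AuthenticodeSignature $extractedFile.FullName).Status -ne 'Valid') { Write-Host "::error::Signed installer has no valid Authenticode signature"; exit 1 }`, after confirming which status to expect, since it presumably depends on the runner trusting the certificate chain. If the rename is kept, `-NewName` is documented to take a name rather than a path, so pass `$expectedName` instead of `$newPath`. The enclosing block starts outside the hunk.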