Avoid blocked Rust toolchain action

.github/workflows/ci-unix.yml

@@ -11,9 +11,10 @@ jobs:
       - uses: actions/checkout@v6
 
       - name: Install Rust stable (rustfmt, clippy)
-        uses: dtolnay/rust-toolchain@stable
-        with:
-          components: rustfmt, clippy
+        run: |
+          rustup toolchain install stable --profile minimal
+          rustup default stable
+          rustup component add rustfmt clippy --toolchain stable
 
       - name: rustfmt
         run: cargo fmt --all --check

.github/workflows/dotnet-tool.yml

@@ -56,9 +56,10 @@ jobs:
         uses: actions/checkout@v6
 
       - name: Install Rust toolchain
-        uses: dtolnay/rust-toolchain@stable
-        with:
-          targets: ${{ matrix.target }}
+        shell: pwsh
+        run: |
+          rustup toolchain install stable --profile minimal --target "${{ matrix.target }}"
+          rustup default stable
 
       - name: Cache cargo artifacts
         uses: Swatinem/rust-cache@v2.9.1

.github/workflows/parity-extensions.yml

@@ -20,7 +20,11 @@ jobs:
     runs-on: windows-2022
     steps:
       - uses: actions/checkout@v6
-      - uses: dtolnay/rust-toolchain@stable
+      - name: Install Rust toolchain
+        shell: pwsh
+        run: |
+          rustup toolchain install stable --profile minimal
+          rustup default stable
       - run: cargo build -p psign --bin psign-tool
       - name: Bootstrap Devolutions test PKI + pack minimal MSIX
         shell: pwsh
@@ -45,7 +49,11 @@ jobs:
     runs-on: windows-2022
     steps:
       - uses: actions/checkout@v6
-      - uses: dtolnay/rust-toolchain@stable
+      - name: Install Rust toolchain
+        shell: pwsh
+        run: |
+          rustup toolchain install stable --profile minimal
+          rustup default stable
       - run: cargo build -p psign --bin psign-tool
       - name: Catalog verify (Rust)
         shell: pwsh

.github/workflows/rust-sip-parity.yml

@@ -16,7 +16,10 @@ jobs:
       - uses: actions/checkout@v6
 
       - name: Install Rust stable
-        uses: dtolnay/rust-toolchain@stable
+        shell: pwsh
+        run: |
+          rustup toolchain install stable --profile minimal
+          rustup default stable
 
       - name: CMS authenticated-attribute RS256 prehash vs embedded signature (library)
         run: cargo test -p psign-sip-digest --lib rsa_pkcs1v15_signed_attrs_verify --locked
@@ -85,7 +88,10 @@ jobs:
       - uses: actions/checkout@v6
 
       - name: Install Rust stable
-        uses: dtolnay/rust-toolchain@stable
+        shell: pwsh
+        run: |
+          rustup toolchain install stable --profile minimal
+          rustup default stable
 
       - name: SIP digest crate (full portable lib tests)
         run: cargo test -p psign-sip-digest --lib --locked

.github/workflows/windows.yml

@@ -14,7 +14,10 @@ jobs:
       - uses: actions/checkout@v6
 
       - name: Install Rust stable
-        uses: dtolnay/rust-toolchain@stable
+        shell: pwsh
+        run: |
+          rustup toolchain install stable --profile minimal
+          rustup default stable
 
       - name: Build
         run: cargo build --workspace --all-targets

crates/psign-digest-cli/src/main.rs

@@ -4,7 +4,7 @@
 // for formats implemented in `psign-sip-digest`. This does not replace full `psign` verify.
 
 use anyhow::{Context, Result, anyhow};
-#[cfg(any(feature = "azure-kv-sign-portable", feature = "artifact-signing-rest"))]
+#[cfg(feature = "azure-kv-sign-portable")]
 use base64::Engine as _;
 use clap::{Args, Parser, Subcommand, ValueEnum};
 use psign_authenticode_trust::{
@@ -724,7 +724,7 @@ enum Command {
         #[arg(long = "azure-authority")]
         azure_authority: Option<String>,
         #[command(flatten)]
-        artifact_signing: ArtifactSigningPortableOptions,
+        artifact_signing: Box<ArtifactSigningPortableOptions>,
         /// Output signed PE path.
         #[arg(long, value_name = "PATH")]
         output: PathBuf,
@@ -1778,7 +1778,7 @@ fn parse_artifact_signing_certificates(bytes: &[u8]) -> Result<(x509_cert::Certi
             };
             let end = end + "-----END CERTIFICATE-----".len();
             certs.push(
-                rdp::parse_certificate(rest[..end].as_bytes())
+                rdp::parse_certificate(&rest.as_bytes()[..end])
                     .context("parse Artifact Signing PEM certificate")?,
             );
             rest = &rest[end..];
@@ -2344,7 +2344,7 @@ where
                     "portable sign-pe accepts only one signing source: --cert/--key, --azure-key-vault-*, or --artifact-signing-*"
                 ));
             }
-            let mut pkcs7 = if has_artifact {
+            let pkcs7 = if has_artifact {
                 #[cfg(feature = "artifact-signing-rest")]
                 {
                     create_pe_authenticode_pkcs7_der_artifact_signing(
@@ -2437,17 +2437,18 @@ where
                     )
                 })?
             };
-            match (timestamp_url, timestamp_digest) {
+            let pkcs7 = match (timestamp_url, timestamp_digest) {
                 (Some(url), Some(timestamp_digest)) => {
                     #[cfg(feature = "timestamp-http")]
                     {
-                        pkcs7 = timestamp_pkcs7_der_rfc3161(&pkcs7, &url, timestamp_digest)
-                            .with_context(|| {
+                        timestamp_pkcs7_der_rfc3161(&pkcs7, &url, timestamp_digest).with_context(
+                            || {
                                 format!(
                                     "RFC3161 timestamp portable Authenticode signature for {}",
                                     path.display()
                                 )
-                            })?;
+                            },
+                        )?
                     }
                     #[cfg(not(feature = "timestamp-http"))]
                     {
@@ -2467,8 +2468,8 @@ where
                         "portable sign-pe requires --timestamp-url with --timestamp-digest"
                     ));
                 }
-                (None, None) => {}
-            }
+                (None, None) => pkcs7,
+            };
             let signed = pe_embed::pe_append_authenticode_pkcs7_certificate(pe, &pkcs7)
                 .with_context(|| format!("embed Authenticode signature in {}", path.display()))?;
             std::fs::write(&output, signed).with_context(|| format!("write {}", output.display()))?;

src/portable_sign.rs

@@ -477,12 +477,13 @@ fn run_portable_sign_pe_azure_key_vault(
     output: &Path,
     args: &SignArgs,
 ) -> Result<()> {
-    let mut argv = Vec::new();
-    argv.push(OsString::from("psign-tool"));
-    argv.push(OsString::from("sign-pe"));
-    argv.push(target.as_os_str().to_os_string());
-    argv.push(OsString::from("--digest"));
-    argv.push(OsString::from(portable_digest_name(args.digest)?));
+    let mut argv = vec![
+        OsString::from("psign-tool"),
+        OsString::from("sign-pe"),
+        target.as_os_str().to_os_string(),
+        OsString::from("--digest"),
+        OsString::from(portable_digest_name(args.digest)?),
+    ];
     for chain_cert in &args.additional_certs {
         argv.push(OsString::from("--chain-cert"));
         argv.push(chain_cert.as_os_str().to_os_string());
@@ -548,12 +549,13 @@ fn run_portable_sign_pe_artifact_signing(
     output: &Path,
     args: &SignArgs,
 ) -> Result<()> {
-    let mut argv = Vec::new();
-    argv.push(OsString::from("psign-tool"));
-    argv.push(OsString::from("sign-pe"));
-    argv.push(target.as_os_str().to_os_string());
-    argv.push(OsString::from("--digest"));
-    argv.push(OsString::from(portable_digest_name(args.digest)?));
+    let mut argv = vec![
+        OsString::from("psign-tool"),
+        OsString::from("sign-pe"),
+        target.as_os_str().to_os_string(),
+        OsString::from("--digest"),
+        OsString::from(portable_digest_name(args.digest)?),
+    ];
     for chain_cert in &args.additional_certs {
         argv.push(OsString::from("--chain-cert"));
         argv.push(chain_cert.as_os_str().to_os_string());