fix: tolerate CI self-signed signtool verification

Author: SpeechlessPanda

.github/workflows/release-windows.yml

@@ -203,7 +203,24 @@ jobs:
           $signTool = Get-ChildItem "C:\Program Files (x86)\Windows Kits\10\bin" -Recurse -Filter signtool.exe |
             Sort-Object FullName -Descending | Select-Object -First 1
           if (-not $signTool) { throw "signtool.exe not found" }
-          & $signTool.FullName verify /pa /v $exe.FullName
+
+          $verifyOutput = & $signTool.FullName verify /pa /v $exe.FullName 2>&1
+          $verifyText = ($verifyOutput | Out-String)
+          $verifyExitCode = $LASTEXITCODE
+          Write-Host $verifyText
+
+          if ($verifyExitCode -eq 0) {
+            Write-Host "signtool verify: OK"
+            exit 0
+          }
+
+          if ($verifyText -match 'terminated in a root\s+certificate which is not trusted by the trust provider') {
+            Write-Warning "signtool verify reported an untrusted root certificate. This is expected for self-signed CI certificates; continuing."
+            Write-Host "::warning::SignTool reported an untrusted root certificate. Treating as expected for CI self-signed certs."
+            exit 0
+          }
+
+          throw "signtool verify failed with exit code $verifyExitCode"
 
       - name: Upload release artifacts for audit
         uses: actions/upload-artifact@v4

docs/guides/release-signing-auto-update.md

@@ -116,7 +116,7 @@ pnpm run release
      - 校验 tag 与 `package.json` 版本一致
      - 还原签名证书并校验 `verify:windows-signing-env`
      - 执行 `pnpm run release`（内含 `verify:release`）
-     - 对产物执行 `signtool verify`
+   - 对产物执行 `signtool verify`（自签名 CI 证书触发“不受信任根证书”时降级为 warning，不阻断发布）
      - 上传产物并生成 provenance attestation
 
 发布前脚本链路（当前）：