diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index f6b300a1..9ccf408f 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -360,6 +360,7 @@ jobs: path: artifacts pattern: java-bindings-* - name: Import PGP key + id: import_gpg uses: crazy-max/ghaction-import-gpg@v7 with: gpg_private_key: ${{ secrets.SFIO_PGP_PRIVATE_KEY }} @@ -389,10 +390,12 @@ jobs: cp java-bindings-jar/rodbus-${{github.ref_name}}-sources.jar io/stepfunc/rodbus/${{github.ref_name}}/ cp java-bindings-jar/rodbus-${{github.ref_name}}-javadoc.jar io/stepfunc/rodbus/${{github.ref_name}}/ - # Sign all files + # Sign all files. v7 of ghaction-import-gpg does not configure a default + # signing key, so select it explicitly by fingerprint (the action's + # recommended user ID) to avoid "no default secret key" errors. cd io/stepfunc/rodbus/${{github.ref_name}} for file in *.jar *.pom; do - gpg --batch --yes --pinentry-mode loopback --passphrase "${{ secrets.SFIO_PGP_PRIVATE_KEY_PASSPHRASE }}" --armor --detach-sign "$file" + gpg --batch --yes --pinentry-mode loopback --local-user "${{ steps.import_gpg.outputs.fingerprint }}" --passphrase "${{ secrets.SFIO_PGP_PRIVATE_KEY_PASSPHRASE }}" --armor --detach-sign "$file" done # Generate checksums 
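Review bot: The new `gpg` line in the signing loop still splices `${{ secrets.SFIO_PGP_PRIVATE_KEY_PASSPHRASE }}` into the script text and passes it with `--passphrase`, so the passphrase sits on gpg's command line and any quote, `$` or backtick in it would change the command the shell runs. The added `${{ steps.import_gpg.outputs.fingerprint }}` is inlined the same way. Expose both through the step's `env:` (the step header is outside this hunk; the variable names here are examples) and feed the passphrase on stdin: `gpg --batch --yes --pinentry-mode loopback --local-user "$GPG_FINGERPRINT" --passphrase-fd 0 --armor --detach-sign "$file" <<<"$GPG_PASSPHRASE"`. The new comment ties this behaviour to v7 of the action, yet `uses: crazy-max/ghaction-import-gpg@v7` follows a movable tag in a step that receives the private key; pinning it to a full commit SHA would keep both the behaviour and the key handling fixed.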
@@ -469,10 +472,14 @@ jobs: - name: Publish to crates.io shell: bash run: | - # Check if version already exists on crates.io + # Authoritative existence check via the sparse index (the same source + # cargo reads) so re-running the release is idempotent. Each line is one + # published version as compact JSON. This avoids the crates.io web API, + # which 403s on default curl User-Agents. If the version is absent we + # publish, and any cargo failure is a genuine failure. VERSION=${{github.ref_name}} - if curl -f -s "https://crates.io/api/v1/crates/rodbus/$VERSION" > /dev/null 2>&1; then - echo "✅ rodbus $VERSION already published to crates.io - skipping" + if curl -sf "https://index.crates.io/ro/db/rodbus" | grep -qF "\"vers\":\"$VERSION\""; then + echo "✅ rodbus $VERSION already on crates.io - skipping" else echo "Publishing rodbus $VERSION to crates.io..." cargo publish -p rodbus --token ${{ secrets.CRATES_PUBLISH_TOKEN }}
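Review bot: A failed index download is indistinguishable from "version absent" in the new `if curl -sf … | grep -qF …` test, because a curl error leaves grep with no input and the script drops into the publish branch. The comment calls the check authoritative, but on a re-run with the index unreachable the job would attempt `cargo publish` for a version that already exists and fail there. Fetching into a variable first and stopping on a fetch error keeps the two cases apart; this assumes the crate already has an index entry, since `curl -f` also fails on a 404. Separately, the unchanged `--token ${{ secrets.CRATES_PUBLISH_TOKEN }}` puts the token on cargo's command line, and cargo reads it from the `CARGO_REGISTRY_TOKEN` environment variable as well. The closing `fi` lies outside the hunk.

```yaml
run: |
  # … unchanged: comment block and VERSION assignment …
  # Fetch first so a failed download is not read as "version absent".
  if ! index=$(curl -sf --retry 3 "https://index.crates.io/ro/db/rodbus"); then
    echo "could not read the crates.io sparse index" >&2
    exit 1
  fi
  if grep -qF "\"vers\":\"$VERSION\"" <<<"$index"; then
    echo "✅ rodbus $VERSION already on crates.io - skipping"
  else
    # … unchanged: publish branch …
```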