diff --git a/.gitea/workflows/cicd.yaml b/.gitea/workflows/cicd.yaml
index 22adccb..b17f3fe 100644
--- a/.gitea/workflows/cicd.yaml
+++ b/.gitea/workflows/cicd.yaml
@@ -96,19 +96,30 @@ jobs:
         shell: bash
         run: |
           set -euo pipefail
-          
+
           apt-get update
-          apt-get install -y --no-install-recommends openssh-client ca-certificates
-          
+          apt-get install -y --no-install-recommends openssh-client
+
           mkdir -p ~/.ssh
           chmod 700 ~/.ssh
-          
-          printf '%s' "${{ secrets.SSH_PRIVATE_KEY_B64 }}" | base64 -d > ~/.ssh/id_ed25519
+
+          # 1) Prende il secret base64 e rimuove spazi/newline/CR
+          printf '%s' "${{ secrets.SSH_PRIVATE_KEY_B64 }}" | tr -d '\r\n\t ' > /tmp/key.b64
+
+          # 2) (debug sicuro) stampa solo la lunghezza della base64
+          echo "b64_len=$(wc -c < /tmp/key.b64)"
+
+          # 3) Decodifica in chiave privata
+          base64 -d /tmp/key.b64 > ~/.ssh/id_ed25519
+
+          # 4) Rimuove eventuali CRLF dentro la chiave (se proviene da Windows)
+          tr -d '\r' < ~/.ssh/id_ed25519 > ~/.ssh/id_ed25519.clean
+          mv ~/.ssh/id_ed25519.clean ~/.ssh/id_ed25519
           chmod 600 ~/.ssh/id_ed25519
-          
-          # Debug sicuro: stampa solo la prima riga (non rivela la chiave)
-          head -n 1 ~/.ssh/id_ed25519
-          
+
+          # 5) Validazione: se fallisce qui, la chiave NON è valida/corrotta
+          ssh-keygen -y -f ~/.ssh/id_ed25519 >/dev/null
+
           ssh-keyscan -H "${{ secrets.SERVER_HOST }}" >> ~/.ssh/known_hosts 2>/dev/null
-          
+
           ssh -i ~/.ssh/id_ed25519 -o BatchMode=yes "${{ secrets.SERVER_USER }}@${{ secrets.SERVER_HOST }}" "${{ env.ENV }}"