tools: upgrade Windows digital signature to SHA256

signtool still defaults to SHA1, which is vulnerable to certain collisions. This switches to SHA256, which is stronger and which also matches the hash function used by the signing certificate. Technically, `/fd certHash` would be a better choice, but I don't know if it is widely supported. PR-URL: #47206 Reviewed-By: Michaël Zasso <targos@protonmail.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
nodejs · Apr 7, 2023 · def7e3d · def7e3d
1 parent 0b78ac5
commit def7e3d
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/tools/sign.bat b/tools/sign.bat
@@ -3,7 +3,7 @@
 set timeservers=(http://timestamp.globalsign.com/scripts/timestamp.dll http://timestamp.comodoca.com/authenticode http://timestamp.verisign.com/scripts/timestamp.dll http://tsa.starfieldtech.com)
 
 for %%s in %timeservers% do (
-    signtool sign /a /d "Node.js" /du "https://nodejs.org" /t %%s %1
+    signtool sign /a /d "Node.js" /du "https://nodejs.org" /fd SHA256 /t %%s %1
     if not ERRORLEVEL 1 (
         echo Successfully signed %1 using timeserver %%s
         exit /b 0