From def7e3d908b0fe8f388b7b4bdd72e25f66287cdc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tobias=20Nie=C3=9Fen?= Date: Sat, 25 Mar 2023 19:27:46 +0100 Subject: [PATCH] tools: upgrade Windows digital signature to SHA256 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit signtool still defaults to SHA1, which is vulnerable to certain collisions. This switches to SHA256, which is stronger and which also matches the hash function used by the signing certificate. Technically, `/fd certHash` would be a better choice, but I don't know if it is widely supported. PR-URL: https://github.com/nodejs/node/pull/47206 Reviewed-By: Michaƫl Zasso Reviewed-By: Luigi Pinca --- tools/sign.bat | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/sign.bat b/tools/sign.bat index 82daaef575f3e8..fae06583b4923f 100644 --- a/tools/sign.bat +++ b/tools/sign.bat @@ -3,7 +3,7 @@ set timeservers=(http://timestamp.globalsign.com/scripts/timestamp.dll http://timestamp.comodoca.com/authenticode http://timestamp.verisign.com/scripts/timestamp.dll http://tsa.starfieldtech.com) for %%s in %timeservers% do ( - signtool sign /a /d "Node.js" /du "https://nodejs.org" /t %%s %1 + signtool sign /a /d "Node.js" /du "https://nodejs.org" /fd SHA256 /t %%s %1 if not ERRORLEVEL 1 ( echo Successfully signed %1 using timeserver %%s exit /b 0