Skip to content

Commit

Permalink
tools: upgrade Windows digital signature to SHA256
Browse files Browse the repository at this point in the history
signtool still defaults to SHA1, which is vulnerable to certain
collisions. This switches to SHA256, which is stronger and which also
matches the hash function used by the signing certificate.

Technically, `/fd certHash` would be a better choice, but I don't know
if it is widely supported.

PR-URL: #47206
Reviewed-By: Michaël Zasso <[email protected]>
Reviewed-By: Luigi Pinca <[email protected]>
  • Loading branch information
tniessen authored and danielleadams committed Jul 6, 2023
1 parent d15f522 commit 9781185
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion tools/sign.bat
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@
set timeservers=(http://timestamp.globalsign.com/scripts/timestamp.dll http://timestamp.comodoca.com/authenticode http://timestamp.verisign.com/scripts/timestamp.dll http://tsa.starfieldtech.com)

for %%s in %timeservers% do (
signtool sign /a /d "Node.js" /du "https://nodejs.org" /t %%s %1
signtool sign /a /d "Node.js" /du "https://nodejs.org" /fd SHA256 /t %%s %1
if not ERRORLEVEL 1 (
echo Successfully signed %1 using timeserver %%s
exit /b 0
Expand Down

0 comments on commit 9781185

Please sign in to comment.