From 6311de332223e855e7f1ce03b7c920f51f308e95 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tobias=20Nie=C3=9Fen?=
Date: Sat, 25 Mar 2023 19:27:46 +0100
Subject: [PATCH] tools: upgrade Windows digital signature to SHA256
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

signtool still defaults to SHA1, which is vulnerable to certain collisions. This switches to SHA256, which is stronger and which also matches the hash function used by the signing certificate. Technically, `/fd certHash` would be a better choice, but I don't know if it is widely supported.

PR-URL: https://github.com/nodejs/node/pull/47206
Reviewed-By: Michaƫl Zasso
Reviewed-By: Luigi Pinca
---
 tools/sign.bat | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tools/sign.bat b/tools/sign.bat
index 82daaef575f3e8..fae06583b4923f 100644
--- a/tools/sign.bat
+++ b/tools/sign.bat
@@ -3,7 +3,7 @@
 set timeservers=(http://timestamp.globalsign.com/scripts/timestamp.dll http://timestamp.comodoca.com/authenticode http://timestamp.verisign.com/scripts/timestamp.dll http://tsa.starfieldtech.com)
 for %%s in %timeservers% do (
- signtool sign /a /d "Node.js" /du "https://nodejs.org" /t %%s %1
+ signtool sign /a /d "Node.js" /du "https://nodejs.org" /fd SHA256 /t %%s %1
 if not ERRORLEVEL 1 (
 echo Successfully signed %1 using timeserver %%s
 exit /b 0
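Review bot: The changed `signtool sign` line still requests its timestamp with `/t`, the legacy Authenticode protocol, so `/fd SHA256` upgrades only the file digest while the timestamp countersignature is presumably still SHA-1 based. signtool's RFC 3161 options would close that gap: `signtool sign /a /d "Node.js" /du "https://nodejs.org" /fd SHA256 /tr %%s /td SHA256 %1`. The URLs in `timeservers` look like Authenticode-style endpoints, so they would need to be checked for RFC 3161 support (or replaced) before making that switch. A `rem` line above the call, e.g. `rem signtool defaults to SHA1 for the file digest; pin SHA256 explicitly`, would record why the flag is there. The `for` block continues past the end of the hunk.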