Skip to content

Commit

Permalink
tools: upgrade Windows digital signature to SHA256
Browse files Browse the repository at this point in the history
signtool still defaults to SHA1, which is vulnerable to certain
collisions. This switches to SHA256, which is stronger and which also
matches the hash function used by the signing certificate.

Technically, `/fd certHash` would be a better choice, but I don't know
if it is widely supported.

PR-URL: #47206
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
  • Loading branch information
tniessen authored and RafaelGSS committed Apr 7, 2023
1 parent 0b78ac5 commit def7e3d
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion tools/sign.bat
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@
set timeservers=(http://timestamp.globalsign.com/scripts/timestamp.dll http://timestamp.comodoca.com/authenticode http://timestamp.verisign.com/scripts/timestamp.dll http://tsa.starfieldtech.com)

for %%s in %timeservers% do (
signtool sign /a /d "Node.js" /du "https://nodejs.org" /t %%s %1
signtool sign /a /d "Node.js" /du "https://nodejs.org" /fd SHA256 /t %%s %1
if not ERRORLEVEL 1 (
echo Successfully signed %1 using timeserver %%s
exit /b 0
Expand Down

0 comments on commit def7e3d

Please sign in to comment.