From 8570c1eb534bbcc8ae34f8948ce27f1cb832ac8d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tobias=20Nie=C3=9Fen?= <tniessen@tnie.de>
Date: Tue, 21 Mar 2023 23:09:02 +0100
Subject: [PATCH] tools: upgrade Windows digital signature to SHA256

signtool still defaults to SHA1, which is vulnerable to certain
collisions. This switches to SHA256, which is stronger and which also
matches the hash function used by the signing certificate.

Technically, `/fd certHash` would be a better choice, but I don't know
if it is widely supported.
---
 tools/sign.bat | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tools/sign.bat b/tools/sign.bat
index 82daaef575f3e8..fae06583b4923f 100644
--- a/tools/sign.bat
+++ b/tools/sign.bat
@@ -3,7 +3,7 @@
 set timeservers=(http://timestamp.globalsign.com/scripts/timestamp.dll http://timestamp.comodoca.com/authenticode http://timestamp.verisign.com/scripts/timestamp.dll http://tsa.starfieldtech.com)
 
 for %%s in %timeservers% do (
-    signtool sign /a /d "Node.js" /du "https://nodejs.org" /t %%s %1
+    signtool sign /a /d "Node.js" /du "https://nodejs.org" /fd SHA256 /t %%s %1
     if not ERRORLEVEL 1 (
         echo Successfully signed %1 using timeserver %%s
         exit /b 0