Skip to content

Commit

Permalink
win,tools: upgrade Windows signing to smctl
Browse files Browse the repository at this point in the history
As a part of the new signing requrements for Windows change approach to
use the DigiCert cloud HSM service KeyLocker.

PR-URL: #50956
Fixes: nodejs/build#3491
Reviewed-By: Richard Lau <[email protected]>
Reviewed-By: Michael Dawson <[email protected]>
  • Loading branch information
StefanStojanovic authored and marco-ippolito committed Feb 12, 2024
1 parent f31d47e commit b90804b
Showing 1 changed file with 9 additions and 12 deletions.
21 changes: 9 additions & 12 deletions tools/sign.bat
Original file line number Diff line number Diff line change
@@ -1,15 +1,12 @@
@echo off

set timeservers=(http://timestamp.globalsign.com/scripts/timestamp.dll http://timestamp.comodoca.com/authenticode http://timestamp.verisign.com/scripts/timestamp.dll http://tsa.starfieldtech.com)

for %%s in %timeservers% do (
signtool sign /a /d "Node.js" /du "https://nodejs.org" /fd SHA256 /t %%s %1
if not ERRORLEVEL 1 (
echo Successfully signed %1 using timeserver %%s
exit /b 0
)
echo Signing %1 failed using %%s
@REM From December 2023, new certificates use DigiCert cloud HSM service for EV signing.
@REM They provide a client side app smctl.exe for managing certificates and signing process.
@REM Release CI machines are configured to have it in the PATH so this can be used safely.
smctl sign -k key_nodejs -i %1
if not ERRORLEVEL 1 (
echo Successfully signed %1 using smctl
exit /b 0
)

echo Could not sign %1 using any available timeserver
exit /b 1
echo Could not sign %1 using smctl
exit /b 1

0 comments on commit b90804b

Please sign in to comment.