From 08e39aa9a5bca1f08f6105e0cb7ed181a8bc0c4f Mon Sep 17 00:00:00 2001
From: Sergey Chernyshev
Date: Thu, 25 Apr 2024 04:28:52 +0200
Subject: [PATCH] win,tools: upgrade Windows signing to smctl

As a part of the new signing requrements for Windows change approach to use the DigiCert cloud HSM service KeyLocker.

PR-URL: https://github.com/nodejs/node/pull/50956
Fixes: https://github.com/nodejs/build/issues/3491
Reviewed-By: Richard Lau
Reviewed-By: Michael Dawson
---
 graal-nodejs/tools/sign.bat | 21 +++++++++------------
 1 file changed, 9 insertions(+), 12 deletions(-)

diff --git a/graal-nodejs/tools/sign.bat b/graal-nodejs/tools/sign.bat
index fae06583b49..f4d18d9f7a8 100644
--- a/graal-nodejs/tools/sign.bat
+++ b/graal-nodejs/tools/sign.bat
@@ -1,15 +1,12 @@
 @echo off
-set timeservers=(http://timestamp.globalsign.com/scripts/timestamp.dll http://timestamp.comodoca.com/authenticode http://timestamp.verisign.com/scripts/timestamp.dll http://tsa.starfieldtech.com)
-
-for %%s in %timeservers% do (
- signtool sign /a /d "Node.js" /du "https://nodejs.org" /fd SHA256 /t %%s %1
- if not ERRORLEVEL 1 (
- echo Successfully signed %1 using timeserver %%s
- exit /b 0
- )
- echo Signing %1 failed using %%s
+@REM From December 2023, new certificates use DigiCert cloud HSM service for EV signing.
+@REM They provide a client side app smctl.exe for managing certificates and signing process.
+@REM Release CI machines are configured to have it in the PATH so this can be used safely.
+smctl sign -k key_nodejs -i %1
+if not ERRORLEVEL 1 (
+ echo Successfully signed %1 using smctl
+ exit /b 0
 )
-
-echo Could not sign %1 using any available timeserver
-exit /b 1
+echo Could not sign %1 using smctl
+exit /b 1
\ No newline at end of file
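Review bot: The new `smctl sign -k key_nodejs -i %1` line drops the `/t <timeserver>`, `/fd SHA256`, `/d` and `/du` arguments of the removed signtool call without passing any replacement, and the script's only success signal is now smctl's exit status. If smctl does not countersign with a timestamp by default, the Authenticode signature stops validating once the EV certificate expires, and a tool that exits 0 on a failed or untimestamped sign would let an unsigned installer through under a "Successfully signed" message; I could not confirm smctl's defaults or exit codes from this diff, so this is worth checking against the DigiCert documentation. I would add an independent post-sign check with `signtool verify /pa /v %1` (its verbose output also shows whether a timestamp is present) and report success only when that passes, as below. Quoting the path as `"%1"` would additionally let it carry spaces, though that is inherited from the old line rather than introduced here.
```batch
smctl sign -k key_nodejs -i %1
if not ERRORLEVEL 1 (
  @REM Do not rely on the tool's exit status alone: confirm the file now carries a valid, timestamped signature.
  signtool verify /pa /v %1
  if not ERRORLEVEL 1 (
    echo Successfully signed %1 using smctl
    exit /b 0
  )
)
@REM ... unchanged: failure message and exit /b 1 ...
```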