win,tools: use Azure Trusted Signing

PR-URL: https://github.com/nodejs/node/pull/58502 Refs: https://github.com/nodejs/build/issues/4036 Reviewed-By: Richard Lau <rlau@redhat.com> Reviewed-By: Michael Dawson <midawson@redhat.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
2025-06-05 16:41:58 +02:00 · 2025-06-05 16:41:58 +02:00 · 539df8e98d
commit 539df8e98d
parent e8a0f5b063
1 changed files with 22 additions and 5 deletions
--- a/tools/sign.bat
+++ b/tools/sign.bat
@ -1,12 +1,29 @@
@echo off

-@REM From December 2023, new certificates use DigiCert cloud HSM service for EV signing.
-@REM They provide a client side app smctl.exe for managing certificates and signing process.
+@REM From June 2025, we started using Azure Trusted Signing for code signing.
@REM Release CI machines are configured to have it in the PATH so this can be used safely.
-smctl sign -k key_nodejs -i %1
+
+where signtool >nul 2>&1
+if errorlevel 1 (
+    echo signtool not found in PATH.
+    exit /b 1
+)
+
+if "%AZURE_SIGN_DLIB_PATH%"=="" (
+    echo AZURE_SIGN_DLIB_PATH is not set.
+    exit /b 1
+)
+
+if "%AZURE_SIGN_METADATA_PATH%"=="" (
+    echo AZURE_SIGN_METADATA_PATH is not set.
+    exit /b 1
+)
+
+
+signtool sign /tr "http://timestamp.acs.microsoft.com" /td sha256 /fd sha256 /v /dlib %AZURE_SIGN_DLIB_PATH% /dmdf %AZURE_SIGN_METADATA_PATH% %1
 if not ERRORLEVEL 1 (
-    echo Successfully signed %1 using smctl
+    echo Successfully signed %1 using signtool
    exit /b 0
 )
-echo Could not sign %1 using smctl
+echo Could not sign %1 using signtool
 exit /b 1