From 989814093e3f97a9ee1690ed8ee496c930e79444 Mon Sep 17 00:00:00 2001
From: Stefan Stojanovic
Date: Fri, 8 Dec 2023 22:58:17 +0100
Subject: [PATCH] win,tools: upgrade Windows signing to smctl

As a part of the new signing requrements for Windows change approach to use the DigiCert cloud HSM service KeyLocker.

PR-URL: https://github.com/nodejs/node/pull/50956
Fixes: https://github.com/nodejs/build/issues/3491
Reviewed-By: Richard Lau
Reviewed-By: Michael Dawson
---
 tools/sign.bat | 21 +++++++++------------
 1 file changed, 9 insertions(+), 12 deletions(-)

diff --git a/tools/sign.bat b/tools/sign.bat
index fae06583b4923f..f4d18d9f7a8a0d 100644
--- a/tools/sign.bat
+++ b/tools/sign.bat
@@ -1,15 +1,12 @@
 @echo off
 
-set timeservers=(http://timestamp.globalsign.com/scripts/timestamp.dll http://timestamp.comodoca.com/authenticode http://timestamp.verisign.com/scripts/timestamp.dll http://tsa.starfieldtech.com)
-
-for %%s in %timeservers% do (
-signtool sign /a /d "Node.js" /du "https://nodejs.org" /fd SHA256 /t %%s %1
-if not ERRORLEVEL 1 (
-echo Successfully signed %1 using timeserver %%s
-exit /b 0
-)
-echo Signing %1 failed using %%s
+@REM From December 2023, new certificates use DigiCert cloud HSM service for EV signing.
+@REM They provide a client side app smctl.exe for managing certificates and signing process.
+@REM Release CI machines are configured to have it in the PATH so this can be used safely.
+smctl sign -k key_nodejs -i %1
+if not ERRORLEVEL 1 (
+echo Successfully signed %1 using smctl
+exit /b 0
 )
-
-echo Could not sign %1 using any available timeserver
-exit /b 1
+echo Could not sign %1 using smctl
+exit /b 1
\ No newline at end of file
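Review bot: The new `smctl sign -k key_nodejs -i %1` line drops the description (`/d`, `/du`), digest selection (`/fd SHA256`) and above all the RFC 3161 timestamp (`/t`) that the removed signtool loop passed, and nothing in the hunk shows smctl supplying equivalents; without a countersigned timestamp an Authenticode signature stops validating once the signing certificate expires, so every published installer would go invalid on the cert's expiry date. Please confirm what smctl applies by default on the release machines and, if a timestamp is not applied, pass smctl's timestamp option and record that in the `@REM` block, e.g. `@REM smctl is expected to timestamp the signature; verify after certificate rotation.`. The `%1` argument is unquoted, as it was before, so a path containing spaces is split into several arguments; `-i "%~1"` and quoting the two `echo %1` lines would be safer. The three `@REM` lines also state that CI has smctl on PATH but not what a failure looks like; a short note that a missing binary surfaces as ERRORLEVEL 9009 and is caught by the existing check would help the next maintainer.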