|
1 | 1 | @echo off |
2 | 2 | |
3 | | -@REM From December 2023, new certificates use DigiCert cloud HSM service for EV signing. |
4 | | -@REM They provide a client side app smctl.exe for managing certificates and signing process. |
| 3 | +@REM From June 2025, we started using Azure Trusted Signing for code signing. |
5 | 4 | @REM Release CI machines are configured to have it in the PATH so this can be used safely. |
6 | | -smctl sign -k key_nodejs -i %1 |
| 5 | + |
| 6 | +where signtool >nul 2>&1 |
| 7 | +if errorlevel 1 ( |
| 8 | +echo signtool not found in PATH. |
| 9 | +exit /b 1 |
| 10 | +) |
| 11 | + |
| 12 | +if "%AZURE_SIGN_DLIB_PATH%"=="" ( |
| 13 | +echo AZURE_SIGN_DLIB_PATH is not set. |
| 14 | +exit /b 1 |
| 15 | +) |
| 16 | + |
| 17 | +if "%AZURE_SIGN_METADATA_PATH%"=="" ( |
| 18 | +echo AZURE_SIGN_METADATA_PATH is not set. |
| 19 | +exit /b 1 |
| 20 | +) |
| 21 | + |
| 22 | + |
| 23 | +signtool sign /tr "http://timestamp.acs.microsoft.com" /td sha256 /fd sha256 /v /dlib %AZURE_SIGN_DLIB_PATH% /dmdf %AZURE_SIGN_METADATA_PATH% %1 |
7 | 24 | if not ERRORLEVEL 1 ( |
8 | | -echo Successfully signed %1 using smctl |
| 25 | +echo Successfully signed %1 using signtool |
9 | 26 | exit /b 0 |
10 | 27 | ) |
11 | | -echo Could not sign %1 using smctl |
| 28 | +echo Could not sign %1 using signtool |
12 | 29 | exit /b 1 |
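Review bot: The signtool call on new line 23 passes `%AZURE_SIGN_DLIB_PATH%`, `%AZURE_SIGN_METADATA_PATH%` and `%1` unquoted, so any of these paths containing a space is split into several arguments and signing fails or picks up the wrong operand. Quote all three, using `%~1` so a caller-quoted argument is not double-quoted: `/dlib "%AZURE_SIGN_DLIB_PATH%" /dmdf "%AZURE_SIGN_METADATA_PATH%" "%~1"`. The guards on new lines 12 and 17 only test that the variables are non-empty, so a stale path is reported by signtool rather than by this script; an `if not exist "%AZURE_SIGN_DLIB_PATH%"` check (and the same for the metadata file) would fail earlier with a clearer message. The retained comment on new line 4 ("configured to have it in the PATH") now sits under the Azure Trusted Signing sentence and should name signtool explicitly, since `where signtool` accepts whichever copy comes first on PATH.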