build: windows signing should include timestamps

Previously the build artifacts did not include a signed timestamp, so
when the certificate expired the validation of the artifact would fail.
Now we sign against a timestamp server such that the artifact will
always be valid regardless of the disposition of the certificate.

Closes #7360 and #7059.

diff --git a/vcbuild.bat b/vcbuild.bat
index 849374b..0c9b0b2 100644 (file)
--- a/vcbuild.bat
+++ b/vcbuild.bat
@@ -136,7 +136,8 @@ if errorlevel 1 goto exit
 @rem Skip signing if the `nosign` option was specified.
 if defined nosign goto licensertf
 
-signtool sign /a Release\node.exe
+signtool sign /a /d "Node.js" /t http://timestamp.globalsign.com/scripts/timestamp.dll Release\node.exe
+if errorlevel 1 echo Failed to sign exe&goto exit
 
 :licensertf
 @rem Skip license.rtf generation if not requested.
@@ -159,7 +160,8 @@ msbuild "%~dp0tools\msvs\msi\nodemsi.sln" /m /t:Clean,Build /p:Configuration=%co
 if errorlevel 1 goto exit
 
 if defined nosign goto run
-signtool sign /a Release\node-v%NODE_VERSION%-%msiplatform%.msi
+signtool sign /a /d "Node.js" /t http://timestamp.globalsign.com/scripts/timestamp.dll Release\node-v%NODE_VERSION%-%msiplatform%.msi
+if errorlevel 1 echo Failed to sign msi&goto exit
 
 :run
 @rem Run tests if requested.