fix: sign the windows setup .exe COMPASS-8945 COMPASS-8950

packages/hadron-build/lib/signtool.js

@@ -1,4 +1,6 @@
 'use strict';
+const fs = require('fs');
+const crypto = require('crypto');
 const path = require('path');
 const debug = require('debug')('hadron-build:target');
 const { sign: _garasign } = require('@mongodb-js/signing-utils');
@@ -51,6 +53,20 @@ function getSigningMethod(src) {
   }
 }
 
+function hashFile(filename) {
+  return new Promise((resolve, reject) => {
+    const hash = crypto.createHash('sha256');
+    const fh = fs.createReadStream(filename);
+
+    fh.on('data', d => hash.update(d));
+    fh.on('end', () => {
+        const digest = hash.digest('hex');
+        resolve(digest);
+    });
+    fh.on('error', reject);
+  });
+}
+
 /**
  * We are signing the file using `gpg` or `jsign` depending on the
  * file extension. If the extension is `.exe` or `.msi`, we use `jsign`
@@ -76,7 +92,9 @@ async function sign(src, garasign = _garasign) {
     signingMethod: getSigningMethod(src),
   };
 
-  return await garasign(src, clientOptions);
+  debug(`checksum of ${src} before signing: ${await hashFile(src)}`);
+  await garasign(src, clientOptions);
+  debug(`checksum of ${src} after signing: ${await hashFile(src)}`);
 }
 
 module.exports = { sign, signArchive, getSignedFilename };