tools: upgrade Windows digital signature to SHA256
signtool still defaults to SHA1, which is vulnerable to certain collisions. This switches to SHA256, which is stronger and which also matches the hash function used by the signing certificate.
Technically, /fd certHash
would be a better choice, but I don't know if it is widely supported.