electron-userland · mmaietta · Sep 13, 2024 · Sep 9, 2024 · Sep 9, 2024 · Sep 9, 2024
diff --git a/docs/api/electron-builder.md b/docs/api/electron-builder.md
@@ -2244,20 +2244,22 @@ return path.join(target.outDir, <code>__${target.name}-${getArtifactArchName(arc
 <p>**&lt;code id=&quot;WinPackager-[cscInfo=new MemoLazy&lt;WindowsConfiguration, FileCodeSigningInfo | CertificateFromStoreInfo | null&gt;(
 () =&gt; this.platformSpecificBuildOptions,
 platformSpecificBuildOptions =&gt; {
-if (platformSpecificBuildOptions.certificateSubjectName != null || platformSpecificBuildOptions.certificateSha1 != null) {
+const subjectName = chooseNotNull(platformSpecificBuildOptions.signtoolOptions?.certificateSubjectName, platformSpecificBuildOptions.certificateSubjectName)
+const shaType = chooseNotNull(platformSpecificBuildOptions.signtoolOptions?.certificateSha1, platformSpecificBuildOptions.certificateSha1)
+if (subjectName != null || shaType != null) {
 return this.vm.value
 .then(vm =&gt; getCertificateFromStoreInfo(platformSpecificBuildOptions, vm))
 .catch((e: any) =&gt; {
 // <a href="https://github.com/electron-userland/electron-builder/pull/2397">https://github.com/electron-userland/electron-builder/pull/2397</a>
-if (platformSpecificBuildOptions.sign == null) {
+if (chooseNotNull(platformSpecificBuildOptions.signtoolOptions?.sign, platformSpecificBuildOptions.sign) == null) {
 throw e
 } else {
 log.debug({ error: e }, “getCertificateFromStoreInfo error”)
 return null
 }
 })
 }</p>
-<pre><code class="hljs">const certificateFile = platformSpecificBuildOptions.certificateFile
+<pre><code class="hljs">const certificateFile = chooseNotNull(platformSpecificBuildOptions.signtoolOptions?.certificateFile, platformSpecificBuildOptions.certificateFile)
 if (certificateFile != null) {
   const certificatePassword = this.getCscPassword()
   return Promise.resolve({
@@ -2293,20 +2295,22 @@ return (
 )]&quot;&gt;[cscInfo=new MemoLazy&lt;WindowsConfiguration, FileCodeSigningInfo | CertificateFromStoreInfo | null&gt;(
 () =&gt; this.platformSpecificBuildOptions,
 platformSpecificBuildOptions =&gt; {
-if (platformSpecificBuildOptions.certificateSubjectName != null || platformSpecificBuildOptions.certificateSha1 != null) {
+const subjectName = chooseNotNull(platformSpecificBuildOptions.signtoolOptions?.certificateSubjectName, platformSpecificBuildOptions.certificateSubjectName)
+const shaType = chooseNotNull(platformSpecificBuildOptions.signtoolOptions?.certificateSha1, platformSpecificBuildOptions.certificateSha1)
+if (subjectName != null || shaType != null) {
 return this.vm.value
 .then(vm =&gt; getCertificateFromStoreInfo(platformSpecificBuildOptions, vm))
 .catch((e: any) =&gt; {
 // <a href="https://github.com/electron-userland/electron-builder/pull/2397">https://github.com/electron-userland/electron-builder/pull/2397</a>
-if (platformSpecificBuildOptions.sign == null) {
+if (chooseNotNull(platformSpecificBuildOptions.signtoolOptions?.sign, platformSpecificBuildOptions.sign) == null) {
 throw e
 } else {
 log.debug({ error: e }, “getCertificateFromStoreInfo error”)
 return null
 }
 })
 }</p>
-<pre><code class="hljs">const certificateFile = platformSpecificBuildOptions.certificateFile
+<pre><code class="hljs">const certificateFile = chooseNotNull(platformSpecificBuildOptions.signtoolOptions?.certificateFile, platformSpecificBuildOptions.certificateFile)
 if (certificateFile != null) {
   const certificatePassword = this.getCscPassword()
   return Promise.resolve({

diff --git a/docs/configuration/win.md b/docs/configuration/win.md
@@ -15,15 +15,17 @@ The top-level [win](configuration.md#Configuration-win) key contains set of opti
 </ul>
 <hr>
 <ul>
-<li><code id="WindowsConfiguration-signingHashAlgorithms">signingHashAlgorithms</code> = <code>['sha1', 'sha256']</code> Array&lt;“sha256” | “sha1”&gt; | “undefined” - Array of signing algorithms used. For AppX <code>sha256</code> is always used.</li>
-<li><code id="WindowsConfiguration-sign">sign</code> String | (configuration: CustomWindowsSignTaskConfiguration) =&gt; Promise - The custom function (or path to file or module id) to sign Windows executable.</li>
-<li><code id="WindowsConfiguration-certificateFile">certificateFile</code> String | “undefined” - The path to the *.pfx certificate you want to sign with. Please use it only if you cannot use env variable <code>CSC_LINK</code> (<code>WIN_CSC_LINK</code>) for some reason. Please see <a href="/code-signing">Code Signing</a>.</li>
-<li><code id="WindowsConfiguration-certificatePassword">certificatePassword</code> String | “undefined” - The password to the certificate provided in <code>certificateFile</code>. Please use it only if you cannot use env variable <code>CSC_KEY_PASSWORD</code> (<code>WIN_CSC_KEY_PASSWORD</code>) for some reason. Please see <a href="/code-signing">Code Signing</a>.</li>
-<li><code id="WindowsConfiguration-certificateSubjectName">certificateSubjectName</code> String | “undefined” - The name of the subject of the signing certificate, which is often labeled with the field name <code>issued to</code>. Required only for EV Code Signing and works only on Windows (or on macOS if <a href="https://www.parallels.com/products/desktop/">Parallels Desktop</a> Windows 10 virtual machines exits).</li>
-<li><code id="WindowsConfiguration-certificateSha1">certificateSha1</code> String | “undefined” - The SHA1 hash of the signing certificate. The SHA1 hash is commonly specified when multiple certificates satisfy the criteria specified by the remaining switches. Works only on Windows (or on macOS if <a href="https://www.parallels.com/products/desktop/">Parallels Desktop</a> Windows 10 virtual machines exits).</li>
-<li><code id="WindowsConfiguration-additionalCertificateFile">additionalCertificateFile</code> String | “undefined” - The path to an additional certificate file you want to add to the signature block.</li>
-<li><code id="WindowsConfiguration-rfc3161TimeStampServer">rfc3161TimeStampServer</code> = <code>http://timestamp.digicert.com</code> String | “undefined” - The URL of the RFC 3161 time stamp server.</li>
-<li><code id="WindowsConfiguration-timeStampServer">timeStampServer</code> = <code>http://timestamp.digicert.com</code> String | “undefined” - The URL of the time stamp server.</li>
+<li tag.description=""><code id="WindowsConfiguration-signingHashAlgorithms">signingHashAlgorithms</code> Array&lt;“sha256” | “sha1”&gt; | “undefined” - Array of signing algorithms used. For AppX <code>sha256</code> is always used. Deprecated:</li>
+<li tag.description=""><code id="WindowsConfiguration-sign">sign</code> String | (configuration: CustomWindowsSignTaskConfiguration) =&gt; Promise - The custom function (or path to file or module id) to sign Windows executables Deprecated:</li>
+<li tag.description=""><code id="WindowsConfiguration-certificateFile">certificateFile</code> String | “undefined” - The path to the *.pfx certificate you want to sign with. Please use it only if you cannot use env variable <code>CSC_LINK</code> (<code>WIN_CSC_LINK</code>) for some reason. Please see <a href="/code-signing">Code Signing</a>. Deprecated:</li>
+<li tag.description=""><code id="WindowsConfiguration-certificatePassword">certificatePassword</code> String | “undefined” - The password to the certificate provided in <code>certificateFile</code>. Please use it only if you cannot use env variable <code>CSC_KEY_PASSWORD</code> (<code>WIN_CSC_KEY_PASSWORD</code>) for some reason. Please see <a href="/code-signing">Code Signing</a>. Deprecated:</li>
+<li tag.description=""><code id="WindowsConfiguration-certificateSubjectName">certificateSubjectName</code> String | “undefined” - The name of the subject of the signing certificate, which is often labeled with the field name <code>issued to</code>. Required only for EV Code Signing and works only on Windows (or on macOS if <a href="https://www.parallels.com/products/desktop/">Parallels Desktop</a> Windows 10 virtual machines exits). Deprecated:</li>
+<li tag.description=""><code id="WindowsConfiguration-certificateSha1">certificateSha1</code> String | “undefined” - The SHA1 hash of the signing certificate. The SHA1 hash is commonly specified when multiple certificates satisfy the criteria specified by the remaining switches. Works only on Windows (or on macOS if <a href="https://www.parallels.com/products/desktop/">Parallels Desktop</a> Windows 10 virtual machines exits). Deprecated:</li>
+<li tag.description=""><code id="WindowsConfiguration-additionalCertificateFile">additionalCertificateFile</code> String | “undefined” - The path to an additional certificate file you want to add to the signature block. Deprecated:</li>
+<li tag.description=""><code id="WindowsConfiguration-rfc3161TimeStampServer">rfc3161TimeStampServer</code> = <code>http://timestamp.digicert.com</code> String | “undefined” - The URL of the RFC 3161 time stamp server. Deprecated:</li>
+<li tag.description=""><code id="WindowsConfiguration-timeStampServer">timeStampServer</code> = <code>http://timestamp.digicert.com</code> String | “undefined” - The URL of the time stamp server. Deprecated:</li>
+<li><code id="WindowsConfiguration-signtoolOptions">signtoolOptions</code> module:app-builder-lib/out/options/winOptions.WindowsSigntoolConfiguration | “undefined” - Options for usage with signtool.exe</li>
+<li><code id="WindowsConfiguration-azureOptions">azureOptions</code> module:app-builder-lib/out/options/winOptions.WindowsAzureSigningConfiguration | “undefined” - Options for usage of Azure Trusted Signing Requires powershell</li>
 </ul>
 <hr>
 <ul>

diff --git a/packages/app-builder-lib/scheme.json b/packages/app-builder-lib/scheme.json
@@ -5959,6 +5959,26 @@
       ],
       "type": "object"
     },
+    "WindowsAzureSigningConfiguration": {
+      "additionalProperties": {
+        "type": "string"
+      },
+      "properties": {
+        "CertificateProfileName": {
+          "description": "The Certificate Profile name.",
+          "type": "string"
+        },
+        "Endpoint": {
+          "description": "The Trusted Signing Account endpoint. The URI value must have a URI that aligns to the\nregion your Trusted Signing Account and Certificate Profile you are specifying were created\nin during the setup of these resources.\n\nRequires the following environment variables to be set:\nAZURE_TENANT_ID\nAZURE_CLIENT_ID\nAZURE_CLIENT_SECRET\nAZURE_CLIENT_CERTIFICATE_PATH\nAZURE_CLIENT_SEND_CERTIFICATE_CHAIN\nAZURE_USERNAME\nAZURE_PASSWORD",
+          "type": "string"
+        }
+      },
+      "required": [
+        "CertificateProfileName",
+        "Endpoint"
+      ],
+      "type": "object"
+    },
     "WindowsConfiguration": {
       "additionalProperties": false,
       "properties": {
@@ -6016,6 +6036,17 @@
           ],
           "description": "A [glob patterns](/file-patterns) relative to the [app directory](#MetadataDirectories-app), which specifies which files to unpack when creating the [asar](http://electron.atom.io/docs/tutorial/application-packaging/) archive."
         },
+        "azureOptions": {
+          "anyOf": [
+            {
+              "$ref": "#/definitions/WindowsAzureSigningConfiguration"
+            },
+            {
+              "type": "null"
+            }
+          ],
+          "description": "Options for usage of Azure Trusted Signing\nRequires powershell"
+        },
         "certificateFile": {
           "description": "The path to the *.pfx certificate you want to sign with. Please use it only if you cannot use env variable `CSC_LINK` (`WIN_CSC_LINK`) for some reason.\nPlease see [Code Signing](/code-signing).",
           "type": [
@@ -6345,7 +6376,7 @@
               ]
             }
           ],
-          "description": "The custom function (or path to file or module id) to sign Windows executable."
+          "description": "The custom function (or path to file or module id) to sign Windows executables"
         },
         "signAndEditExecutable": {
           "default": true,
@@ -6388,9 +6419,19 @@
               "type": "null"
             }
           ],
-          "default": "['sha1', 'sha256']",
           "description": "Array of signing algorithms used. For AppX `sha256` is always used."
         },
+        "signtoolOptions": {
+          "anyOf": [
+            {
+              "$ref": "#/definitions/WindowsSigntoolConfiguration"
+            },
+            {
+              "type": "null"
+            }
+          ],
+          "description": "Options for usage with signtool.exe"
+        },
         "target": {
           "anyOf": [
             {
@@ -6434,6 +6475,96 @@
         }
       },
       "type": "object"
+    },
+    "WindowsSigntoolConfiguration": {
+      "additionalProperties": false,
+      "properties": {
+        "additionalCertificateFile": {
+          "description": "The path to an additional certificate file you want to add to the signature block.",
+          "type": [
+            "null",
+            "string"
+          ]
+        },
+        "certificateFile": {
+          "description": "The path to the *.pfx certificate you want to sign with. Please use it only if you cannot use env variable `CSC_LINK` (`WIN_CSC_LINK`) for some reason.\nPlease see [Code Signing](/code-signing).",
+          "type": [
+            "null",
+            "string"
+          ]
+        },
+        "certificatePassword": {
+          "description": "The password to the certificate provided in `certificateFile`. Please use it only if you cannot use env variable `CSC_KEY_PASSWORD` (`WIN_CSC_KEY_PASSWORD`) for some reason.\nPlease see [Code Signing](/code-signing).",
+          "type": [
+            "null",
+            "string"
+          ]
+        },
+        "certificateSha1": {
+          "description": "The SHA1 hash of the signing certificate. The SHA1 hash is commonly specified when multiple certificates satisfy the criteria specified by the remaining switches. Works only on Windows (or on macOS if [Parallels Desktop](https://www.parallels.com/products/desktop/) Windows 10 virtual machines exits).",
+          "type": [
+            "null",
+            "string"
+          ]
+        },
+        "certificateSubjectName": {
+          "description": "The name of the subject of the signing certificate, which is often labeled with the field name `issued to`. Required only for EV Code Signing and works only on Windows (or on macOS if [Parallels Desktop](https://www.parallels.com/products/desktop/) Windows 10 virtual machines exits).",
+          "type": [
+            "null",
+            "string"
+          ]
+        },
+        "rfc3161TimeStampServer": {
+          "default": "http://timestamp.digicert.com",
+          "description": "The URL of the RFC 3161 time stamp server.",
+          "type": [
+            "null",
+            "string"
+          ]
+        },
+        "sign": {
+          "anyOf": [
+            {
+              "typeof": "function"
+            },
+            {
+              "type": [
+                "null",
+                "string"
+              ]
+            }
+          ],
+          "description": "The custom function (or path to file or module id) to sign Windows executables"
+        },
+        "signingHashAlgorithms": {
+          "anyOf": [
+            {
+              "items": {
+                "enum": [
+                  "sha1",
+                  "sha256"
+                ],
+                "type": "string"
+              },
+              "type": "array"
+            },
+            {
+              "type": "null"
+            }
+          ],
+          "default": "['sha1', 'sha256']",
+          "description": "Array of signing algorithms used. For AppX `sha256` is always used."
+        },
+        "timeStampServer": {
+          "default": "http://timestamp.digicert.com",
+          "description": "The URL of the time stamp server.",
+          "type": [
+            "null",
+            "string"
+          ]
+        }
+      },
+      "type": "object"
     }
   },
   "description": "Configuration Options",