diff --git a/.changeset/tame-pets-jam.md b/.changeset/tame-pets-jam.md
new file mode 100644
index 00000000000..9af2f58e188
--- /dev/null
+++ b/.changeset/tame-pets-jam.md
@@ -0,0 +1,5 @@
+---
+"app-builder-lib": minor
+---
+
+feat: Implement Azure Trusted Signing
diff --git a/docs/api/electron-builder.md b/docs/api/electron-builder.md
index f3ee272823a..c8631996f82 100644
--- a/docs/api/electron-builder.md
+++ b/docs/api/electron-builder.md
@@ -133,8 +133,11 @@ Developer API only. See [Configuration](../configuration/configuration.md) for u
.createTargets(targets, mapper)
.artifactPatternConfig(targetSpecificOptions, defaultPattern)
⇒ module:app-builder-lib/out/platformPackager.__object
.computeSafeArtifactName(suggestedName, ext, arch, skipDefaultArch, defaultArch, safePattern)
⇒ null
| String
.getCscLink(extraEnvName)
⇒ undefined
| null
| String
.getCscPassword()
⇒ String
.getDefaultFrameworkIcon()
⇒ null
| String
.dispatchArtifactCreated(file, target, arch, safeArtifactName)
⇒ Promise<void>
.doGetCscPassword()
⇒ undefined
| null
| String
.getElectronDestinationDir(appOutDir)
⇒ String
.getElectronSrcDir(dist)
⇒ String
.expandArtifactBeautyNamePattern(targetSpecificOptions, ext, arch)
⇒ String
.pack(outDir, arch, targets, taskManager)
⇒ Promise<void>
.artifactPatternConfig(targetSpecificOptions, defaultPattern)
⇒ module:app-builder-lib/out/platformPackager.__object
.computeSafeArtifactName(suggestedName, ext, arch, skipDefaultArch, defaultArch, safePattern)
⇒ null
| String
.getCscLink(extraEnvName)
⇒ undefined
| null
| String
.getCscPassword()
⇒ String
.getDefaultFrameworkIcon()
⇒ null
| String
.dispatchArtifactCreated(file, target, arch, safeArtifactName)
⇒ Promise<void>
.doGetCscPassword()
⇒ undefined
| null
| String
.expandArtifactBeautyNamePattern(targetSpecificOptions, ext, arch)
⇒ String
.expandArtifactNamePattern(targetSpecificOptions, ext, arch, defaultPattern, skipDefaultArch, defaultArch)
⇒ String
.expandMacro(pattern, arch, extra, isProductNameSanitized)
⇒ String
.dispatchArtifactCreated(event)
.disposeOnBuildFinish(disposer)
.installAppDependencies(platform, arch)
⇒ Promise<any>
.getNodeDependencyInfo(platform)
⇒ Lazy<Array<module:app-builder-lib/out/util/packageDependencies.NodeModuleDirInfo | module:app-builder-lib/out/util/packageDependencies.NodeModuleInfo>>
.getNodeDependencyInfo(platform, flatten)
⇒ Lazy<Array<module:app-builder-lib/out/util/packageDependencies.NodeModuleInfo | module:app-builder-lib/out/util/packageDependencies.NodeModuleDirInfo>>
.validateConfig()
⇒ Promise<void>
.artifactPatternConfig(targetSpecificOptions, defaultPattern)
⇒ module:app-builder-lib/out/platformPackager.__object
.computeSafeArtifactName(suggestedName, ext, arch, skipDefaultArch, defaultArch, safePattern)
⇒ null
| String
.createTargets(targets, mapper)
.getCscLink(extraEnvName)
⇒ undefined
| null
| String
.getCscPassword()
⇒ String
.getDefaultFrameworkIcon()
⇒ null
| String
.dispatchArtifactCreated(file, target, arch, safeArtifactName)
⇒ Promise<void>
.doGetCscPassword()
⇒ undefined
| null
| String
.getElectronDestinationDir(appOutDir)
⇒ String
.getElectronSrcDir(dist)
⇒ String
.expandArtifactBeautyNamePattern(targetSpecificOptions, ext, arch)
⇒ String
PlatformPackager
.createTargets(targets, mapper)
.doGetCscPassword()
⇒ undefined
| null
| String
.getIconPath()
⇒ Promise< | String>
.sign(file, logMessagePrefix)
⇒ Promise<Boolean>
.signAndEditResources(file, arch, outDir, internalName, requestedExecutionLevel)
⇒ Promise<void>
.artifactPatternConfig(targetSpecificOptions, defaultPattern)
⇒ module:app-builder-lib/out/platformPackager.__object
.computeSafeArtifactName(suggestedName, ext, arch, skipDefaultArch, defaultArch, safePattern)
⇒ null
| String
.getCscLink(extraEnvName)
⇒ undefined
| null
| String
.getCscPassword()
⇒ String
.getDefaultFrameworkIcon()
⇒ null
| String
.dispatchArtifactCreated(file, target, arch, safeArtifactName)
⇒ Promise<void>
.getElectronDestinationDir(appOutDir)
⇒ String
.createTargets(targets, mapper)
.artifactPatternConfig(targetSpecificOptions, defaultPattern)
⇒ module:app-builder-lib/out/platformPackager.__object
.computeSafeArtifactName(suggestedName, ext, arch, skipDefaultArch, defaultArch, safePattern)
⇒ null
| String
.getCscLink(extraEnvName)
⇒ undefined
| null
| String
.getCscPassword()
⇒ String
.getDefaultFrameworkIcon()
⇒ null
| String
.dispatchArtifactCreated(file, target, arch, safeArtifactName)
⇒ Promise<void>
.doGetCscPassword()
⇒ undefined
| null
| String
.getElectronDestinationDir(appOutDir)
⇒ String
.getElectronSrcDir(dist)
⇒ String
.expandArtifactBeautyNamePattern(targetSpecificOptions, ext, arch)
⇒ String
linuxPackager.getCscLink(extraEnvName)
⇒ undefined
| null
| String
Param | +Type | +
---|---|
extraEnvName | +String | “undefined” |
+
linuxPackager.getCscPassword()
⇒ String
linuxPackager.getDefaultFrameworkIcon()
⇒ null
| String
linuxPackager.doGetCscPassword()
⇒ undefined
| null
| String
linuxPackager.getElectronDestinationDir(appOutDir)
⇒ String
macPackager.getCscLink(extraEnvName)
⇒ undefined
| null
| String
Param | +Type | +
---|---|
extraEnvName | +String | “undefined” |
+
macPackager.getCscPassword()
⇒ String
macPackager.getDefaultFrameworkIcon()
⇒ null
| String
macPackager.doGetCscPassword()
⇒ undefined
| null
| String
macPackager.expandArtifactBeautyNamePattern(targetSpecificOptions, ext, arch)
⇒ String
packager.getNodeDependencyInfo(platform)
⇒ Lazy<Array<module:app-builder-lib/out/util/packageDependencies.NodeModuleDirInfo | module:app-builder-lib/out/util/packageDependencies.NodeModuleInfo>>
packager.getNodeDependencyInfo(platform, flatten)
⇒ Lazy<Array<module:app-builder-lib/out/util/packageDependencies.NodeModuleInfo | module:app-builder-lib/out/util/packageDependencies.NodeModuleDirInfo>>
platform | Platform | “undefined” |
flatten | +Boolean |
+
__${target.name}-${getArtifactArchName(arc
.artifactPatternConfig(targetSpecificOptions, defaultPattern)
⇒ module:app-builder-lib/out/platformPackager.__object
.computeSafeArtifactName(suggestedName, ext, arch, skipDefaultArch, defaultArch, safePattern)
⇒ null
| String
.createTargets(targets, mapper)
+.getCscLink(extraEnvName)
⇒ undefined
| null
| String
+.getCscPassword()
⇒ String
.getDefaultFrameworkIcon()
⇒ null
| String
.dispatchArtifactCreated(file, target, arch, safeArtifactName)
⇒ Promise<void>
+.doGetCscPassword()
⇒ undefined
| null
| String
.getElectronDestinationDir(appOutDir)
⇒ String
.getElectronSrcDir(dist)
⇒ String
.expandArtifactBeautyNamePattern(targetSpecificOptions, ext, arch)
⇒ String
@@ -1860,6 +1925,24 @@ return path.join(target.outDir, __${target.name}-${getArtifactArchName(arc
+
+platformPackager.getCscLink(extraEnvName)
⇒ undefined
| null
| String
+
+
+
+Param
+Type
+
+
+
+
+extraEnvName
+String
| “undefined”
+
+
+
+
+platformPackager.getCscPassword()
⇒ String
platformPackager.getDefaultFrameworkIcon()
⇒ null
| String
@@ -1890,6 +1973,8 @@ return path.join(target.outDir, __${target.name}-${getArtifactArchName(arc
+
+platformPackager.doGetCscPassword()
⇒ undefined
| null
| String
platformPackager.getElectronDestinationDir(appOutDir)
⇒ String
@@ -2251,195 +2336,36 @@ return path.join(target.outDir, __${target.name}-${getArtifactArchName(arc
Extends: PlatformPackager
Properties
--
-
**<code id="WinPackager-[cscInfo=new MemoLazy<WindowsConfiguration, FileCodeSigningInfo | CertificateFromStoreInfo | null>(
-() => this.platformSpecificBuildOptions,
-platformSpecificBuildOptions => {
-if (platformSpecificBuildOptions.certificateSubjectName != null || platformSpecificBuildOptions.certificateSha1 != null) {
-return this.vm.value
-.then(vm => getCertificateFromStoreInfo(platformSpecificBuildOptions, vm))
-.catch((e: any) => {
-// https://github.com/electron-userland/electron-builder/pull/2397
-if (platformSpecificBuildOptions.sign == null) {
-throw e
-} else {
-log.debug({ error: e }, “getCertificateFromStoreInfo error”)
-return null
-}
-})
-}
-const certificateFile = platformSpecificBuildOptions.certificateFile
-if (certificateFile != null) {
- const certificatePassword = this.getCscPassword()
- return Promise.resolve({
- file: certificateFile,
- password: certificatePassword == null ? null : certificatePassword.trim(),
+_iconPath
= new Lazy(() => this.getOrConvertIcon("ico"))
Lazy< | String>
+vm
= new Lazy<VmManager>(() => (process.platform === "win32" ? Promise.resolve(new VmManager()) : getWindowsVm(this.debugLogger)))
Lazy<module:app-builder-lib/out/vm/vm.VmManager>
+signtoolManager
= new Lazy<WindowsSignToolManager>(() => Promise.resolve(new WindowsSignToolManager(this)))
Lazy<module:app-builder-lib/out/codeSign/windowsSignToolManager.WindowsSignToolManager>
+https://github.com/electron-userland/electron-builder/pull/2397
-if (platformSpecificBuildOptions.sign == null) {
-throw e
-} else {
-log.debug({ error: e }, “getCertificateFromStoreInfo error”)
-return null
-}
+)]">[azureSignManager=new Lazy(() =>
+Promise.resolve(new WindowsSignAzureManager(this)).then(async manager => {
+await manager.initializeProviderModules()
+return manager
})
-}
-const certificateFile = platformSpecificBuildOptions.certificateFile
-if (certificateFile != null) {
- const certificatePassword = this.getCscPassword()
- return Promise.resolve({
- file: certificateFile,
- password: certificatePassword == null ? null : certificatePassword.trim(),
- })
-}
-
-const cscLink = this.getCscLink("WIN_CSC_LINK")
-if (cscLink == null || cscLink === "") {
- return Promise.resolve(null)
-}
-
-return (
- importCertificate(cscLink, this.info.tempDirManager, this.projectDir)
- // before then
- .catch((e: any) => {
- if (e instanceof InvalidConfigurationError) {
- throw new InvalidConfigurationError(`Env WIN_CSC_LINK is not correct, cannot resolve: ${e.message}`)
- } else {
- throw e
- }
- })
- .then(path => {
- return {
- file: path,
- password: this.getCscPassword(),
- }
- })
-)
-
-}
-)]
** MemoLazy<WindowsConfiguration | | FileCodeSigningInfo | CertificateFromStoreInfo>
-
--
-
vm
= new Lazy<VmManager>(() => (process.platform === "win32" ? Promise.resolve(new VmManager()) : getWindowsVm(this.debugLogger)))
Lazy<module:app-builder-lib/out/vm/vm.VmManager>
-
--
-
**<code id="WinPackager-[computedPublisherName=new Lazy<Array | null>(async () => {
-const publisherName = this.platformSpecificBuildOptions.publisherName
-if (publisherName === null) {
-return null
-} else if (publisherName != null) {
-return asArray(publisherName)
-}
-const certInfo = await this.lazyCertInfo.value
-return certInfo == null ? null : [certInfo.commonName]
-})]">[computedPublisherName=new Lazy<Array | null>(async () => {
-const publisherName = this.platformSpecificBuildOptions.publisherName
-if (publisherName === null) {
-return null
-} else if (publisherName != null) {
-return asArray(publisherName)
-}
-const certInfo = await this.lazyCertInfo.value
-return certInfo == null ? null : [certInfo.commonName]
-})]
** Lazy< | Array>
-
--
-
**<code id="WinPackager-[lazyCertInfo=new MemoLazy<MemoLazy<WindowsConfiguration, FileCodeSigningInfo | CertificateFromStoreInfo | null>, CertificateInfo | null>(
-() => this.cscInfo,
-async csc => {
-const cscInfo = await csc.value
-if (cscInfo == null) {
-return null
-}
-if ("subject" in cscInfo) {
- const bloodyMicrosoftSubjectDn = cscInfo.subject
- return {
- commonName: parseDn(bloodyMicrosoftSubjectDn).get("CN")!,
- bloodyMicrosoftSubjectDn,
- }
-}
-
-const cscFile = cscInfo.file
-if (cscFile == null) {
- return null
-}
-return await getCertInfo(cscFile, cscInfo.password || "")
-
-}
-)]">[lazyCertInfo=new MemoLazy<MemoLazy<WindowsConfiguration, FileCodeSigningInfo | CertificateFromStoreInfo | null>, CertificateInfo | null>(
-() => this.cscInfo,
-async csc => {
-const cscInfo = await csc.value
-if (cscInfo == null) {
-return null
-}
-if ("subject" in cscInfo) {
- const bloodyMicrosoftSubjectDn = cscInfo.subject
- return {
- commonName: parseDn(bloodyMicrosoftSubjectDn).get("CN")!,
- bloodyMicrosoftSubjectDn,
- }
-}
-
-const cscFile = cscInfo.file
-if (cscFile == null) {
- return null
-}
-return await getCertInfo(cscFile, cscInfo.password || "")
-
-}
-)]
** MemoLazy<MemoLazy<WindowsConfiguration | | FileCodeSigningInfo | CertificateFromStoreInfo> | | module:app-builder-lib/out/codeSign/windowsCodeSign.CertificateInfo>
-
--
-
isForceCodeSigningVerification
Boolean
-
--
-
defaultTarget
Array<String>
-
+)] Lazy<module:app-builder-lib/out/codeSign/windowsSignAzureManager.WindowsSignAzureManager>
+isForceCodeSigningVerification
Boolean
+defaultTarget
Array<String>
Methods
- .WinPackager ⇐
PlatformPackager
.createTargets(targets, mapper)
+.doGetCscPassword()
⇒ undefined
| null
| String
.getIconPath()
⇒ Promise< | String>
.sign(file, logMessagePrefix)
⇒ Promise<Boolean>
.signAndEditResources(file, arch, outDir, internalName, requestedExecutionLevel)
⇒ Promise<void>
.artifactPatternConfig(targetSpecificOptions, defaultPattern)
⇒ module:app-builder-lib/out/platformPackager.__object
.computeSafeArtifactName(suggestedName, ext, arch, skipDefaultArch, defaultArch, safePattern)
⇒ null
| String
+.getCscLink(extraEnvName)
⇒ undefined
| null
| String
+.getCscPassword()
⇒ String
.getDefaultFrameworkIcon()
⇒ null
| String
.dispatchArtifactCreated(file, target, arch, safeArtifactName)
⇒ Promise<void>
.getElectronDestinationDir(appOutDir)
⇒ String
@@ -2478,7 +2404,10 @@ return await getCertInfo(cscFile, cscInfo.password || "")
-
+
+winPackager.doGetCscPassword()
⇒ undefined
| null
| String
+Overrides: doGetCscPassword
+
winPackager.getIconPath()
⇒ Promise< | String>
Overrides: getIconPath
@@ -2589,6 +2518,24 @@ return await getCertInfo(cscFile, cscInfo.password || "")
+
+winPackager.getCscLink(extraEnvName)
⇒ undefined
| null
| String
+
+
+
+Param
+Type
+
+
+
+
+extraEnvName
+String
| “undefined”
+
+
+
+
+winPackager.getCscPassword()
⇒ String
winPackager.getDefaultFrameworkIcon()
⇒ null
| String
diff --git a/docs/code-signing.md b/docs/code-signing.md
index 8b3f9ab2ab1..207d31b83da 100644
--- a/docs/code-signing.md
+++ b/docs/code-signing.md
@@ -4,9 +4,9 @@ Windows is dual code-signed (SHA1 & SHA256 hashing algorithms).
On a macOS development machine, a valid and appropriate identity from your keychain will be automatically used.
-!!! tip
+!!! tip
See article [Notarizing your Electron application](https://kilianvalkhof.com/2019/electron/notarizing-your-electron-application/).
-
+
| Env Name | Description
| -------------- | -----------
@@ -29,7 +29,7 @@ To sign an app on Windows, there are two types of certificates:
* EV Code Signing Certificate
* Code Signing Certificate
-Both certificates work with auto-update. The regular (and often cheaper) Code Signing Certificate shows a warning during installation that goes away once enough users installed your application and you've built up trust. The EV Certificate has more trust and thus works immediately without any warnings. However, it is not possible to export the EV Certificate as it is bound to a physical USB dongle. Thus, you can't export the certificate for signing code on a CI, such as AppVeyor.
+Both certificates work with auto-update. The regular (and often cheaper) Code Signing Certificate shows a warning during installation that goes away once enough users installed your application and you've built up trust. The EV Certificate has more trust and thus works immediately without any warnings. However, it is not possible to export the EV Certificate as it is bound to a physical USB dongle. Thus, you can't export the certificate for signing code on a CI, such as AppVeyor.
If you are using an EV Certificate, you need to provide [win.certificateSubjectName](configuration/win.md#WindowsConfiguration-certificateSubjectName) in your electron-builder configuration.
@@ -52,7 +52,7 @@ To sign app on build server you need to set `CSC_LINK`, `CSC_KEY_PASSWORD`:
In case of AppVeyor, don't forget to click on lock icon to “Toggle variable encryption”.
Keep in mind that Windows is not able to handle enviroment variable values longer than 8192 characters, thus if the base64 representation of your certificate exceeds that limit, try re-exporting the certificate without including all the certificates in the certification path (they are not necessary, but the Certificate Manager export wizard ticks the option by default), otherwise the encoded value will be truncated.
-
+
[1] `printf "%q\n" ""`
## Where to Buy Code Signing Certificate
@@ -75,10 +75,29 @@ Please note — Gatekeeper only recognises [Apple digital certificates](http://s
## How to Disable Code Signing During the Build Process on macOS
-To disable Code Signing when building for macOS leave all the above vars unset except for `CSC_IDENTITY_AUTO_DISCOVERY` which needs to be set to `false`. This can be done by running `export CSC_IDENTITY_AUTO_DISCOVERY=false`.
+To disable Code Signing when building for macOS leave all the above vars unset except for `CSC_IDENTITY_AUTO_DISCOVERY` which needs to be set to `false`. This can be done by running `export CSC_IDENTITY_AUTO_DISCOVERY=false`.
Another way — set `mac.identity` to `null`. You can pass aditional configuration using CLI as well: `-c.mac.identity=null`.
+## Using with Azure Trusted Signing (beta)
+
+To sign using Azure Tenant account, you'll need the following env variables set that are read directly by `Invoke-TrustedSigning` module; they are not parsed or resolved by electron-builder.
+
+!!! tip
+ Descriptions of each field can be found here: [Azure.Identity class - EnvironmentCredential Class](https://learn.microsoft.com/en-us/dotnet/api/azure.identity.environmentcredential?view=azure-dotnet#definition)
+
+| Env Name | Description
+| -------------- | -----------
+| `AZURE_TENANT_ID` | See the Tip mentioned above.
+| `AZURE_CLIENT_ID` |
+| `AZURE_CLIENT_SECRET` |
+| `AZURE_CLIENT_CERTIFICATE_PATH` |
+| `AZURE_CLIENT_SEND_CERTIFICATE_CHAIN` |
+| `AZURE_USERNAME` |
+| `AZURE_PASSWORD` |
+
+`win.azureOptions` needs to be configured per [Microsoft's instructions](https://learn.microsoft.com/en-us/azure/trusted-signing/how-to-signing-integrations#create-a-json-file) directly in electron-builder's configuration. Additional fields can be provided that are passed directly to `Invoke-TrustedSigning` powershell command.
+
## Alternative methods of codesigning
Codesigning via Electron Builder's configuration (via package.json) is not the only way to sign an application. Some people find it easier to codesign using a GUI tool. A couple of examples include:
diff --git a/docs/configuration/win.md b/docs/configuration/win.md
index d8c6a1b0306..99261b322a8 100644
--- a/docs/configuration/win.md
+++ b/docs/configuration/win.md
@@ -15,25 +15,59 @@ The top-level [win](configuration.md#Configuration-win) key contains set of opti
signingHashAlgorithms
= ['sha1', 'sha256']
Array<“sha256” | “sha1”> | “undefined” - Array of signing algorithms used. For AppX sha256
is always used.sign
String | (configuration: CustomWindowsSignTaskConfiguration) => Promise - The custom function (or path to file or module id) to sign Windows executable.certificateFile
String | “undefined” - The path to the *.pfx certificate you want to sign with. Please use it only if you cannot use env variable CSC_LINK
(WIN_CSC_LINK
) for some reason. Please see Code Signing.certificatePassword
String | “undefined” - The password to the certificate provided in certificateFile
. Please use it only if you cannot use env variable CSC_KEY_PASSWORD
(WIN_CSC_KEY_PASSWORD
) for some reason. Please see Code Signing.certificateSubjectName
String | “undefined” - The name of the subject of the signing certificate, which is often labeled with the field name issued to
. Required only for EV Code Signing and works only on Windows (or on macOS if Parallels Desktop Windows 10 virtual machines exits).certificateSha1
String | “undefined” - The SHA1 hash of the signing certificate. The SHA1 hash is commonly specified when multiple certificates satisfy the criteria specified by the remaining switches. Works only on Windows (or on macOS if Parallels Desktop Windows 10 virtual machines exits).additionalCertificateFile
String | “undefined” - The path to an additional certificate file you want to add to the signature block.rfc3161TimeStampServer
= http://timestamp.digicert.com
String | “undefined” - The URL of the RFC 3161 time stamp server.timeStampServer
= http://timestamp.digicert.com
String | “undefined” - The URL of the time stamp server.signingHashAlgorithms
Array<“sha256” | “sha1”> | “undefined” - Array of signing algorithms used. For AppX sha256
is always used. Deprecated:sign
String | (configuration: CustomWindowsSignTaskConfiguration) => Promise - The custom function (or path to file or module id) to sign Windows executables Deprecated:certificateFile
String | “undefined” - The path to the *.pfx certificate you want to sign with. Please use it only if you cannot use env variable CSC_LINK
(WIN_CSC_LINK
) for some reason. Please see Code Signing. Deprecated:certificatePassword
String | “undefined” - The password to the certificate provided in certificateFile
. Please use it only if you cannot use env variable CSC_KEY_PASSWORD
(WIN_CSC_KEY_PASSWORD
) for some reason. Please see Code Signing. Deprecated:certificateSubjectName
String | “undefined” - The name of the subject of the signing certificate, which is often labeled with the field name issued to
. Required only for EV Code Signing and works only on Windows (or on macOS if Parallels Desktop Windows 10 virtual machines exits). Deprecated:certificateSha1
String | “undefined” - The SHA1 hash of the signing certificate. The SHA1 hash is commonly specified when multiple certificates satisfy the criteria specified by the remaining switches. Works only on Windows (or on macOS if Parallels Desktop Windows 10 virtual machines exits). Deprecated:additionalCertificateFile
String | “undefined” - The path to an additional certificate file you want to add to the signature block. Deprecated:rfc3161TimeStampServer
= http://timestamp.digicert.com
String | “undefined” - The URL of the RFC 3161 time stamp server. Deprecated:timeStampServer
= http://timestamp.digicert.com
String | “undefined” - The URL of the time stamp server. Deprecated:publisherName
String | Array<String> | “undefined” - The publisher name, exactly as in your code signed certificate. Several names can be provided. Defaults to common name from your code signing certificate.publisherName
String | Array<String> | “undefined” - The publisher name, exactly as in your code signed certificate. Several names can be provided. Defaults to common name from your code signing certificate. Deprecated:signtoolOptions
WindowsSigntoolConfiguration | “undefined” - Options for usage with signtool.exeazureSignOptions
WindowsAzureSigningConfiguration | “undefined” - Options for usage of Azure Trusted Signing (beta)verifyUpdateCodeSignature
= true
Boolean - Whether to verify the signature of an available update before installation. The publisher name will be used for the signature verification.requestedExecutionLevel
= asInvoker
“asInvoker” | “highestAvailable” | “requireAdministrator” | “undefined” - The security level at which the application requests to be executed. Cannot be specified per target, allowed only in the win
.signAndEditExecutable
= true
Boolean - Whether to sign and add metadata to executable. Advanced option.signDlls
= false
Boolean - Whether to sign DLL files. Advanced option. See: https://github.com/electron-userland/electron-builder/issues/3101#issuecomment-404212384 Deprecated:signExts
Array<String> | “undefined” - Explicit file extensions to also sign. Advanced option. See: https://github.com/electron-userland/electron-builder/issues/7329Also allows custom fields [k: string: string]
passed verbatim (case sensitive) to Invoke-TrustedSigning
endpoint
String - The Trusted Signing Account endpoint. The URI value must have a URI that aligns to the region your Trusted Signing Account and Certificate Profile you are specifying were created in during the setup of these resources.
Translates to field: Endpoint
+Requires one of environment variable configurations for authenticating to Microsoft Entra ID per Microsoft’s documentation
+certificateProfileName
String - The Certificate Profile name. Translates to field: CertificateProfileName
undefined
+sign
module:app-builder-lib/out/codeSign/windowsSignToolManager.__type | String | “undefined” - The custom function (or path to file or module id) to sign Windows executablessigningHashAlgorithms
= ['sha1', 'sha256']
Array<“sha256” | “sha1”> | “undefined” - Array of signing algorithms used. For AppX sha256
is always used.certificateFile
String | “undefined” - The path to the *.pfx certificate you want to sign with. Please use it only if you cannot use env variable CSC_LINK
(WIN_CSC_LINK
) for some reason. Please see Code Signing.certificatePassword
String | “undefined” - The password to the certificate provided in certificateFile
. Please use it only if you cannot use env variable CSC_KEY_PASSWORD
(WIN_CSC_KEY_PASSWORD
) for some reason. Please see Code Signing.certificateSubjectName
String | “undefined” - The name of the subject of the signing certificate, which is often labeled with the field name issued to
. Required only for EV Code Signing and works only on Windows (or on macOS if Parallels Desktop Windows 10 virtual machines exits).certificateSha1
String | “undefined” - The SHA1 hash of the signing certificate. The SHA1 hash is commonly specified when multiple certificates satisfy the criteria specified by the remaining switches. Works only on Windows (or on macOS if Parallels Desktop Windows 10 virtual machines exits).additionalCertificateFile
String | “undefined” - The path to an additional certificate file you want to add to the signature block.rfc3161TimeStampServer
= http://timestamp.digicert.com
String | “undefined” - The URL of the RFC 3161 time stamp server.timeStampServer
= http://timestamp.digicert.com
String | “undefined” - The URL of the time stamp server.publisherName
String | Array<String> | “undefined” - The publisher name, exactly as in your code signed certificate. Several names can be provided. Defaults to common name from your code signing certificate.