Upgrade patches from Chromium 76.0.3809.62 to Chromium 76.0.3809.72 #2976
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
mkarolin
added
CI/skip-android
simonhong
reviewed
Jul 23, 2019
mkarolin
removed
CI/skip-android
mkarolin
force-pushed
the
76.0.3809.72
branch
2 times, most recently
from
7cb1994
to
a11f747
Compare
mkarolin
commented
Jul 23, 2019
| An instance of |model.CodeSignConfig|. | ||
| """ | ||
| config_class = config.CodeSignConfig | ||
| + """ |
There was a problem hiding this comment.
This section needs to be commented out because identity and keychain below used to be passed into create_config as parameters, but now are packed into config_args parameter. Chromium probably never runs into error here because they successfully import their secret internal config and don't have an exception in the try.
There was a problem hiding this comment.
I think we can still use this as you do in the sign_brave.py. I'm porting their recent changes from sign_chrome.py to your sign_brave.py and I think that will work as you did before which is basically removing the section where they do the import of their config.
There was a problem hiding this comment.
It's the section where they do the import of their config that I commented out here in the patch, not the config_class, github's snippet isn't helping here.
simonhong
reviewed
Jul 23, 2019
mkarolin
force-pushed
the
76.0.3809.72
branch
2 times, most recently
from
33972b9
to
872eb82
Compare
28 tasks
mkarolin
force-pushed
the
76.0.3809.72
branch
3 times, most recently
from
20f75ba
to
79799d9
Compare
mkarolin
changed the title
- Changes dependency from chrome_helper_app to chrome_helper_app_default since there are now mulitple 'chrome_helper_app's. - Clears output directory from path created by GN but not expected by the signing script. Chromium changes: https://chromium.googlesource.com/chromium/src/+/4be2698e4784 commit 4be2698e4784b68198d1062a54942ae232c57c24 Author: Robert Sesek <rsesek@chromium.org> Date: Mon Jun 17 17:41:28 2019 +0000 Create more Mac Helper application bundles. In order to enable the hardened runtime, which restricts things such as writable-executable memory and loading code signed by a different Team ID, special code signing entitlements must be granted to the Helper. To keep the capabilities scoped to the process types that require them, this CL adds two new variants of the Helper app: one for renderers and one for plugins. Currently all three Helpers will be code signed in the same way without any entitlements, but this will change in the future. Tbr: dschuff@chromium.org Bug: 850193 which is rolled into c76 with: https://chromium.googlesource.com/chromium/src/+/194826d6f8a3a0d932e18ed0f5452fd5c488e490 commit 194826d6f8a3a0d932e18ed0f5452fd5c488e490 Author: Robert Sesek <rsesek@chromium.org> Date: Wed Jul 17 22:28:42 2019 +0000 [BRANCH ONLY] Roll-up cherry pick of changes to notarize Chrome on macOS. App notarization is going to be required on macOS 10.15, which is expected to be released when M76 is on stable channel. This series of changes makes modifications to Chrome's helper processes, adding multiple variants with different code signing entitlements, as well as changes to the signing scripts to support notarization. This cherry-picks the following 15 commits to the M76/3809 branch: 7f66190e7365 [Mac] Stop pretending that browser_tests/InProcessBrowserTest are bundled. ceaa2666e0eb Grant the browser several entitlements needed for the hardened runtime. 4be2698e4784 Create more Mac Helper application bundles. 3fa9da4e877a Give the new Mac helper variants the entitlements they require. 4aa3a22f4387 Code sign all Mac executables with the hardened runtime option. 4f72ae052e11 [Mac] Run the proxy_resolver service in the Renderer helper. c2b068a99ae2 Copy KeystoneRegistration.framework with a bundle_data rule for the root. 4f6b2b188f29 [Mac] Delete CFBundleBlocker and third_party/mach_override. 2f8e936c6909 macOS Signing Scripts: Add module responsible for notarization. 62d2a3f09545 macOS Signing Scripts: Drop support for resource rules. ec608fec2fd1 macOS Signing Scripts: Create the notarization sentinel file. 91b8140d5cb0 macOS Signing Scripts: Run the notarization stapler through xcrun. 4312c1f9a695 macOS Signing Scripts: Do not staple the AlertNotificationService.xpc bundle. 59347283139c macOS Signing Scripts: Write "yes-1" to the notarization sentinel file. 4d22852510f5 Mac: Sign the inner framework only once per bundle ID Bug: 850199
Fixes brave/brave-browser#4922 Fixes brave/brave-browser#5036 Rolls a couple of patches into a single function in script/signing_helper.py. Use single import directive. Generate Widevine signature file before signing framework part.
Instead of using a modified copy of sign_chrome.py (named sign_brave.py) leverage the original sign_chrome.py by patching it to call into brave's signing_helper.py for a config override. The patch also comments out a section of sign_chrome.py that causes a runtime error due to wrong variables names.
mkarolin
commented
Jul 24, 2019
|
|
||
| # Invoke python script to do the signing. | ||
| PARAMS="--input $SOURCE_DIR --output $DEST_DIR --keychain $MAC_SIGNING_KEYCHAIN --identity $MAC_SIGNING_IDENTIFIER --no-dmg --no-notarize" |
There was a problem hiding this comment.
@mbacchi, chrome/installer/mac/sign_chrome.py now takes --notarize/--no-notarize, --notary-user, and --notary-password arguments. Possibly, we can use their script for notarization? We aren't creating dmg in this step, so it would have to be notarized separately.
There was a problem hiding this comment.
That's the approach I'm taking right now, I'm trying to leverage their scripts as much as possible. I'm getting close to something that I can get your opinion on.
|
Passed CI, ready for review. |
This was referenced Jul 25, 2019
4 tasks
bsclifton
added a commit
that referenced
this pull request
Jul 26, 2019
Upgrade patches from Chromium 76.0.3809.62 to Chromium 76.0.3809.72
bsclifton
added a commit
that referenced
this pull request
Jul 26, 2019
Upgrade patches from Chromium 76.0.3809.62 to Chromium 76.0.3809.72
bsclifton
added a commit
that referenced
this pull request
Jul 26, 2019
Upgrade patches from Chromium 76.0.3809.62 to Chromium 76.0.3809.72
bsclifton
added a commit
that referenced
this pull request
Jul 30, 2019
Upgrade patches from Chromium 76.0.3809.62 to Chromium 76.0.3809.72
bsclifton
added a commit
that referenced
this pull request
Jul 30, 2019
Upgrade patches from Chromium 76.0.3809.62 to Chromium 76.0.3809.72
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Fixes brave/brave-browser#5299
Related PR: brave/brave-browser#5364
Submitter Checklist:
npm run lint)git rebase master(if needed).git rebase -ito squash commits (if needed).Test Plan:
Reviewer Checklist:
After-merge Checklist:
changes has landed on.