diff --git a/app/mac/BUILD.gn b/app/mac/BUILD.gn
index a1739c7d7fb6..3cdc1262d377 100644
--- a/app/mac/BUILD.gn
+++ b/app/mac/BUILD.gn
@@ -54,7 +54,7 @@ action("generate_breakpad_symbols") {
deps = [
"//brave:chrome_app",
"//chrome:chrome_framework",
- "//chrome:chrome_helper_app",
+ "//chrome:chrome_helper_app_default",
"//chrome:chrome_dump_syms",
"//third_party/crashpad/crashpad/handler:crashpad_handler",
"//third_party/breakpad:dump_syms",
diff --git a/build/mac/sign_app.sh b/build/mac/sign_app.sh
index f3d4d53056e2..33d7f3f9240e 100755
--- a/build/mac/sign_app.sh
+++ b/build/mac/sign_app.sh
@@ -11,10 +11,12 @@ SOURCE_DIR="${1}"
DEST_DIR="${2}"
PKG_DIR="${3}"
DEVELOPMENT=
+MAC_PROVISIONING_PROFILE=
if [[ "${4}" = "True" ]]; then
- DEVELOPMENT="--development"
+ DEVELOPMENT="--development"
+else
+ MAC_PROVISIONING_PROFILE="${5}"
fi
-MAC_PROVISIONING_PROFILE="${5}"
MAC_SIGNING_KEYCHAIN="${6}"
MAC_SIGNING_IDENTIFIER="${7}"
@@ -36,16 +38,23 @@ function check_exit() {
trap check_exit EXIT
-# Copy signing script to the packaging directory
-SCRIPT_DIR=$(dirname ${0})
-cp -f "${SCRIPT_DIR}/sign_brave.py" "${PKG_DIR}"
+# brave/scripts/signing_helper.py will retrieve this value when called from
+# sign_chrome.py
+export MAC_PROVISIONING_PROFILE
+
+# Clear output directory. It seems GN auto-creates directory path to the
+# expected outputs. However, the signing script doesn't expect the path to
+# have been created and fails trying to create it again.
+echo "Cleaning $DEST_DIR ..."
+rm -rf $DEST_DIR/*
# Invoke python script to do the signing.
+PARAMS="--input $SOURCE_DIR --output $DEST_DIR --keychain $MAC_SIGNING_KEYCHAIN --identity $MAC_SIGNING_IDENTIFIER --no-dmg --no-notarize"
if [[ -z "${DEVELOPMENT}" ]]; then
# Copy mac_provisioning_profile to the packaging_dir since that's where the
# signing scripts expects to find it.
cp -f "$MAC_PROVISIONING_PROFILE" "$PKG_DIR"
- "${PKG_DIR}/sign_brave.py" --input "$SOURCE_DIR" --output "$DEST_DIR" --keychain "$MAC_SIGNING_KEYCHAIN" --identity "$MAC_SIGNING_IDENTIFIER" --no-dmg --provisioning-profile "$MAC_PROVISIONING_PROFILE"
else
- "${PKG_DIR}/sign_brave.py" --input "$SOURCE_DIR" --output "$DEST_DIR" --keychain "$MAC_SIGNING_KEYCHAIN" --identity "$MAC_SIGNING_IDENTIFIER" --no-dmg "$DEVELOPMENT"
+ PARAMS="$PARAMS $DEVELOPMENT"
fi
+"${PKG_DIR}/sign_chrome.py" $PARAMS
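Review bot: `rm -rf $DEST_DIR/*` expands unquoted, so an empty or unset `DEST_DIR` turns it into `rm -rf /*`, and a path containing spaces deletes the wrong entries. The same hunk builds `PARAMS` as one flat string and word-splits it at the call, where the removed invocation quoted every argument. A signing identity or keychain path with spaces would therefore reach `sign_chrome.py` as several arguments. A bash array keeps each value intact, and `${DEST_DIR:?}` aborts the script when the variable is empty.

```shell
# … unchanged: export MAC_PROVISIONING_PROFILE and the explanatory comment …
echo "Cleaning $DEST_DIR ..."
rm -rf "${DEST_DIR:?}"/*

PARAMS=(--input "$SOURCE_DIR" --output "$DEST_DIR"
        --keychain "$MAC_SIGNING_KEYCHAIN"
        --identity "$MAC_SIGNING_IDENTIFIER" --no-dmg --no-notarize)
if [[ -z "${DEVELOPMENT}" ]]; then
  # … unchanged: copy the provisioning profile into PKG_DIR …
else
  PARAMS+=("$DEVELOPMENT")
fi
"${PKG_DIR}/sign_chrome.py" "${PARAMS[@]}"
```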
diff --git a/build/mac/sign_brave.py b/build/mac/sign_brave.py
deleted file mode 100755
index 04064b80fa00..000000000000
--- a/build/mac/sign_brave.py
+++ /dev/null
@@ -1,123 +0,0 @@
-#!/usr/bin/env python
-# Copyright (c) 2019 The Brave Authors. All rights reserved.
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this file,
-# You can obtain one at http://mozilla.org/MPL/2.0/.
-
-# This script is a modified version of chrome/installer/mac/sign_chrome.py
-# that allows to configure provisioning profile on the fly and also adds
-# sparkle to optional parts for signing.
-
-import argparse
-import os.path
-import shutil
-import sys
-
-sys.path.append(os.path.dirname(__file__))
-
-from signing import config, model, pipeline
-
-
-def create_config(identity, keychain, development, provisioning_profile):
- """Creates the |model.CodeSignConfig| for the signing operations.
-
- If |development| is True, the config will be modified to not require
- restricted internal assets, nor will the products be required to match
- specific certificate hashes.
-
- Args:
- identity: The code signing identity to use.
- keychain: Optional path to the keychain file, in which |identity|
- will be searched for.
- development: Boolean indicating whether or not to modify the chosen
- config for development testing.
- provisioning_profile: The path to provisioning profile file.
-
- Returns:
- An instance of |model.CodeSignConfig|.
- """
- config_class = config.CodeSignConfig
-
- if development:
-
- class DevelopmentCodeSignConfig(config_class):
-
- @property
- def codesign_requirements_basic(self):
- return ''
-
- @property
- def provisioning_profile_basename(self):
- return None
-
- @property
- def run_spctl_assess(self):
- return False
-
- config_class = DevelopmentCodeSignConfig
-
- else:
-
- class ProvisioningProfileCodeSignConfig(config_class):
-
- @property
- def provisioning_profile_basename(self):
- return os.path.splitext(
- os.path.basename(provisioning_profile))[0]
-
- @property
- def optional_parts(self):
- return set(('libwidevinecdm.dylib',
- 'sparkle-framework',))
-
- @property
- def run_spctl_assess(self):
- return True
-
- config_class = ProvisioningProfileCodeSignConfig
-
- return config_class(identity, keychain)
-
-
-def main():
- parser = argparse.ArgumentParser(
- description='Code sign and package Brave for channel distribution.')
- parser.add_argument(
- '--keychain', help='The keychain to load the identity from.')
- parser.add_argument(
- '--identity', required=True, help='The identity to sign with.')
- parser.add_argument('--development', action='store_true',
- help='The specified identity is for development. ' \
- 'Certain codesign requirements will be omitted.')
- parser.add_argument('--input', required=True,
- help='Path to the input directory. The input directory should ' \
- 'contain the products to sign, as well as the Packaging ' \
- 'directory.')
- parser.add_argument('--output', required=True,
- help='Path to the output directory. The signed DMG products and ' \
- 'installer tools will be placed here.')
- parser.add_argument(
- '--no-dmg',
- action='store_true',
- help='Only sign Brave and do not package the bundle into a DMG.')
- parser.add_argument('--provisioning-profile',
- help='The path to the provisioning profile file')
- args = parser.parse_args()
-
- config = create_config(args.identity, args.keychain, args.development,
- args.provisioning_profile)
- paths = model.Paths(args.input, args.output, None)
-
- if not os.path.exists(paths.output):
- os.mkdir(paths.output)
- else:
- if args.no_dmg:
- dest_dir = os.path.join(paths.output, config.dmg_basename)
- if os.path.exists(dest_dir):
- shutil.rmtree(dest_dir)
-
- pipeline.sign_all(paths, config, package_dmg=not args.no_dmg)
-
-
-if __name__ == '__main__':
- main()
diff --git a/patches/chrome-BUILD.gn.patch b/patches/chrome-BUILD.gn.patch
index aad7ab2c68a4..3b1e6b7f888b 100644
--- a/patches/chrome-BUILD.gn.patch
+++ b/patches/chrome-BUILD.gn.patch
@@ -1,8 +1,8 @@
diff --git a/chrome/BUILD.gn b/chrome/BUILD.gn
-index 7b277dc44034b556594bf47736d3ea95e85d2ac2..c77b47711636c6cf5ab6abdea21abf1b8c4a1956 100644
+index 39a8e6fded4b9f9c3c8b5c0bb9f50e919a577545..6708b39ed56ab8dc2cf593b5a79abe17b12ed2a2 100644
--- a/chrome/BUILD.gn
+++ b/chrome/BUILD.gn
-@@ -189,6 +189,10 @@ if (!is_android && !is_mac) {
+@@ -190,6 +190,10 @@ if (!is_android && !is_mac) {
"common/crash_keys.cc",
"common/crash_keys.h",
]
@@ -13,7 +13,7 @@ index 7b277dc44034b556594bf47736d3ea95e85d2ac2..c77b47711636c6cf5ab6abdea21abf1b
deps += [
":chrome_dll",
-@@ -288,6 +292,7 @@ if (!is_android && !is_mac) {
+@@ -289,6 +293,7 @@ if (!is_android && !is_mac) {
"//headless:headless_shell_lib",
"//services/service_manager/embedder",
]
@@ -21,7 +21,7 @@ index 7b277dc44034b556594bf47736d3ea95e85d2ac2..c77b47711636c6cf5ab6abdea21abf1b
public_deps = [
":xdg_mime", # Needs to be public for installer to consume files.
-@@ -434,6 +439,7 @@ if (is_win) {
+@@ -435,6 +440,7 @@ if (is_win) {
"//third_party/wtl",
"//ui/views",
]
@@ -29,7 +29,7 @@ index 7b277dc44034b556594bf47736d3ea95e85d2ac2..c77b47711636c6cf5ab6abdea21abf1b
ldflags = [
"/DELAYLOAD:advapi32.dll",
-@@ -568,6 +574,7 @@ if (is_win) {
+@@ -569,6 +575,7 @@ if (is_win) {
"//headless:headless_shell_child_lib",
"//services/service_manager/embedder",
]
@@ -37,7 +37,7 @@ index 7b277dc44034b556594bf47736d3ea95e85d2ac2..c77b47711636c6cf5ab6abdea21abf1b
ldflags = [
"/DELAYLOAD:comctl32.dll",
-@@ -680,6 +687,11 @@ if (is_win) {
+@@ -681,6 +688,11 @@ if (is_win) {
]
}
@@ -49,7 +49,7 @@ index 7b277dc44034b556594bf47736d3ea95e85d2ac2..c77b47711636c6cf5ab6abdea21abf1b
mac_app_bundle("chrome_app") {
output_name = chrome_product_full_name
-@@ -713,6 +725,7 @@ if (is_win) {
+@@ -714,6 +726,7 @@ if (is_win) {
rebase_path("app/app.exports", root_build_dir) ]
}
}
@@ -57,7 +57,7 @@ index 7b277dc44034b556594bf47736d3ea95e85d2ac2..c77b47711636c6cf5ab6abdea21abf1b
compiled_action("chrome_app_strings") {
tool = "//chrome/tools/build/mac:infoplist_strings_tool"
-@@ -742,7 +755,7 @@ if (is_win) {
+@@ -743,7 +756,7 @@ if (is_win) {
args =
[
"-b",
@@ -66,7 +66,7 @@ index 7b277dc44034b556594bf47736d3ea95e85d2ac2..c77b47711636c6cf5ab6abdea21abf1b
"-v",
rebase_path(chrome_version_file, root_build_dir),
"-g",
-@@ -823,7 +836,7 @@ if (is_win) {
+@@ -824,7 +837,7 @@ if (is_win) {
# framework itself, that would cause a cyclical dependency. Instead,
# this dependency directly copies the file into the framework's
# resources directory.
@@ -75,7 +75,7 @@ index 7b277dc44034b556594bf47736d3ea95e85d2ac2..c77b47711636c6cf5ab6abdea21abf1b
}
}
-@@ -1222,6 +1235,7 @@ if (is_win) {
+@@ -1250,6 +1263,7 @@ if (is_win) {
"//services/service_manager/embedder",
"//third_party/cld_3/src/src:cld_3",
]
@@ -83,7 +83,7 @@ index 7b277dc44034b556594bf47736d3ea95e85d2ac2..c77b47711636c6cf5ab6abdea21abf1b
if (is_component_build) {
libs = [ "Carbon.framework" ]
-@@ -1286,6 +1300,10 @@ if (is_win) {
+@@ -1314,6 +1328,10 @@ if (is_win) {
if (is_chrome_branded) {
deps += [ ":default_apps" ]
}
@@ -94,7 +94,7 @@ index 7b277dc44034b556594bf47736d3ea95e85d2ac2..c77b47711636c6cf5ab6abdea21abf1b
ldflags = [ "-Wl,-install_name,@executable_path/../Frameworks/$chrome_framework_name.framework/Versions/$chrome_version_full/$chrome_framework_name" ]
-@@ -1446,6 +1464,7 @@ if (is_win) {
+@@ -1484,6 +1502,7 @@ if (is_win) {
group("browser_dependencies") {
public_deps = [
@@ -102,7 +102,7 @@ index 7b277dc44034b556594bf47736d3ea95e85d2ac2..c77b47711636c6cf5ab6abdea21abf1b
"//chrome/browser",
"//chrome/common",
"//components/gwp_asan/buildflags",
-@@ -1519,13 +1538,14 @@ group("child_dependencies") {
+@@ -1557,13 +1576,14 @@ group("child_dependencies") {
# this is OK because all of content is linked into one library.
"//content/browser",
]
@@ -118,7 +118,7 @@ index 7b277dc44034b556594bf47736d3ea95e85d2ac2..c77b47711636c6cf5ab6abdea21abf1b
]
output = "$target_gen_dir/chrome_exe_version.rc"
}
-@@ -1598,6 +1618,7 @@ group("resources") {
+@@ -1636,6 +1656,7 @@ group("resources") {
"//chrome/browser:resources",
"//chrome/common:resources",
"//chrome/renderer:resources",
@@ -126,7 +126,7 @@ index 7b277dc44034b556594bf47736d3ea95e85d2ac2..c77b47711636c6cf5ab6abdea21abf1b
]
}
-@@ -1849,6 +1870,7 @@ if (is_android) {
+@@ -1887,6 +1908,7 @@ if (is_android) {
"//content/public/common:service_names",
"//services/service_manager/embedder",
]
diff --git a/patches/chrome-VERSION.patch b/patches/chrome-VERSION.patch
index 227f173a95e9..79f3444fb615 100644
--- a/patches/chrome-VERSION.patch
+++ b/patches/chrome-VERSION.patch
@@ -1,11 +1,11 @@
diff --git a/chrome/VERSION b/chrome/VERSION
-index e05d1f3aaf621bae4c2448a8dd9ee80a90b2321b..6f14cd915f02f2a05d0d78ad5fba93f7ae33267d 100644
+index 556db09bacc7ecdd8fefe44172fcd20866c2c7fc..4caee6d1e089996ef39511610a955ee6f387e5c8 100644
--- a/chrome/VERSION
+++ b/chrome/VERSION
@@ -1,4 +1,4 @@
MAJOR=76
MINOR=0
-BUILD=3809
--PATCH=62
+-PATCH=72
+BUILD=69
+PATCH=96
diff --git a/patches/chrome-browser-permissions-permission_request.h.patch b/patches/chrome-browser-permissions-permission_request.h.patch
index 62b46e3b140a..81c655ef7f00 100644
--- a/patches/chrome-browser-permissions-permission_request.h.patch
+++ b/patches/chrome-browser-permissions-permission_request.h.patch
@@ -1,5 +1,5 @@
diff --git a/chrome/browser/permissions/permission_request.h b/chrome/browser/permissions/permission_request.h
-index 6daa247ce558241db33a1d1ae0187f14631cc842..dcbfa42bd87013619a7a54a2597487e479338ce3 100644
+index 6daa247ce558241db33a1d1ae0187f14631cc842..1bd4ae483d9803262a61fc7e6196848aa814ec54 100644
--- a/chrome/browser/permissions/permission_request.h
+++ b/chrome/browser/permissions/permission_request.h
@@ -45,6 +45,7 @@ enum class PermissionRequestType {
diff --git a/patches/chrome-browser-profiles-profile.cc.patch b/patches/chrome-browser-profiles-profile.cc.patch
index 42edd12f3994..a1fe406766b6 100644
--- a/patches/chrome-browser-profiles-profile.cc.patch
+++ b/patches/chrome-browser-profiles-profile.cc.patch
@@ -1,5 +1,5 @@
diff --git a/chrome/browser/profiles/profile.cc b/chrome/browser/profiles/profile.cc
-index 71d736c9eaf3503e532d72c410f4d4dadff372cd..f278991246e40b894418cd05f9a5fb6fb192c5a5 100644
+index 71d736c9eaf3503e532d72c410f4d4dadff372cd..39114245329d5767f8b51a5c9120c76038018d04 100644
--- a/chrome/browser/profiles/profile.cc
+++ b/chrome/browser/profiles/profile.cc
@@ -140,7 +140,7 @@ const char Profile::kProfileKey[] = "__PROFILE__";
diff --git a/patches/chrome-browser-ui-views-location_bar-location_bar_view.cc.patch b/patches/chrome-browser-ui-views-location_bar-location_bar_view.cc.patch
index 24b01abed03e..ac1b24b5b461 100644
--- a/patches/chrome-browser-ui-views-location_bar-location_bar_view.cc.patch
+++ b/patches/chrome-browser-ui-views-location_bar-location_bar_view.cc.patch
@@ -1,5 +1,5 @@
diff --git a/chrome/browser/ui/views/location_bar/location_bar_view.cc b/chrome/browser/ui/views/location_bar/location_bar_view.cc
-index 4fab5d0fd6bc6b6c47f4174dc1f611ba79610589..ba50e1396991f7f852c2007dbb9543f9b4b83990 100644
+index 4fab5d0fd6bc6b6c47f4174dc1f611ba79610589..33ed86ccfadb68cbb2b0b6f321b59de995a2002c 100644
--- a/chrome/browser/ui/views/location_bar/location_bar_view.cc
+++ b/chrome/browser/ui/views/location_bar/location_bar_view.cc
@@ -443,7 +443,7 @@ void LocationBarView::OnKeywordFaviconFetched(const gfx::Image& icon) {
diff --git a/patches/chrome-common-BUILD.gn.patch b/patches/chrome-common-BUILD.gn.patch
index fe8215016d6b..a077ec4640e5 100644
--- a/patches/chrome-common-BUILD.gn.patch
+++ b/patches/chrome-common-BUILD.gn.patch
@@ -1,5 +1,5 @@
diff --git a/chrome/common/BUILD.gn b/chrome/common/BUILD.gn
-index 81c957087e6adbfe78208035cf52052c93a1e978..445736d844a330a10c9c8da392fe6a10790a2ce0 100644
+index 15dcd3acac69be8ec9ec5f8f2eb9e0f6b68c88fd..944f5f34ebbf89bc5bec61e86cfcf962af1593ca 100644
--- a/chrome/common/BUILD.gn
+++ b/chrome/common/BUILD.gn
@@ -78,6 +78,7 @@ source_set("channel_info") {
@@ -10,7 +10,7 @@ index 81c957087e6adbfe78208035cf52052c93a1e978..445736d844a330a10c9c8da392fe6a10
}
source_set("ini_parser") {
-@@ -210,6 +211,7 @@ static_library("common") {
+@@ -208,6 +209,7 @@ static_library("common") {
]
public_deps = [
@@ -18,7 +18,7 @@ index 81c957087e6adbfe78208035cf52052c93a1e978..445736d844a330a10c9c8da392fe6a10
":available_offline_content_mojom",
":buildflags",
":channel_info",
-@@ -548,6 +550,7 @@ static_library("non_code_constants") {
+@@ -543,6 +545,7 @@ static_library("non_code_constants") {
"//printing/buildflags",
"//ui/base:buildflags",
]
diff --git a/patches/chrome-installer-mac-sign_chrome.py.patch b/patches/chrome-installer-mac-sign_chrome.py.patch
new file mode 100644
index 000000000000..5ec3a20582d9
--- /dev/null
+++ b/patches/chrome-installer-mac-sign_chrome.py.patch
@@ -0,0 +1,29 @@
+diff --git a/chrome/installer/mac/sign_chrome.py b/chrome/installer/mac/sign_chrome.py
+index fa3a88200f5156975d0da5bcc52ed6f9896e792e..9068adc58127d24f50f47b3f1f939e2b6feaef69 100755
+--- a/chrome/installer/mac/sign_chrome.py
++++ b/chrome/installer/mac/sign_chrome.py
+@@ -28,6 +28,7 @@ def create_config(config_args, development):
+ An instance of |model.CodeSignConfig|.
+ """
+ config_class = config.CodeSignConfig
++ """
+ try:
+ import signing.internal_config
+ config_class = signing.internal_config.InternalCodeSignConfig
+@@ -36,6 +37,7 @@ def create_config(config_args, development):
+ # internal config has to be available.
+ if config_class(identity, keychain).product == 'Google Chrome':
+ raise e
++ """
+
+ if development:
+
+@@ -55,6 +57,8 @@ def create_config(config_args, development):
+
+ config_class = DevelopmentCodeSignConfig
+
++ from signing_helper import GetBraveSigningConfig
++ config_class = GetBraveSigningConfig(config_class, development)
+ return config_class(*config_args)
+
+
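Review bot: `from signing_helper import GetBraveSigningConfig` is a bare-name import inside `create_config`, and nothing visible in this patch puts the helper's directory on `sys.path`. In a script that runs with access to the signing identity, whichever `signing_helper` module is found first on the path is the one that executes. The lookup may be arranged elsewhere (for example via `PYTHONPATH`), but it should be stated in a comment next to the import, or the directory should be inserted explicitly before importing. Separately, the upstream `try:` block is disabled by wrapping it in a `"""` string literal, so any later upstream change inside that block is silently swallowed; a short `# Brave: internal_config lookup disabled` comment next to the opening quotes would make the intent visible on rebase. `create_config` starts and ends outside the hunks shown.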
diff --git a/patches/chrome-installer-mac-signing-pipeline.py.patch b/patches/chrome-installer-mac-signing-pipeline.py.patch
index b4226c3136e8..9bb099c52403 100644
--- a/patches/chrome-installer-mac-signing-pipeline.py.patch
+++ b/patches/chrome-installer-mac-signing-pipeline.py.patch
@@ -1,8 +1,8 @@
diff --git a/chrome/installer/mac/signing/pipeline.py b/chrome/installer/mac/signing/pipeline.py
-index ac3cd9f6b28570410730f8aaaf98b3f7ce468320..6d49ec610df9b9550e1eb2d6febd431eb6e2a724 100644
+index f8318c3b2a940b1ea2bc2b4ffc06550654d8e0c5..4d7926df4fb9b5093768e1823c78bab4d0d24364 100644
--- a/chrome/installer/mac/signing/pipeline.py
+++ b/chrome/installer/mac/signing/pipeline.py
-@@ -85,7 +85,6 @@ def _package_installer_tools(paths, config):
+@@ -219,7 +219,6 @@ def _package_installer_tools(paths, config):
'dirdiffer.sh',
'dirpatcher.sh',
'dmgdiffer.sh',
diff --git a/patches/chrome-installer-mac-signing-signing.py.patch b/patches/chrome-installer-mac-signing-signing.py.patch
index 8299ec7517d8..cff49e01c46b 100644
--- a/patches/chrome-installer-mac-signing-signing.py.patch
+++ b/patches/chrome-installer-mac-signing-signing.py.patch
@@ -1,49 +1,47 @@
diff --git a/chrome/installer/mac/signing/signing.py b/chrome/installer/mac/signing/signing.py
-index ddd5aeef9dafb3e80ad20a7481c4f8ebb418493d..2fda1db466d960856ad397fb8fe97992871fbcec 100644
+index de69f7ba6cca5729ab83ff076211be36354d0f60..875803bff951845a97cb771d445b272113a5ed91 100644
--- a/chrome/installer/mac/signing/signing.py
+++ b/chrome/installer/mac/signing/signing.py
-@@ -42,7 +42,6 @@ def get_parts(config):
- options=CodeSignOptions.RESTRICT,
- requirements=config.codesign_requirements_outer_app,
- identifier_requirement=False,
-- resource_rules='app_resource_rules.plist',
- entitlements='app-entitlements.plist',
- verify_options=VerifyOptions.DEEP + VerifyOptions.NO_STRICT),
- 'framework':
-@@ -82,9 +81,17 @@ def get_parts(config):
- options=CodeSignOptions.RESTRICT +
- CodeSignOptions.LIBRARY_VALIDATION,
- verify_options=VerifyOptions.IGNORE_RESOURCES),
-+ 'sparkle-framework':
-+ CodeSignedProduct(
-+ '{.framework_dir}/Frameworks/Sparkle.framework'
-+ .format(config),
-+ 'org.sparkle-project.Sparkle',
-+ verify_options=VerifyOptions.DEEP + VerifyOptions.NO_STRICT),
- }
+@@ -11,6 +11,7 @@ import os.path
- dylibs = (
-+ 'libchallenge_bypass_ristretto.dylib',
-+ 'libadblock.dylib',
- 'libEGL.dylib',
- 'libGLESv2.dylib',
- 'libswiftshader_libEGL.dylib',
-@@ -141,7 +148,7 @@ def sign_part(paths, config, part):
+ from . import commands
+ from .model import CodeSignOptions, CodeSignedProduct, VerifyOptions
++from signing_helper import AddBravePartsForSigning, GenerateBraveWidevineSigFile
+
+ _PROVISIONPROFILE_EXT = '.provisionprofile'
+ _PROVISIONPROFILE_DEST = 'embedded.provisionprofile'
+@@ -76,7 +77,8 @@ def get_parts(config):
+ '{0.framework_dir}/Helpers/{0.product} Helper.app'.format(
+ config),
+ '{}.helper'.format(uncustomized_bundle_id),
+- options=full_hardened_runtime_options,
++ options=CodeSignOptions.RESTRICT + CodeSignOptions.KILL +
++ CodeSignOptions.HARDENED_RUNTIME,
+ verify_options=VerifyOptions.DEEP),
+ 'helper-renderer-app':
+ CodeSignedProduct(
+@@ -124,6 +126,7 @@ def get_parts(config):
+ library_basename.replace('.dylib', ''),
+ verify_options=VerifyOptions.DEEP)
+
++ AddBravePartsForSigning(parts, config)
+ return parts
+
+
+@@ -168,7 +171,7 @@ def sign_part(paths, config, part):
part: The |model.CodeSignedProduct| to sign. The product's |path| must
be in |paths.work|.
"""
- command = ['codesign', '--sign', config.identity]
+ command = ['codesign', '--force', '--sign', config.identity]
- if part.sign_with_identifier:
- command.extend(['--identifier', part.identifier])
- reqs = part.requirements_string(config)
-@@ -231,6 +238,9 @@ def sign_chrome(paths, config):
+ if config.notary_user:
+ # Assume if the config has notary authentication information that the
+ # products will be notarized, which requires a secure timestamp.
+@@ -260,6 +263,7 @@ def sign_chrome(paths, config, sign_framework=False):
+ continue
+ sign_part(paths, config, part)
- # Sign the framework bundle.
- sign_part(paths, config, parts['framework'])
-+ from signing_helper import GenerateWidevineSigFile
-+ GenerateWidevineSigFile(paths, config, parts['framework'])
-+ sign_part(paths, config, parts['framework'])
++ GenerateBraveWidevineSigFile(paths, config, parts['framework'])
+ # Sign the framework bundle.
+ sign_part(paths, config, parts['framework'])
- provisioning_profile_basename = config.provisioning_profile_basename
- if provisioning_profile_basename:
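Review bot: The helper-app entry now hard-codes `CodeSignOptions.RESTRICT + CodeSignOptions.KILL + CodeSignOptions.HARDENED_RUNTIME` in place of upstream's `full_hardened_runtime_options`, and the patch does not say which option is being dropped or why. The definition of `full_hardened_runtime_options` is outside this hunk, but if it also carries library validation, the helper ends up signed with a weaker policy than upstream's. Record the reason next to the override, e.g. `# Brave: helper omits <option> because <reason>` with the placeholders filled in, so the deviation is re-checked on every Chromium rebase.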
diff --git a/patches/chrome-test-BUILD.gn.patch b/patches/chrome-test-BUILD.gn.patch
index 47974060d001..6b1c20a0b6e5 100644
--- a/patches/chrome-test-BUILD.gn.patch
+++ b/patches/chrome-test-BUILD.gn.patch
@@ -1,5 +1,5 @@
diff --git a/chrome/test/BUILD.gn b/chrome/test/BUILD.gn
-index d637b306110b4adfb1f4b85be3491949a98803c5..4f4b52000f56c4b41963df094cac280fc3510802 100644
+index faacc5e21894b5227f7e9a26f4fad9b477d215d4..da817ea0dc5555c2b6e7915f35a71d25ae336c7f 100644
--- a/chrome/test/BUILD.gn
+++ b/chrome/test/BUILD.gn
@@ -591,6 +591,7 @@ if (!is_android) {
@@ -9,4 +9,4 @@ index d637b306110b4adfb1f4b85be3491949a98803c5..4f4b52000f56c4b41963df094cac280f
+ deps += [ "//brave/test:brave_browser_tests_deps", ]
# Runtime dependencies
data_deps = [
- "//ppapi:ppapi_tests",
+ "//chrome/browser/resources/media/mei_preload:component",
diff --git a/patches/content-common-BUILD.gn.patch b/patches/content-common-BUILD.gn.patch
index 9b542f5594e0..74e2a2663f1e 100644
--- a/patches/content-common-BUILD.gn.patch
+++ b/patches/content-common-BUILD.gn.patch
@@ -1,8 +1,8 @@
diff --git a/content/common/BUILD.gn b/content/common/BUILD.gn
-index 53896298b41c20a40d0036874d63e302b1ed1922..0a823c5eb005007a289a1292074306358d6ceda6 100644
+index a5a15ca2363e56d1eea2b184c2ea7070dc860368..f8153ffa72966934d68abab556dd7406c0a37f52 100644
--- a/content/common/BUILD.gn
+++ b/content/common/BUILD.gn
-@@ -31,7 +31,7 @@ source_set("common") {
+@@ -32,7 +32,7 @@ source_set("common") {
# In addition, targets outside of the content component (shell and tests)
# must not link to this because it will duplicate the code in the component
# build.
diff --git a/patches/content-public-browser-content_browser_client.h.patch b/patches/content-public-browser-content_browser_client.h.patch
index faf853746fd4..4bba3a9424bd 100644
--- a/patches/content-public-browser-content_browser_client.h.patch
+++ b/patches/content-public-browser-content_browser_client.h.patch
@@ -1,8 +1,8 @@
diff --git a/content/public/browser/content_browser_client.h b/content/public/browser/content_browser_client.h
-index 1a16897afa4457319518bce5341a6e1416bd016e..b65e5c2b224a65f509bc5124ae356a0064c56b7a 100644
+index a2ef727d3a61985e84782e4517fb9d354aa203ef..832da8216dfb51373de82d93def8731d79884590 100644
--- a/content/public/browser/content_browser_client.h
+++ b/content/public/browser/content_browser_client.h
-@@ -1529,6 +1529,14 @@ class CONTENT_EXPORT ContentBrowserClient {
+@@ -1542,6 +1542,14 @@ class CONTENT_EXPORT ContentBrowserClient {
virtual ui::AXMode GetAXModeForBrowserContext(
BrowserContext* browser_context);
diff --git a/patches/services-service_manager-sandbox-win-sandbox_win.cc.patch b/patches/services-service_manager-sandbox-win-sandbox_win.cc.patch
index e96efdbfd7c1..3e79d9d39d99 100644
--- a/patches/services-service_manager-sandbox-win-sandbox_win.cc.patch
+++ b/patches/services-service_manager-sandbox-win-sandbox_win.cc.patch
@@ -1,8 +1,8 @@
diff --git a/services/service_manager/sandbox/win/sandbox_win.cc b/services/service_manager/sandbox/win/sandbox_win.cc
-index b5e74f4588984562f7f3118fc3d057d5dfb5f4fd..c1a25139d51ba913d90e24918ea0a407e37bd68e 100644
+index e57439cdb4d8ccb672dafb4501154e75da77492a..576d96d0df587a512607f524f4a0823febb63b1f 100644
--- a/services/service_manager/sandbox/win/sandbox_win.cc
+++ b/services/service_manager/sandbox/win/sandbox_win.cc
-@@ -865,6 +865,7 @@ sandbox::ResultCode SandboxWin::StartSandboxedProcess(
+@@ -867,6 +867,7 @@ sandbox::ResultCode SandboxWin::StartSandboxedProcess(
service_manager::switches::kNoSandbox)) {
base::LaunchOptions options;
options.handles_to_inherit = handles_to_inherit;
diff --git a/patches/tools-metrics-histograms-histograms.xml.patch b/patches/tools-metrics-histograms-histograms.xml.patch
index d2c3eddea54b..73fddf58b552 100644
--- a/patches/tools-metrics-histograms-histograms.xml.patch
+++ b/patches/tools-metrics-histograms-histograms.xml.patch
@@ -1,8 +1,8 @@
diff --git a/tools/metrics/histograms/histograms.xml b/tools/metrics/histograms/histograms.xml
-index 9078e9835792c43761302d3c6a43b1492ee04994..fddb74f9ae45665f34b3665af41b53a983c3e256 100644
+index 5ff25826967e3104b74413562fec66f45d468311..df098fe8b60b8f6f8c7dae6bddeda404b2e7d8b7 100644
--- a/tools/metrics/histograms/histograms.xml
+++ b/tools/metrics/histograms/histograms.xml
-@@ -157391,6 +157391,7 @@ should be kept until we use this API. -->
+@@ -157430,6 +157430,7 @@ should be kept until we use this API. -->
diff --git a/script/signing_helper.py b/script/signing_helper.py
index 24c3023bbc38..46626c754037 100644
--- a/script/signing_helper.py
+++ b/script/signing_helper.py
@@ -9,6 +9,16 @@
import subprocess
import sys
+# Construct path to signing modules in chrome/installer/mac/signing
+signing_path = os.path.realpath(os.path.dirname(os.path.realpath(__file__)))
+signing_path = os.path.realpath(os.path.join(
+ signing_path, os.pardir, os.pardir, "chrome", "installer", "mac"))
+sys.path.append(signing_path)
+
+# Import the entire module to avoid circular dependencies in the functions
+import signing.model # noqa: E402
+import signing.signing # noqa: E402
+
sign_widevine_cert = os.environ.get('SIGN_WIDEVINE_CERT')
sign_widevine_key = os.environ.get('SIGN_WIDEVINE_KEY')
sign_widevine_passwd = os.environ.get('SIGN_WIDEVINE_PASSPHRASE')
@@ -27,8 +37,15 @@ def run_command(args, **kwargs):
subprocess.check_call(args, **kwargs)
-def GenerateWidevineSigFile(paths, config, part):
+def GenerateBraveWidevineSigFile(paths, config, part):
if sign_widevine_key and sign_widevine_key and sign_widevine_passwd and file_exists(sig_generator_path):
+ # Framework needs to be signed before generating Widevine signature
+ # file. The calling script will re-sign it after Widevine signature
+ # file has been added (see signing.py from where this function is
+ # called).
+ from signing.signing import sign_part
+ sign_part(paths, config, part)
+ # Generate signature file
chrome_framework_name = config.app_product + ' Framework'
chrome_framework_version_path = os.path.join(paths.work, part.path, 'Versions', config.version)
sig_source_file = os.path.join(chrome_framework_version_path, chrome_framework_name)
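Review bot: The guard that gates the added `sign_part(paths, config, part)` call tests `sign_widevine_key` twice and never tests `sign_widevine_cert`, even though the module reads it from the environment. A build with the key and passphrase set but no certificate still enters the branch. The condition should read `if sign_widevine_cert and sign_widevine_key and sign_widevine_passwd and file_exists(sig_generator_path):`. When the guard is false the function returns silently, so a release build can finish without a Widevine signature file; logging that case would make it visible. The function-local `from signing.signing import sign_part` also duplicates the module-level `import signing.signing` this commit adds; `signing.signing.sign_part(...)` would do. The function body continues past the end of this hunk.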
@@ -43,3 +60,48 @@ def GenerateWidevineSigFile(paths, config, part):
run_command(command)
assert file_exists(sig_target_file), 'No sig file'
+
+
+def AddBravePartsForSigning(parts, config):
+ from signing.model import CodeSignedProduct, VerifyOptions
+
+ # Add libs
+ brave_dylibs = (
+ 'libchallenge_bypass_ristretto.dylib',
+ 'libadblock.dylib',
+ )
+ for library in brave_dylibs:
+ library_basename = os.path.basename(library)
+ parts[library_basename] = CodeSignedProduct(
+ '{.framework_dir}/Libraries/{library}'.format(
+ config, library=library),
+ library_basename.replace('.dylib', ''),
+ verify_options=VerifyOptions.DEEP)
+
+ # Add Sparkle
+ parts['sparkle-framework'] = CodeSignedProduct(
+ '{.framework_dir}/Frameworks/Sparkle.framework'.format(config),
+ 'org.sparkle-project.Sparkle',
+ verify_options=VerifyOptions.DEEP + VerifyOptions.NO_STRICT)
+
+
+def GetBraveSigningConfig(config_class, development):
+ if development:
+ return config_class
+
+ # Retrieve provisioning profile exported by build/mac/sign_app.sh
+ provisioning_profile = os.environ['MAC_PROVISIONING_PROFILE']
+ assert len(provisioning_profile), 'MAC_PROVISIONING_PROFILE is not set'
+
+ class ProvisioningProfileCodeSignConfig(config_class):
+
+ @property
+ def provisioning_profile_basename(self):
+ return os.path.splitext(os.path.basename(
+ provisioning_profile))[0]
+
+ @property
+ def run_spctl_assess(self):
+ return True
+
+ return ProvisioningProfileCodeSignConfig
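Review bot: In `GetBraveSigningConfig`, `os.environ['MAC_PROVISIONING_PROFILE']` raises a bare `KeyError` when the variable is missing, so the `assert` message is only reachable for an empty string, and the `assert` itself disappears under `python -O`. For a release-signing input an explicit check is safer: `provisioning_profile = os.environ.get('MAC_PROVISIONING_PROFILE')` followed by `if not provisioning_profile: raise RuntimeError('MAC_PROVISIONING_PROFILE is not set')`. Note also that the deleted `sign_brave.py` config overrode `optional_parts` to include `'sparkle-framework'` and `'libwidevinecdm.dylib'`, while this class does not. If upstream's default `optional_parts` lacks the Sparkle entry, a bundle without Sparkle.framework would presumably now fail signing instead of being skipped — worth confirming that this is intended.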