Enable Widevine VMP on MacOS

VMP is enabled with official build and all below envs are set. SIGN_WIDEVINE_KEY: private key SIGN_WIDEVINE_CERT: widevine cert SIGN_WIDEVINE_PASSPHRASE: pass for key sig generator should be located in //third_party/widevine/scripts/signature_generator.py
brave · Apr 3, 2019 · 6c643e8 · 6c643e8
1 parent ea9ea4e
commit 6c643e8
Show file tree

Hide file tree

Showing 5 changed files with 91 additions and 1 deletion.
diff --git a/build/config.gni b/build/config.gni
@@ -28,6 +28,11 @@ declare_args() {
   skip_signing = false
 }
 
+brave_enable_cdm_host_verification = is_official_build &&
+                                     getenv("SIGN_WIDEVINE_CERT") != "" &&
+                                     getenv("SIGN_WIDEVINE_KEY") != "" &&
+                                     getenv("SIGN_WIDEVINE_PASSPHRASE") != ""
+
 if (base_sparkle_update_url == "") {
   base_sparkle_update_url = "https://updates.bravesoftware.com/sparkle/Brave-Browser"
 }

diff --git a/build/mac/BUILD.gn b/build/mac/BUILD.gn
@@ -1,5 +1,7 @@
 import("//brave/build/config.gni")
 import("//build/config/mac/base_rules.gni")
+import("//build/util/version.gni")
+import("//third_party/widevine/cdm/widevine.gni")
 
 declare_args() {
   # find with `security find-identity -v -p codesigning`
@@ -82,6 +84,9 @@ action("create_pkg") {
   ]
 
   deps = [":sign_app"]
+  if (enable_widevine_cdm_host_verification) {
+    deps += [ ":sign_chrome_framework_for_widevine" ]
+  }
 }
 
 action("sign_pkg") {
@@ -177,6 +182,47 @@ action("sign_dmg") {
   deps = [":create_dmg"]
 }
 
+if (enable_widevine_cdm_host_verification) {
+  action("sign_chrome_framework_for_widevine") {
+    script = "//third_party/widevine/scripts/signature_generator.py"
+
+    chrome_framework_name = chrome_product_full_name + " Framework"
+    brave_version_path = "$root_out_dir/$chrome_product_full_name.app/Contents/Versions/$chrome_version_full"
+
+    file = "$brave_version_path/$chrome_framework_name.framework/Versions/Current/$chrome_framework_name"
+    signature_file = "$brave_version_path/Widevine Resources.bundle/Contents/Resources/$chrome_framework_name.sig"
+    flags = 1  # blessed binary
+
+    sources = [
+      "$root_out_dir/$brave_exe"
+    ]
+
+    outputs = [
+      "$signature_file",
+    ]
+
+    args = [
+      "--input_file",
+      rebase_path("$file", root_build_dir),
+      "--output_file",
+      rebase_path("$signature_file", root_build_dir),
+      "--flags",
+      "$flags",
+      "--certificate",
+      getenv("SIGN_WIDEVINE_CERT"),
+      "--private_key",
+      getenv("SIGN_WIDEVINE_KEY"),
+      "--private_key_passphrase",
+      getenv("SIGN_WIDEVINE_PASSPHRASE"),
+    ]
+
+    deps = [
+      ":sign_app",
+      "//brave:chrome_app",
+    ]
+  }
+}
+
 group("create_dist_mac") {
   deps = [ ":create_dmg" ]
 

diff --git a/chromium_src/chrome/common/media/cdm_host_file_path.cc b/chromium_src/chrome/common/media/cdm_host_file_path.cc
@@ -0,0 +1,8 @@
+/* Copyright (c) 2019 The Brave Authors. All rights reserved.
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this file,
+ * You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#define GOOGLE_CHROME_BUILD
+#include "../../../../../chrome/common/media/cdm_host_file_path.cc"  // NOLINT
+#undef GOOGLE_CHROME_BUILD
diff --git a/patches/chrome-BUILD.gn.patch b/patches/chrome-BUILD.gn.patch
@@ -1,5 +1,5 @@
 diff --git a/chrome/BUILD.gn b/chrome/BUILD.gn
-index 3bd3fb2b18fb6309b22d2ffff5b3372afd6e486d..f00997794e6104ac3bfbc2546f333cbc487f8962 100644
+index 3bd3fb2b18fb6309b22d2ffff5b3372afd6e486d..e64e935247607c5ddbb74e4ff760aac3e423dcf6 100644
 --- a/chrome/BUILD.gn
 +++ b/chrome/BUILD.gn
 @@ -191,6 +191,10 @@ if (!is_android && !is_mac) {
@@ -66,6 +66,15 @@ index 3bd3fb2b18fb6309b22d2ffff5b3372afd6e486d..f00997794e6104ac3bfbc2546f333cbc
            "-v",
            rebase_path(chrome_version_file, root_build_dir),
            "-g",
+@@ -1111,7 +1124,7 @@ if (is_win) {
+       bundle_resources_dir = "$bundle_contents_dir/Resources"
+
+       deps = [
+-        ":framework_widevine_signature",
++        #":framework_widevine_signature",
+         ":widevine_resources_plist_bundle_data",
+       ]
+     }
 @@ -1199,6 +1212,7 @@ if (is_win) {
        "//services/service_manager/embedder",
        "//third_party/cld_3/src/src:cld_3",

diff --git a/patches/media-media_options.gni.patch b/patches/media-media_options.gni.patch
@@ -0,0 +1,22 @@
+diff --git a/media/media_options.gni b/media/media_options.gni
+index fbd9f139ebad0c3b8bc7411baf5282df3050f7c0..7dab1cf2e476281571d420a2bc5d03d1c6f93b1d 100644
+--- a/media/media_options.gni
++++ b/media/media_options.gni
+@@ -9,6 +9,7 @@ import("//build/config/jumbo.gni")
+ import("//media/gpu/args.gni")
+ import("//testing/libfuzzer/fuzzer_test.gni")
+ import("//third_party/libaom/options.gni")
++if (brave_chromium_build) { import("//brave/build/config.gni") }
+
+ # Do not expand this list without double-checking with OWNERS, this is a list of
+ # all targets which roll up into the //media component. It controls visibility
+@@ -163,6 +164,9 @@ declare_args() {
+   # Windows and Mac.
+   enable_cdm_host_verification =
+       enable_library_cdms && (is_mac || is_win) && is_chrome_branded
++  if (brave_chromium_build) {
++    enable_cdm_host_verification = brave_enable_cdm_host_verification && enable_library_cdms && (is_mac || is_win)
++  }
+
+   # Enable Storage ID which is used by CDMs. This is only available with chrome
+   # branding, but may be overridden by other embedders.