You can find a brief overview of how packaging takes place for Brave here:
https://github.com/brave/browser-laptop/wiki/Packaging-for-bundles,-installers,-and-updates
In short, there are a few steps:
Windows and macOS will ALWAYS try to sign for Widevine. However, many folks are likely not set up with this, because the resources needed are proprietary and cannot be distributed. Because of this, the installer will fail.
We could check for a new environment variable, perhaps SKIP_WIDEVINE. If present, the tools/buildInstaller.js file should skip the following code block:
https://github.com/brave/browser-laptop/blob/26151c5e0bda4ec739463d730a45be04d779e209/tools/buildInstaller.js#L29-L46
We could also then skip the following steps too:
macOS
https://github.com/brave/browser-laptop/blob/26151c5e0bda4ec739463d730a45be04d779e209/tools/buildInstaller.js#L64-L70
Windows
https://github.com/brave/browser-laptop/blob/26151c5e0bda4ec739463d730a45be04d779e209/tools/buildInstaller.js#L109-L112
This would let folks build an installer without having the information which cannot be shared publicly.
Information that cannot be shared publicly (which is why this change is needed) includes:
SIGN_WIDEVINE_CERT
SIGN_WIDEVINE_KEY
SIGN_WIDEVINE_PASSPHRASE
tools/signature_generator.py script used to generate a Widevine signature file
Assigning myself, going to try taking a stab at this :)
Does this mean that community users of Brave cannot build browser-laptop atm?
@Raigasm that is correct
Because we are not sharing this and also not sharing our signing cert, users will never be able to build the final signed binary (same with the Widevine signing). However, they should still be able to create an unsigned build (without widevine).
This is currently not possible because the npm run build-installer task requires the above params. We should expose a new environment variable... maybe SKIP_SIGN_WIDEVINE that skips that part of the script.
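One way the opt-out proposed above could be gated, as an added example that is not part of the thread and not code from tools/buildInstaller.js. The helper name `planWidevineSigning` and the accepted flag values (`1`/`true`, `0`/`false`) are assumptions; the variable names are the ones mentioned in the issue.

```javascript
// Hypothetical helper (not from tools/buildInstaller.js). It decides whether
// the Widevine signing steps run, and fails closed when signing material is
// missing and no explicit opt-out was given.
const REQUIRED = [
  'SIGN_WIDEVINE_CERT',
  'SIGN_WIDEVINE_KEY',
  'SIGN_WIDEVINE_PASSPHRASE'
]

function planWidevineSigning (env) {
  const raw = (env.SKIP_SIGN_WIDEVINE || '').trim().toLowerCase()
  if (raw !== '' && !['1', 'true', '0', 'false'].includes(raw)) {
    // Reject typos instead of guessing what the builder meant.
    throw new Error(`SKIP_SIGN_WIDEVINE has unrecognised value "${raw}"`)
  }
  const skip = raw === '1' || raw === 'true'
  // Only variable names are collected, never their values, so the result
  // can be logged without leaking the key or passphrase.
  const missing = REQUIRED.filter((name) => !env[name])

  if (skip) {
    return { sign: false, missing, note: 'Widevine signing skipped on request' }
  }
  if (missing.length > 0) {
    // No silent fallback: an unsigned installer must be asked for explicitly.
    throw new Error(
      `Widevine signing needs ${missing.join(', ')}; ` +
      'set SKIP_SIGN_WIDEVINE=1 to package without it')
  }
  return { sign: true, missing: [], note: 'Widevine signing enabled' }
}

// Constructed sample environments (placeholder values, not real secrets).
const samples = [
  { SKIP_SIGN_WIDEVINE: '1' },
  { SIGN_WIDEVINE_CERT: 'cert.pem', SIGN_WIDEVINE_KEY: 'key.pem', SIGN_WIDEVINE_PASSPHRASE: 'x' },
  { SIGN_WIDEVINE_CERT: 'cert.pem' }
]
for (const sample of samples) {
  try {
    console.log(planWidevineSigning(sample).note)
  } catch (err) {
    console.log(`build stops: ${err.message}`)
  }
}
```

A build script would wrap each signing step in `if (plan.sign) { ... }` and print `plan.note` so the packaged installer's status is visible in the build log.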
I managed to get it working on my local machine. Was surprisingly
straightforward. Will work on clarifying the documentation to lower the
barrier for entry.
On Fri, 9 Feb 2018 at 22:25, Brian Clifton notifications@github.com wrote:
@Raigasm https://github.com/raigasm that is correct
Because we are not sharing this and also not sharing our signing cert,
users will never be able to build the final signed binary (same with the
Widevine signing). However, they should still be able to create an unsigned
build (without widevine).
This is currently not possible because the npm run build-installer task
requires the above params. We should expose a new environment variable...
maybe SKIP_SIGN_WIDEVINE that skips that part of the script
@Raigasm awesome, thank you very much! If you wanted to PR a fix for this particular issue too, I'd love to help review for you
@bsclifton - has this bug been resolved? If not, I'd like to try my hand at solving this :)
@CSP197 it hasn't been resolved yet... but I'd love to review if you want to give it a go. Let me know if you have any questions!
@bsclifton I'll give this a go :+1:
I think that the unsigned exe should make it clear that it is not the original one signed by Brave (as tbh, no one reads the UAC prompt, most people just click yes).
@andromedastudios1 I think that behavior should already exist. This issue would only affect Widevine signing. If unsigned, Widevine would simply just not work. This is already the case for folks building locally from source. This issue (when solved) would just skip the signing process and let the installer be packaged. When someone installs from that, Netflix won't work (which is fine).
Ok thanks for clearing that up!
From: Brian Clifton
Sent: Monday, June 18, 2018 5:55 PM
To: brave/browser-laptop
Cc: Dev Singh; Mention
Subject: Re: [brave/browser-laptop] When building installer, Widevine signing should be optional (#10865)
@andromedastudios1 I think that behavior should already exist. This issue would only affect Widevine signing. If unsigned, Widevine would simply just not work. This is already the case for folks building locally from source. This issue (when solved) would just skip the signing process and let the installer be packaged
Unfortunately, we won't be able to address this before switching to brave-core