From 8c8831e2a1e4efd1d1cb2fd204343155c1f9928e Mon Sep 17 00:00:00 2001
From: Simon Hong
Date: Wed, 31 Jul 2019 22:29:57 +0900
Subject: [PATCH] Fix widevine loading failure due to different TeamID

Set disable-library-validation entitlements for helper-app that loads widevine library.
---
 app/helper-entitlements.plist | 8 ++++++++
 build/mac/BUILD.gn | 15 ++++++++++++++-
 ...rome-installer-mac-signing-signing.py.patch | 18 ++++--------------
 script/signing_helper.py | 6 +++++-
 4 files changed, 31 insertions(+), 16 deletions(-)
 create mode 100644 app/helper-entitlements.plist

diff --git a/app/helper-entitlements.plist b/app/helper-entitlements.plist
new file mode 100644
index 000000000000..8cc185af8d78
--- /dev/null
+++ b/app/helper-entitlements.plist
@@ -0,0 +1,8 @@
+
+
+
+
+ com.apple.security.cs.disable-library-validation
+
+
+
diff --git a/build/mac/BUILD.gn b/build/mac/BUILD.gn
index 356771860e19..f95d6ab9ccde 100644
--- a/build/mac/BUILD.gn
+++ b/build/mac/BUILD.gn
@@ -114,7 +114,8 @@ if (skip_signing) {
 deps = [
 "//brave:chrome_app",
- "//chrome/installer/mac"
+ "//chrome/installer/mac",
+ ":copies",
 ]
 if (is_official_build) {
@@ -152,6 +153,18 @@ if (skip_signing) {
 ]
 }
+ copy("copies") {
+ visibility = [ ":sign_app" ]
+
+ sources = [
+ "//brave/app/helper-entitlements.plist",
+ ]
+
+ outputs = [
+ "$packaging_dir/{{source_file_part}}"
+ ]
+ }
+
 action("create_pkg") {
 script = "//build/gn_run_binary.py"
 shell_script = "//brave/build/mac/create_pkg.sh"
diff --git a/patches/chrome-installer-mac-signing-signing.py.patch b/patches/chrome-installer-mac-signing-signing.py.patch
index 646780a9f50e..793fb63f791a 100644
--- a/patches/chrome-installer-mac-signing-signing.py.patch
+++ b/patches/chrome-installer-mac-signing-signing.py.patch
@@ -1,5 +1,5 @@
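Review bot: `app/helper-entitlements.plist` carries no comment explaining why `com.apple.security.cs.disable-library-validation` is granted, and that key lets the hardened-runtime helper load code that is not signed by Apple or by the app's own Team ID, which is broader than the one Widevine library the commit message names. I would add an XML comment above the key, `<!-- Needed so the helper can load the Widevine CDM, which is signed with a different Team ID. Do not reuse this plist for other parts. -->`. The plist markup is not visible on this page, so the exact placement is a guess. A post-signing check with `codesign -d --entitlements` that only the 'helper-app' part carries this entitlement would keep the relaxation from spreading to the other helpers.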
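Review bot: The target name in `copy("copies")` says nothing about what it stages, although its only source is the helper entitlements plist that the signing step needs in `$packaging_dir`. A name such as `copy("copy_helper_entitlements")`, with the `":copies"` dep added in the first BUILD.gn hunk renamed to match, would make that dependency self-explanatory. The `outputs` entry also lacks the trailing comma that the `sources` entry has.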
diff --git a/chrome/installer/mac/signing/signing.py b/chrome/installer/mac/signing/signing.py -index 9a425e757229484755a2f656f8a7758c7538b676..17bd52c0c0bd0f7cc1abc405bfd24d05fa6a592a 100644 +index 9a425e757229484755a2f656f8a7758c7538b676..af54f97b7e3913f0846750bcdcd591679722e953 100644 --- a/chrome/installer/mac/signing/signing.py +++ b/chrome/installer/mac/signing/signing.py @@ -11,6 +11,7 @@ import os.path @@ -10,17 +10,7 @@ index 9a425e757229484755a2f656f8a7758c7538b676..17bd52c0c0bd0f7cc1abc405bfd24d05 _PROVISIONPROFILE_EXT = '.provisionprofile' _PROVISIONPROFILE_DEST = 'embedded.provisionprofile' -@@ -76,7 +77,8 @@ def get_parts(config): - '{0.framework_dir}/Helpers/{0.product} Helper.app'.format( - config), - '{}.helper'.format(uncustomized_bundle_id), -- options=full_hardened_runtime_options, -+ options=CodeSignOptions.RESTRICT + CodeSignOptions.KILL + -+ CodeSignOptions.HARDENED_RUNTIME, - verify_options=VerifyOptions.DEEP), - 'helper-renderer-app': - CodeSignedProduct( -@@ -136,6 +138,7 @@ def get_parts(config): +@@ -136,6 +137,7 @@ def get_parts(config): library_basename.replace('.dylib', ''), verify_options=VerifyOptions.DEEP) @@ -28,7 +18,7 @@ index 9a425e757229484755a2f656f8a7758c7538b676..17bd52c0c0bd0f7cc1abc405bfd24d05 return parts -@@ -180,7 +183,7 @@ def sign_part(paths, config, part): +@@ -180,7 +182,7 @@ def sign_part(paths, config, part): part: The |model.CodeSignedProduct| to sign. The product's |path| must be in |paths.work|. """ @@ -37,7 +27,7 @@ index 9a425e757229484755a2f656f8a7758c7538b676..17bd52c0c0bd0f7cc1abc405bfd24d05 if config.notary_user: # Assume if the config has notary authentication information that the # products will be notarized, which requires a secure timestamp. -@@ -272,6 +275,7 @@ def sign_chrome(paths, config, sign_framework=False): +@@ -272,6 +274,7 @@ def sign_chrome(paths, config, sign_framework=False): continue sign_part(paths, config, part) 
diff --git a/script/signing_helper.py b/script/signing_helper.py
index 46626c754037..80d4b30be265 100644
--- a/script/signing_helper.py
+++ b/script/signing_helper.py
@@ -63,7 +63,7 @@ def GenerateBraveWidevineSigFile(paths, config, part):
 def AddBravePartsForSigning(parts, config):
- from signing.model import CodeSignedProduct, VerifyOptions
+ from signing.model import CodeSignedProduct, VerifyOptions, CodeSignOptions
 # Add libs
 brave_dylibs = (
@@ -84,6 +84,10 @@ def AddBravePartsForSigning(parts, config):
 'org.sparkle-project.Sparkle',
 verify_options=VerifyOptions.DEEP + VerifyOptions.NO_STRICT)
+ # Overwrite to avoid TeamID mismatch with widevine dylib.
+ parts['helper-app'].entitlements = 'helper-entitlements.plist'
+ parts['helper-app'].options = CodeSignOptions.RESTRICT + CodeSignOptions.KILL + CodeSignOptions.HARDENED_RUNTIME
+
 def GetBraveSigningConfig(config_class, development):
 if development:
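Review bot: The override of `parts['helper-app'].options` hard-codes a three-flag list, and the comment above it does not say which upstream flag is left out or that the relaxation is meant for this one part only. The value it replaces is `full_hardened_runtime_options` (visible in the removed lines of the signing.py patch); its definition is not on this page, but presumably the omitted flag is the library-validation one. I would expand the comment to something like `# Upstream full_hardened_runtime_options minus library validation, for 'helper-app' only: the Widevine dylib is signed with a different Team ID.` so that a later upstream change to the default set is noticed at rebase. AddBravePartsForSigning starts above this hunk.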