How to sign the mini installer of Brave and Chromium


I have an EV code signing certificate PFX file and password. How do I apply it while building the Brave or Chromium mini installer?

The Brave command to build mini_installer is: npm run create_dist

and Chromium forks are built using this: autoninja -C out\Default mini_installer

but they don't create signed installers.

How do I generate an installer in which all files like chrome.dll and chrome.exe are signed with the code signing certificate?

Edit: I tried signing all exe and dll files inside the build directory and ran the mini_installer command, but then Chromium started building all of those 20k files, and after that all those files became unsigned again and mini_installer had those unsigned ones.

2

There are 2 best solutions below

4
Asesh On

There's no official way to do so. Chromium uses build tools to build chrome.7z, which packs those binary files, and I think mini_installer too. You will have to sign those files before they are packed as chrome.7z, which is packed into mini_installer.

You will have to modify this script: https://source.chromium.org/chromium/chromium/src/+/main:chrome/tools/build/win/create_installer_archive.py;l=1?q=create_installer_archive&ss=chromium%2Fchromium%2Fsrc to digitally sign binary files before the installer is built. Go through the script.

You will have to execute Microsoft's signtool to use your certificate and password from there to code sign binary files like chrome.exe, chrome.dll, etc. before they are packed into the chrome.7z archive.

All the relevant changes to make it work as you are intending are beyond the scope of this site.

0
Naeem On

Here's my solution in Python.

Make the build, then run this script, then make the mini_installer build, then run this script again, and then build your installer; it, including everything inside, will be signed.

You need to replace:

C:\\Program Files (x86)\\Windows Kits\\10\\bin\\10.0.19041.0\\x64\\signtool.exe

D:\\Asil\\src\\out\\Component with your build folder

C:\\Users\\user\\Desktop\\asil-certificate\\new-Halalz (2).pfx

PFX_Password

import os
import datetime
import subprocess

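def apply_certificate(file_path, pfx_file, password):
    # Path to signtool.exe from the Windows SDK
    signtool = "C:\\Program Files (x86)\\Windows Kits\\10\\bin\\10.0.19041.0\\x64\\signtool.exe"
    # Build the command as an argument list (no shell), so paths with spaces
    # or special characters are passed to signtool unchanged
    sign_command = [signtool, "sign", "/f", pfx_file, "/p", password, file_path]
    # Log the file being signed rather than the full command, which contains the PFX password
    print(f"Signing: {file_path}")
    # Execute the command and raise an error if signtool fails
    subprocess.run(sign_command, check=True)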

def main(directory_path, pfx_file, password):
    # Validate if the provided path is a directory
    if not os.path.isdir(directory_path):
        print(f"The specified path '{directory_path}' is not a directory.")
        return

    # Loop through each file in the directory
    for filename in os.listdir(directory_path):
        file_path = os.path.join(directory_path, filename)

        # Check if the file is a DLL or EXE
        if filename.lower().endswith(('.dll', '.exe')):
            # Get the current modified date and time
            current_modified_time = datetime.datetime.fromtimestamp(os.path.getmtime(file_path))

            print(f"File: {filename}")
            print(f"Current Modified Time: {current_modified_time}")

            # Apply EV code signing certificate
            apply_certificate(file_path, pfx_file, password)

            # Set the modified date and time back to what it was before
            os.utime(file_path, (current_modified_time.timestamp(), current_modified_time.timestamp()))

            print("EV Code Signing Certificate Applied.")
            print(f"Modified Time Set to: {current_modified_time}")
            print("")

if __name__ == "__main__":
    # Specify the directory path

    directory_path = "D:\\Asil\\src\\out\\Component"

    # Specify the path to the PFX file and its password
    pfx_file = "C:\\Users\\user\\Desktop\\asil-certificate\\new-Halalz (2).pfx"
    password = "PFX_Password"

    # Call the main function
    main(directory_path, pfx_file, password)
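
A pre-packaging check for the workflow described in the answers above, as an added example that is not part of either answer or of Chromium's build scripts: it reads each PE header and reports the .exe/.dll files in a directory that have no Authenticode certificate table, which catches binaries that were rebuilt and lost their signature before mini_installer packs them. The function names are hypothetical and the sample PE bytes are constructed for the demonstration.

```python
import os
import struct

SECURITY_DIR = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY: the Authenticode certificate table

def has_certificate_table(data: bytes) -> bool:
    """True if the PE image has a non-empty certificate table (presence only, not validity)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        return False
    opt = pe_off + 24                  # optional header: after 4-byte signature + 20-byte COFF header
    if opt + 2 > len(data):
        return False
    # Offset of the data directories inside the optional header: PE32 = 96, PE32+ = 112
    dirs = {0x10B: 96, 0x20B: 112}.get(struct.unpack_from("<H", data, opt)[0])
    entry = opt + (dirs or 0) + 8 * SECURITY_DIR
    if dirs is None or entry + 8 > len(data):
        return False
    count = struct.unpack_from("<I", data, opt + dirs - 4)[0]  # NumberOfRvaAndSizes
    offset, size = struct.unpack_from("<II", data, entry)      # file offset, not an RVA
    return count > SECURITY_DIR and offset != 0 and size != 0 and offset + size <= len(data)

def unsigned_binaries(directory: str) -> list:
    """Names of .exe/.dll files directly in `directory` that lack a certificate table."""
    missing = []
    for name in sorted(os.listdir(directory)):
        if name.lower().endswith((".exe", ".dll")):
            with open(os.path.join(directory, name), "rb") as fh:
                if not has_certificate_table(fh.read()):
                    missing.append(name)
    return missing

def sample_pe(signed: bool) -> bytes:
    """Constructed minimal PE32+ headers (not a runnable binary), for demonstration only."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)       # e_lfanew = 0x40
    opt = bytearray(112 + 16 * 8)                               # optional header + 16 directories
    struct.pack_into("<H", opt, 0, 0x20B)                       # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)                        # NumberOfRvaAndSizes
    image = bytearray(dos + b"PE\0\0" + b"\0" * 20 + bytes(opt))
    if signed:
        struct.pack_into("<II", image, 0x40 + 24 + 112 + 8 * SECURITY_DIR, len(image), 8)
        image += b"\0" * 8                                      # placeholder certificate bytes
    return bytes(image)

if __name__ == "__main__":
    print(has_certificate_table(sample_pe(True)), has_certificate_table(sample_pe(False)))
```

A certificate table only shows that a signature is attached; `signtool verify /pa` on the file checks that the signature and its certificate chain are actually valid.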