Referral build Windows installer could use tagging instead of special filenames

[bbondy]

Currently referral build installers reads its own name to write out the referral code and enable certain features.

We could instead apply a tag without the filename:

./ApplyTag.exe BraveUpdateSetup.exe BraveBrowserDevSetup.exe "appguid={CB2150F2-595F-4633-891A-E39720CE0531}&appname=Brave-Browser-Dev&needsadmin=prefers&lang=en&ap=dev&promo=23AB"

Credit Info found by @simonhong

[aekeus]

Could this be applied at the time the download is initiated as currently implemented, or would we store a series of tagged builds in a specific S3 bucket?

[bbondy]

I'd imagine we apply it dynamically from some temporary location.

[simonhong]

Omaha client already has extra args for referral - const TCHAR* const kExtraArgReferralId = _T("referral"); I think we could use above one when we can use tagging for our referral installer.

[bsclifton]

Closing as stale - I think what we have works for now (given sunset of referral program). We could re-open this though (just need help prioritizing if so)

[spylogsster]

Reopening after discussion with @bsclifton

Now we rename files like BraveBrowserSetup-BRV030.exe, consider to use certificate metadata to embed own tag template into signed binary and replace it on the fly during downloading. For example here I downloaded and updated BraveBrowserSetup-BRV030.exe with embedded __brave_tag_id__.

Screenshot of binary content:

Benefits:

• It does not depend on the file name
• Tag template can be replaced on the fly during downloading process.
• We can embed info of any size into certificate metadata, this actually what ApplyTag do under the hood, but it hexencodes data before embedding.

Link to class which implements it https://source.chromium.org/chromium/chromium/src/+/main:chrome/updater/tools/certificate_tag.h

I used command line certificate_tag.exe --set-superfluous-cert-tag=__brave_tag_id__ --padded-length=16 --out=out_file.exe BraveBrowserSetup-BRV030.exe to embed tag on the screenshot. We can patch code for our need it if required to make it easier/simpler. The tag templates later can be replaced by any python/bash/php script on the server.

Attached installer with this tag, gihub asked to wrap it to zip because it doesnt allow to attach executables. Everyone can open it in Notepad++ and see this substring in the binary. BraveBrowserSetup-BRV030.zip

[bsclifton]

Bumping up to a P3 - we recently did similar work on macOS to use a similar approach to tagging: https://github.com/brave/brave-browser/issues/32316