Open bbondy opened 5 years ago
Could this be applied at the time the download is initiated as currently implemented, or would we store a series of tagged builds in a specific S3 bucket?
I'd imagine we apply it dynamically from some temporary location.
Omaha client already has extra args for referral - const TCHAR* const kExtraArgReferralId = _T("referral");
I think we could use the above one when we can use tagging for our referral installer.
Closing as stale - I think what we have works for now (given sunset of referral program). We could re-open this though (just need help prioritizing if so)
Reopening after discussion with @bsclifton
Now we rename files like BraveBrowserSetup-BRV030.exe. Consider using certificate metadata to embed our own tag template into the signed binary and replace it on the fly during download.
For example, here I downloaded and updated BraveBrowserSetup-BRV030.exe with embedded __brave_tag_id__.
Screenshot of binary content:
Benefits:
Link to the class which implements it: https://source.chromium.org/chromium/chromium/src/+/main:chrome/updater/tools/certificate_tag.h
I used the command line certificate_tag.exe --set-superfluous-cert-tag=__brave_tag_id__ --padded-length=16 --out=out_file.exe BraveBrowserSetup-BRV030.exe to embed the tag shown on the screenshot. We can patch the code for our needs if required to make it easier/simpler. The tag templates can later be replaced by any python/bash/php script on the server.
Attached is the installer with this tag. GitHub asked to wrap it in a zip because it doesn't allow attaching executables. Anyone can open it in Notepad++ and see this substring in the binary. BraveBrowserSetup-BRV030.zip
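A sketch of the server-side replacement step mentioned in the comment above, as an added example that is not part of the original thread or Brave's code. The function names, the NUL padding for codes shorter than 16 bytes, and the alphanumeric allowlist are assumptions; the sample installer bytes are constructed.

```python
import re

PLACEHOLDER = b"__brave_tag_id__"           # 16-byte template from the thread
CODE_RE = re.compile(r"[A-Za-z0-9]{1,16}")  # assumed allowlist; max = len(PLACEHOLDER)
PAD = b"\x00"                               # assumed padding byte for short codes


class TagError(ValueError):
    """Raised when the installer or the referral code cannot be tagged safely."""


def find_placeholder(installer: bytes) -> int:
    """Return the placeholder offset, requiring exactly one occurrence."""
    first = installer.find(PLACEHOLDER)
    if first < 0:
        raise TagError("placeholder not found: installer has no tag template")
    if installer.find(PLACEHOLDER, first + 1) >= 0:
        raise TagError("placeholder occurs more than once: refusing to guess")
    return first


def apply_referral_tag(installer: bytes, referral_code: str) -> bytes:
    """Overwrite the placeholder in place with a validated, padded referral code."""
    # The code arrives with the download request, so validate it before it
    # is written into a binary that users will execute.
    if not CODE_RE.fullmatch(referral_code):
        raise TagError("referral code must be 1-16 ASCII letters or digits")
    offset = find_placeholder(installer)
    field = referral_code.encode("ascii").ljust(len(PLACEHOLDER), PAD)
    # Same-length overwrite: no other byte moves, so file offsets are unchanged.
    return installer[:offset] + field + installer[offset + len(PLACEHOLDER):]


def read_referral_tag(tagged: bytes, offset: int) -> str:
    """Read the tag back from a known offset, stripping the assumed padding."""
    return tagged[offset:offset + len(PLACEHOLDER)].rstrip(PAD).decode("ascii")


if __name__ == "__main__":
    # Constructed stand-in for a tagged installer, not a real PE file.
    sample = b"MZ" + b"\x90" * 32 + PLACEHOLDER + b"\x00" * 8
    off = find_placeholder(sample)
    out = apply_referral_tag(sample, "BRV030")
    print(off, len(out) == len(sample), read_referral_tag(out, off))
```

The installer side would need to strip the same padding when it reads the tag.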
Bumping up to a P3 - we recently did similar work on macOS to use a similar approach to tagging: https://github.com/brave/brave-browser/issues/32316
Currently, referral build installers read their own name to write out the referral code and enable certain features.
We could instead apply a tag without the filename:
Credit Info found by @simonhong