question regarding 'customizing' updater for own software


miccs

Apr 6, 2022, 9:25:38 AM
to Chrome Updates Development
hello, I've been using omaha3 for quite some time where 'customizing' installer for own software was quite problematic.
so here goes my question: what's the 'proper' way to customize omaha4? (app is not a browser)

from what i can see these files would need modification:

src/chrome/updater/app/server/win: (GUIDS)
updater_idl.template
updater_internal_idl.template
updater_legacy_idl.template
BUILD.gn

src/chrome/updater: (app name /urls etc.)
branding.gni

src/chrome/updater/win/ui: (kChromeAppId  - watch for crbug.com/1065588)
progress_wnd.cc
and here of course chrome.bmp to our own (name used in code / etc)

is my thinking correct?

also second question:
what's the status of the installer - is it 'good' idea to use it already? (windows for now - with mac to happen soon) or is it better to stick to omaha3?

Joshua Pawlicki

Apr 6, 2022, 9:55:48 AM
to miccs, Chrome Updates Development
Speaking to the second question, if you already have Omaha 3 working then I would continue with that for now. Google hasn't yet switched from Omaha 3 to Chromium Updater (Omaha 4), and there are still some feature gaps and potential for backwards-incompatible changes in the Chromium Updater codebase.

On the question of customization, that sounds right to me, but others on this list might have more experience with the topic. I'm not sure that the "placeholder" GUIDs need modification (the build should do that if you modify the branding file - you could double-check that it does), but some of the GUIDs (especially in _legacy and BUILD.gn) are hardcoded and need modification.


miccs

Apr 6, 2022, 10:51:53 AM
to Chrome Updates Development, Joshua Pawlicki, Chrome Updates Development, miccs
and for the new app (that's about to be released (our next app)) - it should be ready to go? or is it better still to go omaha3 and in some time in the future switch to omaha4?

Joshua Pawlicki

Apr 6, 2022, 11:51:17 AM
to miccs, Chrome Updates Development
I guess were I you, I'd hold off on adopting Omaha 4 until Google (or another major contributor to the project) does. However, as you pointed out, Omaha 3 can be cumbersome to customize and reuse, so you might judge that accepting the risk of a disruptive change in Omaha 4 is worth it.

When it is time to switch to Omaha 4, it should be a drop-in replacement that is backwards-compatible with Omaha 3.

miccs

Apr 6, 2022, 2:24:43 PM
to Chrome Updates Development, Joshua Pawlicki, Chrome Updates Development, miccs
do you have an idea when (approximately) the switch in chrome is planned? from what I can remember omaha4 was supposed to land in Q1 2022?

Joshua Pawlicki

Apr 7, 2022, 9:57:44 AM
to miccs, Chrome Updates Development
We are now targeting starting to canary the migration in Q3.

Joshua Pawlicki

Jul 7, 2023, 1:11:03 PM
to miccs, Chrome Updates Development
> can I ask for update on this matter? is it progressing (migration)? are you expecting some more breaking changes?

Yes, we have transitioned a fraction of our users to use the new updater. We are currently monitoring the behavior of the updater compared to a control group, and fixing any issues that we discover. I am hopeful that we will reach 100% deployment before September. I do not anticipate any upcoming breaking changes, and we have deployed to a large enough fraction of the population that backwards compatibility would be a significant concern for any breaking change.

> also I have 'extended' sign.py file that I would like to push upstream - of course if you agree.

Yes, we'd welcome the contribution. (And Python 3 is great, thanks!)

> however I never committed anything to google codebase and I don't want to complete every step that is needed to do so.
> would you be able to upstream it for me?

I sympathize with the sentiment but I think there are reasons for the process that I would not be comfortable skipping.

On Fri, Jul 7, 2023 at 9:37 AM miccs <mic.gs...@gmail.com> wrote:
can I ask for update on this matter? is it progressing (migration)? are you expecting some more breaking changes?

also I have 'extended' sign.py file that I would like to push upstream - of course if you agree.
however I never committed anything to google codebase and I don't want to complete every step that is needed to do so.
would you be able to upstream it for me? I've added ability to sign files using pfx cert file.
it's backward compatible (defaults) - just new cmd line switch present
it is python 3.4 - not sure if you need it lower - I can make it python 2 compatible if needed - give me a msg
the license is anything you want it to be - bsd, public domain or anything that you need to make it upstream.



diff --git a/chrome/updater/win/signing/sign.py b/chrome/updater/win/signing/sign.py
index bb3a7285de..cfabf96bb3 100755
--- a/chrome/updater/win/signing/sign.py
+++ b/chrome/updater/win/signing/sign.py
@@ -20,10 +20,17 @@ import os.path
 import shutil
 import subprocess
 import tempfile
+from enum import IntEnum
+import sys
 
 import resedit
 
 
+class MethodType(IntEnum):
+    Identity = 0
+    CertFile = 1
+
+
 class SigningError(Exception):
     """Module exception class."""
 
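Review bot: MethodType has no docstring, unlike SigningError directly below it, and nothing in the patch uses its members as integers (they are only compared with ==), so a plain Enum with a one-line docstring would be enough. The two new imports are also appended after tempfile instead of being placed in the existing alphabetical order (enum before os.path, sys after subprocess).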
@@ -31,13 +38,17 @@ class SigningError(Exception):
 class Signer:
     """A container for a signing operation."""
 
-    def __init__(self, tmpdir, lzma_exe, signtool_exe, tagging_exe, identity):
+    def __init__(self, tmpdir, lzma_exe, signtool_exe, tagging_exe, method,
+                  identity, cert_file, cert_file_pwd):
         """Inits a signer with the necessary tools."""
         self._tmpdir = tmpdir
         self._lzma_exe = lzma_exe
         self._signtool_exe = signtool_exe
         self._tagging_exe = tagging_exe
+        self._method = method
         self._identity = identity
+        self._cert_file = cert_file
+        self._cert_file_pwd = cert_file_pwd
 
     def _add_tagging_cert(self, in_file):
         """Adds the tagging cert. Returns the path to the tagged file."""
@@ -56,9 +67,17 @@ class Signer:
         # Retries may be required: lore states the timestamp server is flaky.
         command = [
             self._signtool_exe, 'sign', '/v', '/tr',
-            'http://timestamp.digicert.com', '/td', 'SHA256', '/fd', 'SHA256',
-            '/s', 'my', '/n', self._identity, in_file
+            'http://timestamp.digicert.com', '/td', 'SHA256'
         ]
+        if self._method == MethodType.CertFile:
+            command.extend([
+                '/fd', 'certHash', '/f', self._cert_file,
+                '/p', self._cert_file_pwd, in_file
+            ])
+        else:  # self._method == MethodType.Identity
+            command.extend([
+                '/fd', 'SHA256', '/s', 'my', '/n', self._identity, in_file
+            ])
         subprocess.run(command, check=True)
 
     def _sign_7z(self, in_file):
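Review bot: In the CertFile branch the PFX password is placed on the signtool command line ('/p', self._cert_file_pwd), where it is visible in process listings and in any build log that echoes the command; the help text should say so, and the certificate-store path should remain the recommended one where that exposure matters. The same branch changes the file digest to '/fd', 'certHash', which takes the algorithm from the signing certificate, while the Identity branch pins '/fd', 'SHA256'; pinning SHA256 in both branches keeps the signature digest independent of which certificate is supplied. in_file is repeated in both extend() calls and could be appended once after the if/else.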
@@ -116,14 +135,33 @@ def main():
     parser.add_argument('--certificate_tag',
                         default='.\certificate_tag.exe',
                         help='The path to the certificate_tag executable.')
+    parser.add_argument(
+        '--method',
+        default='identity',
+        help='It can be either system added cert "identity" or "cert_file".')
     parser.add_argument('--identity',
                         default='Google',
                         help='The signing identity to use.')
+    parser.add_argument('--cert_file',
+                        default='',
+                        help='The path to the certificate file(.pfx).')
+    parser.add_argument('--cert_file_password',
+                        default='',
+                        help='The password to the certificate file.')
     args = parser.parse_args()
+    method = MethodType.Identity
+    if args.method == 'identity':
+        method = MethodType.Identity
+    elif args.method == 'cert_file':
+        method = MethodType.CertFile
+    else:
+        sys.exit('invalid method param - check help')
+
     with tempfile.TemporaryDirectory() as tmpdir:
         shutil.move(
             Signer(tmpdir, args.lzma_7z, args.signtool, args.certificate_tag,
-                   args.identity).sign_metainstaller(args.in_file),
+                   method, args.identity, args.cert_file,
+                     args.cert_file_password).sign_metainstaller(args.in_file),
             args.out_file)
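Review bot: --method is validated by hand with an if/elif chain and sys.exit; passing choices=['identity', 'cert_file'] to add_argument would reject bad values with a proper usage message and make the initial method = MethodType.Identity assignment unnecessary. There is also no check that --cert_file is non-empty when --method is cert_file, so the default '' would reach signtool as the '/f' argument. Finally, --cert_file_password puts the secret in argv and shell history; reading it from an environment variable or an interactive prompt would avoid that.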

Ganesh S.

Jul 11, 2023, 5:05:01 PM
to Chrome Updates Development, Joshua Pawlicki, Chrome Updates Development, miccs
Incidentally, I was adding this functionality in as well, so I think this CL should suffice for your needs: https://chromium-review.googlesource.com/c/chromium/src/+/4678974

miccs

Jul 12, 2023, 10:10:30 AM
to Chrome Updates Development, Ganesh S., Joshua Pawlicki, Chrome Updates Development, miccs
yes it does, thanks a lot