pyrox.dev / nixpkgs
lol
fork atom

Merge pull request #310209 from emilylange/chromium-disable-drm-auto-download

chromium: prevent automatic Widevine DRM download

authored by Emily and committed by GitHub 3a8dd041 44dad029

+56 -18
unified split
+5
nixos/doc/manual/release-notes/rl-2405.section.md
··· 459 459 460 460 - `firefox-devedition`, `firefox-beta`, `firefox-esr` executable file names for now match their package names, which is consistent with the `firefox-*-bin` packages. The desktop entries are also updated so that you can have multiple editions of firefox in your app launcher. 461 461 462 + - `chromium` and `ungoogled-chromium` had a long stanging issue regarding Widevine DRM handling in nixpkgs fixed. 463 + `chromium` now no longer automatically downloads Widevine when encountering DRM protected content. 464 + To be able to play DRM protected content in `chromium` now, you have to explicitly opt-in as originally intended using `chromium.override { enableWideVine = true; }`. 465 + This override has been added almost 10 years ago. 466 + 462 467 - switch-to-configuration does not directly call systemd-tmpfiles anymore. 463 468 Instead, the new artificial sysinit-reactivation.target is introduced which 464 469 allows to restart multiple services that are ordered before sysinit.target
+24 -5
pkgs/applications/networking/browsers/chromium/common.nix
··· 241 241 ./patches/cross-compile.patch 242 242 # Optional patch to use SOURCE_DATE_EPOCH in compute_build_timestamp.py (should be upstreamed): 243 243 ./patches/no-build-timestamps.patch 244 - # For bundling Widevine (DRM), might be replaceable via bundle_widevine_cdm=true in gnFlags: 245 - ./patches/widevine-79.patch 244 + ] ++ lib.optionals (packageName == "chromium") [ 245 + # This patch is limited to chromium and ungoogled-chromium because electron-source sets 246 + # enable_widevine to false. 247 + # 248 + # The patch disables the automatic Widevine download (component) that happens at runtime 249 + # completely (~/.config/chromium/WidevineCdm/). This would happen if chromium encounters DRM 250 + # protected content or when manually opening chrome://components. 251 + # 252 + # It also prevents previously downloaded Widevine blobs in that location from being loaded and 253 + # used at all, while still allowing the use of our -wv wrapper. This is because those old 254 + # versions are out of out our control and may be vulnerable, given we literally disable their 255 + # auto updater. 256 + # 257 + # bundle_widevine_cdm is available as gn flag, but we cannot use it, as it expects a bunch of 258 + # files Widevine files at configure/compile phase that we don't have. Changing the value of the 259 + # BUNDLE_WIDEVINE_CDM build flag does work in the way we want though. 260 + # We also need enable_widevine_cdm_component to be false. Unfortunately it isn't exposed as gn 261 + # flag (declare_args) so we simply hardcode it to false. 262 + ./patches/widevine-disable-auto-download-allow-bundle.patch 263 + ] ++ [ 246 264 # Required to fix the build with a more recent wayland-protocols version 247 265 # (we currently package 1.26 in Nixpkgs while Chromium bundles 1.21): 248 266 # Source: https://bugs.chromium.org/p/angleproject/issues/detail?id=7582#c1 ··· 418 436 # Feature overrides: 419 437 # Native Client support was deprecated in 2020 and support will end in June 2021: 420 438 enable_nacl = false; 421 - # Enabling the Widevine component here doesn't affect whether we can 422 - # redistribute the chromium package; the Widevine component is either 423 - # added later in the wrapped -wv build or downloaded from Google: 439 + } // lib.optionalAttrs (packageName == "chromium") { 440 + # Enabling the Widevine here doesn't affect whether we can redistribute the chromium package. 441 + # Widevine in this drv is a bit more complex than just that. See Widevine patch somewhere above. 424 442 enable_widevine = true; 443 + } // { 425 444 # Provides the enable-webrtc-pipewire-capturer flag to support Wayland screen capture: 426 445 rtc_use_pipewire = true; 427 446 # Disable PGO because the profile data requires a newer compiler version (LLVM 14 isn't sufficient):
-13
pkgs/applications/networking/browsers/chromium/patches/widevine-79.patch
··· 1 - diff --git a/third_party/widevine/cdm/BUILD.gn b/third_party/widevine/cdm/BUILD.gn 2 - index ed0e2f5208b..5b431a030d5 100644 3 - --- a/third_party/widevine/cdm/BUILD.gn 4 - +++ b/third_party/widevine/cdm/BUILD.gn 5 - @@ -14,7 +14,7 @@ buildflag_header("buildflags") { 6 - 7 - flags = [ 8 - "ENABLE_WIDEVINE=$enable_widevine", 9 - - "BUNDLE_WIDEVINE_CDM=$bundle_widevine_cdm", 10 - + "BUNDLE_WIDEVINE_CDM=true", 11 - "ENABLE_WIDEVINE_CDM_COMPONENT=$enable_widevine_cdm_component", 12 - ] 13 - }
+27
pkgs/applications/networking/browsers/chromium/patches/widevine-disable-auto-download-allow-bundle.patch
··· 1 + diff --git a/third_party/widevine/cdm/BUILD.gn b/third_party/widevine/cdm/BUILD.gn 2 + index 525693b6c10ab..245491e137d39 100644 3 + --- a/third_party/widevine/cdm/BUILD.gn 4 + +++ b/third_party/widevine/cdm/BUILD.gn 5 + @@ -22,7 +22,7 @@ buildflag_header("buildflags") { 6 + 7 + flags = [ 8 + "ENABLE_WIDEVINE=$enable_widevine", 9 + - "BUNDLE_WIDEVINE_CDM=$bundle_widevine_cdm", 10 + + "BUNDLE_WIDEVINE_CDM=true", 11 + "ENABLE_WIDEVINE_CDM_COMPONENT=$enable_widevine_cdm_component", 12 + "ENABLE_MEDIA_FOUNDATION_WIDEVINE_CDM=$enable_media_foundation_widevine_cdm", 13 + ] 14 + diff --git a/third_party/widevine/cdm/widevine.gni b/third_party/widevine/cdm/widevine.gni 15 + index 58f073ca562ca..4b242c2618dfb 100644 16 + --- a/third_party/widevine/cdm/widevine.gni 17 + +++ b/third_party/widevine/cdm/widevine.gni 18 + @@ -41,8 +41,7 @@ enable_library_widevine_cdm = 19 + # Widevine CDM can be deployed as a component. Currently only supported on 20 + # desktop platforms. The CDM can be bundled regardless whether 21 + # it's a component. See below. 22 + -enable_widevine_cdm_component = 23 + - enable_library_widevine_cdm && (is_win || is_mac || is_linux || is_chromeos) 24 + +enable_widevine_cdm_component = false 25 + 26 + # Enable (Windows) Media Foundation Widevine CDM component. 27 + declare_args() {