Skip to content

ungoogled-software/ungoogled-chromium-macos

Repository files navigation

ungoogled-chromium-macos

macOS packaging for ungoogled-chromium.

Downloads

Download binaries from the Contributor Binaries website.

Source Code: It is recommended to use a tag via git checkout (see building instructions below). You may also use master, but it is for development and may not be stable.

Announcements

Ungoogled-Chromium macOS builds are now notarized (signed) with an Apple Developer ID! Notarized builds will be provided at least till the end of our 2024-2025 Apple Developer Program membership year, which ends on September 2025.

The notarized binaries distributed in the ungoogled-software/ungoogled-chromium-macos repository are signed with the Apple Developer ID certificate Developer ID Application: Qian Qian (B9A88FL5XJ). You should be able to verify the signature of the binaries after downloading the .dmg file, extracting the .app file, and running the following command in Terminal:

spctl -a -vvv -t install path/to/Chromium.app

This output should show something like:

path/to/Chromium.app: accepted
source=Notarized Developer ID
origin=Developer ID Application: Qian Qian (B9A88FL5XJ)

that indicates the binary is correctly signed and notarized.

Sponsorship

Thanks to the following sponsors for their generous support:

  • @pascal-giguere (via GitHub Sponsors)
  • @kevingriffin (via GitHub Sponsors)
  • BabyFn0rd (via By Me a Coffee)
  • dasos (via By Me a Coffee)
  • @vinnysaj (via GitHub Sponsors)

These contributions made it possible for us to cover the cost of the Apple Developer Program membership and provide notarized builds of Ungoogled-Chromium macOS. All of these sponsorship contributions are greatly appreciated!

New sponsors are still very welcomed, as I (@Cubik65536, the current maintainer of Ungoogled-Chromium macOS) am still relying on community sponsors to help me cover the cost of the Apple Developer Program fee for future membership years. The progress of the funding for current and next Apple Developer membership year can be tracked on issue #184.

Your support will also greatly encourage and motivate me to continue putting more effort into maintaining and improving Ungoogled-Chromium macOS.

So, please consider sponsoring me through GitHub Sponsors or Buy me a Coffee.

Note that these sponsorship accounts are under the name of Cubik65536. All sponsor records (i.e. who’s sponsoring) will be public unless you choose to make it private. When sponsoring, you can leave a message specifying that it is for Ungoogled-Chromium, so you will be able to be credited in a sponsor list in the future.

Building

Software requirements

  • macOS 10.15+
  • Xcode 12
  • Homebrew
  • Perl (for creating a .dmg package)
  • Node.js

Setting up the build environment

  1. Install Ninja via Homebrew: brew install ninja
  2. Install GNU coreutils (for greadlink in packaging script): brew install coreutils
  3. Install GNU readline: brew install readline
  4. Install the data compression tools xz and zlib: brew install xz zlib
  5. Unlink binutils to use the one provided with Xcode: brew unlink binutils
  6. Install Node.js: brew install node
  7. Restart your Terminal

Build

First, ensure the Xcode application is open.

If you want to notarize the build, you need to have an Apple Developer ID and a valid Apple Developer Program membership. You also need to set the following environment variables:

  • MACOS_CERTIFICATE_NAME: The Full Name of the Developer ID Certificate you created (type G2 Sub-CA (Xcode 11.4.1 or later)) in Apple Developer portal, e.g.: Developer ID Application: Your Name (K1234567)
  • PROD_MACOS_NOTARIZATION_APPLE_ID: The email you used to register your Apple Account and Apple Developer Program
  • PROD_MACOS_NOTARIZATION_TEAM_ID: Your Apple Developer Team ID, which can be found in the Apple Developer membership page
  • PROD_MACOS_NOTARIZATION_PWD: An app-specific password generated in the Apple ID account settings

If you don't have an Apple Developer ID to sign the build (or you don't want to sign it), you can comment the following parts in build.sh:

# Sign the binary
codesign --sign "$MACOS_CERTIFICATE_NAME" --force --timestamp --identifier chrome_crashpad_handler --options=restrict,library,runtime,kill out/Default/Chromium.app/Contents/Frameworks/Chromium\ Framework.framework/Helpers/chrome_crashpad_handler
codesign --sign "$MACOS_CERTIFICATE_NAME" --force --timestamp --identifier io.ungoogled-software.ungoogled-chromium.helper --options restrict,library,runtime,kill out/Default/Chromium.app/Contents/Frameworks/Chromium\ Framework.framework/Helpers/Chromium\ Helper.app
codesign --sign "$MACOS_CERTIFICATE_NAME" --force --timestamp --identifier io.ungoogled-software.ungoogled-chromium.helper.renderer --options restrict,kill,runtime --entitlements $_root_dir/entitlements/helper-renderer-entitlements.plist out/Default/Chromium.app/Contents/Frameworks/Chromium\ Framework.framework/Helpers/Chromium\ Helper\ \(Renderer\).app
codesign --sign "$MACOS_CERTIFICATE_NAME" --force --timestamp --identifier io.ungoogled-software.ungoogled-chromium.helper --options restrict,kill,runtime --entitlements $_root_dir/entitlements/helper-gpu-entitlements.plist out/Default/Chromium.app/Contents/Frameworks/Chromium\ Framework.framework/Helpers/Chromium\ Helper\ \(GPU\).app
codesign --sign "$MACOS_CERTIFICATE_NAME" --force --timestamp --identifier io.ungoogled-software.ungoogled-chromium.helper.plugin --options restrict,kill,runtime --entitlements $_root_dir/entitlements/helper-plugin-entitlements.plist out/Default/Chromium.app/Contents/Frameworks/Chromium\ Framework.framework/Helpers/Chromium\ Helper\ \(Plugin\).app
codesign --sign "$MACOS_CERTIFICATE_NAME" --force --timestamp --identifier io.ungoogled-software.ungoogled-chromium.framework.AlertNotificationService --options restrict,library,runtime,kill out/Default/Chromium.app/Contents/Frameworks/Chromium\ Framework.framework/Helpers/Chromium\ Helper\ \(Alerts\).app
codesign --sign "$MACOS_CERTIFICATE_NAME" --force --timestamp --identifier app_mode_loader --options restrict,library,runtime,kill out/Default/Chromium.app/Contents/Frameworks/Chromium\ Framework.framework/Helpers/app_mode_loader
codesign --sign "$MACOS_CERTIFICATE_NAME" --force --timestamp --identifier web_app_shortcut_copier --options restrict,library,runtime,kill out/Default/Chromium.app/Contents/Frameworks/Chromium\ Framework.framework/Helpers/web_app_shortcut_copier
codesign --sign "$MACOS_CERTIFICATE_NAME" --force --timestamp --identifier libEGL out/Default/Chromium.app/Contents/Frameworks/Chromium\ Framework.framework/Libraries/libEGL.dylib
codesign --sign "$MACOS_CERTIFICATE_NAME" --force --timestamp --identifier libGLESv2 out/Default/Chromium.app/Contents/Frameworks/Chromium\ Framework.framework/Libraries/libGLESv2.dylib
codesign --sign "$MACOS_CERTIFICATE_NAME" --force --timestamp --identifier libvk_swiftshader out/Default/Chromium.app/Contents/Frameworks/Chromium\ Framework.framework/Libraries/libvk_swiftshader.dylib
codesign --sign "$MACOS_CERTIFICATE_NAME" --force --timestamp --identifier io.ungoogled-software.ungoogled-chromium.framework out/Default/Chromium.app/Contents/Frameworks/Chromium\ Framework.framework
codesign --sign "$MACOS_CERTIFICATE_NAME" --force --timestamp --identifier io.ungoogled-software.ungoogled-chromium --options restrict,library,runtime,kill --entitlements $_root_dir/entitlements/app-entitlements.plist --requirements '=designated => identifier "io.ungoogled-software.ungoogled-chromium" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */' out/Default/Chromium.app

# Verify the binary signature
codesign --verify --deep --verbose=4 out/Default/Chromium.app

# Pepare app notarization
ditto -c -k --keepParent "out/Default/Chromium.app" "notarize.zip"

# Notarize the app
xcrun notarytool store-credentials "notarytool-profile" --apple-id "$PROD_MACOS_NOTARIZATION_APPLE_ID" --team-id "$PROD_MACOS_NOTARIZATION_TEAM_ID" --password "$PROD_MACOS_NOTARIZATION_PWD"
xcrun notarytool submit "notarize.zip" --keychain-profile "notarytool-profile" --wait
xcrun stapler staple "out/Default/Chromium.app"

and uncomment the following part:

# codesign --force --deep --sign - out/Default/Chromium.app

to use ad-hoc signing.

Then, run the following:

git clone --recurse-submodules https://github.com/ungoogled-software/ungoogled-chromium-macos.git
cd ungoogled-chromium-macos
# Replace TAG_OR_BRANCH_HERE with a tag or branch name
git checkout --recurse-submodules TAG_OR_BRANCH_HERE
./build.sh

A .dmg should appear in build/

NOTE: If the build fails, you must take additional steps before re-running the build:

  • If the build fails while downloading the Chromium source code, it can be fixed by removing build/downloads_cache and re-running the build instructions.
  • If the build fails at any other point after downloading, it can be fixed by removing build/src and re-running the build instructions.

Developer info

Updating

  1. Start the process and set the environment variables

    ./devutils/update_patches.sh merge
    bash
    source devutils/set_quilt_vars.sh
  2. Setup Chromium source

    mkdir -p build/{src,download_cache}
    ./retrieve_and_unpack_resource.sh -g -p
  3. Update Rust toolchain (if necessary)

    1. Check the RUST_VERSION constant in file src/tools/rust/update_rust.py in build root.
      • As an example, the revision as of writing this guide is 340bb19fea20fd5f9357bbfac542fad84fc7ea2b.
    2. Get date for nightly Rust build from Rust's GitHub repository.
      • The page URL for our example is https://github.com/rust-lang/rust/commit/340bb19fea20fd5f9357bbfac542fad84fc7ea2b
        1. In this case, the corresponding nightly build date is 2024-02-14.
        2. Adapt the version number in downloads-arm64.ini and downloads-x86_64.ini accordingly.
    3. Get the information of the latest nightly build and adapt configurations accordingly.
      1. Download the latest nightly build from the Rust website.
        • For our example, the download URL for Apple Silicon Macs is https://static.rust-lang.org/dist/2024-02-14/rust-nightly-aarch64-apple-darwin.tar.gz
        • For our example, the download URL for Intel Chip Macs is https://static.rust-lang.org/dist/2024-02-14/rust-nightly-x86_64-apple-darwin.tar.gz
      2. Extract the archive.
      3. Execute rustc/bin/rustc -V in the extracted directory to get Rust version string.
        • For our example, the version string is rustc 1.78.0-nightly (a84bb95a1 2024-02-13).
      4. Adapt the content of retrieve_and_unpack_resource.sh and patches/ungoogled-chromium/macos/fix-build-with-rust.patch accordingly.
  4. Switch to src directory

    cd build/src
  5. Use quilt to refresh all patches: quilt push -a --refresh

    • If an error occurs, go to the next step. Otherwise, skip to Step 7.
  6. Use quilt to fix the broken patch:

    1. Run quilt push -f
    2. Edit the broken files as necessary by adding (quilt edit ... or quilt add ...) or removing (quilt remove ...) files as necessary
      • When removing large chunks of code, remove each line instead of using language features to hide or remove the code. This makes the patches less susceptible to breakages when using quilt's refresh command (e.g. quilt refresh updates the line numbers based on the patch context, so it's possible for new but desirable code in the middle of the block comment to be excluded.). It also helps with readability when someone wants to see the changes made based on the patch alone.
    3. Refresh the patch: quilt refresh
    4. Go back to Step 5.
  7. Run ../../ungoogled-chromium/devutils/validate_config.py

  8. Run quilt pop -a

  9. Validate that patches are applied correctly

    cd ../..
    ./ungoogled-chromium/devutils/validate_patches.py -l build/src -s patches/series.merged
  10. Remove all patches introduced by ungoogled-chromium: ./devutils/update_patches.sh unmerge

  11. Ensure patches/series is formatted correctly, e.g. blank lines

  12. Sanity checking for consistency in series file: ./devutils/check_patch_files.sh

  13. Use git to add changes and commit

License

See LICENSE