macOS packaging for ungoogled-chromium.
Download binaries from the Contributor Binaries website.
Source Code: It is recommended to use a tag via git checkout
(see building instructions below). You may also use master
, but it is for development and may not be stable.
Ungoogled-Chromium macOS builds are now notarized (signed) with an Apple Developer ID! Notarized builds will be provided at least till the end of our 2024-2025 Apple Developer Program membership year, which ends on September 2025.
The notarized binaries distributed in the ungoogled-software/ungoogled-chromium-macos repository are signed with the Apple Developer ID certificate Developer ID Application: Qian Qian (B9A88FL5XJ)
. You should be able to verify the signature of the binaries after downloading the .dmg
file, extracting the .app
file, and running the following command in Terminal:
spctl -a -vvv -t install path/to/Chromium.app
This output should show something like:
path/to/Chromium.app: accepted
source=Notarized Developer ID
origin=Developer ID Application: Qian Qian (B9A88FL5XJ)
that indicates the binary is correctly signed and notarized.
Thanks to the following sponsors for their generous support:
- @pascal-giguere (via GitHub Sponsors)
- @kevingriffin (via GitHub Sponsors)
- BabyFn0rd (via By Me a Coffee)
- dasos (via By Me a Coffee)
- @vinnysaj (via GitHub Sponsors)
These contributions made it possible for us to cover the cost of the Apple Developer Program membership and provide notarized builds of Ungoogled-Chromium macOS. All of these sponsorship contributions are greatly appreciated!
New sponsors are still very welcomed, as I (@Cubik65536, the current maintainer of Ungoogled-Chromium macOS) am still relying on community sponsors to help me cover the cost of the Apple Developer Program fee for future membership years. The progress of the funding for current and next Apple Developer membership year can be tracked on issue #184.
Your support will also greatly encourage and motivate me to continue putting more effort into maintaining and improving Ungoogled-Chromium macOS.
So, please consider sponsoring me through GitHub Sponsors or Buy me a Coffee.
Note that these sponsorship accounts are under the name of Cubik65536
. All sponsor records (i.e. who’s sponsoring) will be public unless you choose to make it private. When sponsoring, you can leave a message specifying that it is for Ungoogled-Chromium, so you will be able to be credited in a sponsor list in the future.
- macOS 10.15+
- Xcode 12
- Homebrew
- Perl (for creating a
.dmg
package) - Node.js
- Install Ninja via Homebrew:
brew install ninja
- Install GNU coreutils (for
greadlink
in packaging script):brew install coreutils
- Install GNU readline:
brew install readline
- Install the data compression tools xz and zlib:
brew install xz zlib
- Unlink binutils to use the one provided with Xcode:
brew unlink binutils
- Install Node.js:
brew install node
- Restart your Terminal
First, ensure the Xcode application is open.
If you want to notarize the build, you need to have an Apple Developer ID and a valid Apple Developer Program membership. You also need to set the following environment variables:
MACOS_CERTIFICATE_NAME
: The Full Name of the Developer ID Certificate you created (typeG2 Sub-CA (Xcode 11.4.1 or later)
) in Apple Developer portal, e.g.: Developer ID Application: Your Name (K1234567)PROD_MACOS_NOTARIZATION_APPLE_ID
: The email you used to register your Apple Account and Apple Developer ProgramPROD_MACOS_NOTARIZATION_TEAM_ID
: Your Apple Developer Team ID, which can be found in the Apple Developer membership pagePROD_MACOS_NOTARIZATION_PWD
: An app-specific password generated in the Apple ID account settings
If you don't have an Apple Developer ID to sign the build (or you don't want to sign it), you can comment the following parts in build.sh
:
# Sign the binary
codesign --sign "$MACOS_CERTIFICATE_NAME" --force --timestamp --identifier chrome_crashpad_handler --options=restrict,library,runtime,kill out/Default/Chromium.app/Contents/Frameworks/Chromium\ Framework.framework/Helpers/chrome_crashpad_handler
codesign --sign "$MACOS_CERTIFICATE_NAME" --force --timestamp --identifier io.ungoogled-software.ungoogled-chromium.helper --options restrict,library,runtime,kill out/Default/Chromium.app/Contents/Frameworks/Chromium\ Framework.framework/Helpers/Chromium\ Helper.app
codesign --sign "$MACOS_CERTIFICATE_NAME" --force --timestamp --identifier io.ungoogled-software.ungoogled-chromium.helper.renderer --options restrict,kill,runtime --entitlements $_root_dir/entitlements/helper-renderer-entitlements.plist out/Default/Chromium.app/Contents/Frameworks/Chromium\ Framework.framework/Helpers/Chromium\ Helper\ \(Renderer\).app
codesign --sign "$MACOS_CERTIFICATE_NAME" --force --timestamp --identifier io.ungoogled-software.ungoogled-chromium.helper --options restrict,kill,runtime --entitlements $_root_dir/entitlements/helper-gpu-entitlements.plist out/Default/Chromium.app/Contents/Frameworks/Chromium\ Framework.framework/Helpers/Chromium\ Helper\ \(GPU\).app
codesign --sign "$MACOS_CERTIFICATE_NAME" --force --timestamp --identifier io.ungoogled-software.ungoogled-chromium.helper.plugin --options restrict,kill,runtime --entitlements $_root_dir/entitlements/helper-plugin-entitlements.plist out/Default/Chromium.app/Contents/Frameworks/Chromium\ Framework.framework/Helpers/Chromium\ Helper\ \(Plugin\).app
codesign --sign "$MACOS_CERTIFICATE_NAME" --force --timestamp --identifier io.ungoogled-software.ungoogled-chromium.framework.AlertNotificationService --options restrict,library,runtime,kill out/Default/Chromium.app/Contents/Frameworks/Chromium\ Framework.framework/Helpers/Chromium\ Helper\ \(Alerts\).app
codesign --sign "$MACOS_CERTIFICATE_NAME" --force --timestamp --identifier app_mode_loader --options restrict,library,runtime,kill out/Default/Chromium.app/Contents/Frameworks/Chromium\ Framework.framework/Helpers/app_mode_loader
codesign --sign "$MACOS_CERTIFICATE_NAME" --force --timestamp --identifier web_app_shortcut_copier --options restrict,library,runtime,kill out/Default/Chromium.app/Contents/Frameworks/Chromium\ Framework.framework/Helpers/web_app_shortcut_copier
codesign --sign "$MACOS_CERTIFICATE_NAME" --force --timestamp --identifier libEGL out/Default/Chromium.app/Contents/Frameworks/Chromium\ Framework.framework/Libraries/libEGL.dylib
codesign --sign "$MACOS_CERTIFICATE_NAME" --force --timestamp --identifier libGLESv2 out/Default/Chromium.app/Contents/Frameworks/Chromium\ Framework.framework/Libraries/libGLESv2.dylib
codesign --sign "$MACOS_CERTIFICATE_NAME" --force --timestamp --identifier libvk_swiftshader out/Default/Chromium.app/Contents/Frameworks/Chromium\ Framework.framework/Libraries/libvk_swiftshader.dylib
codesign --sign "$MACOS_CERTIFICATE_NAME" --force --timestamp --identifier io.ungoogled-software.ungoogled-chromium.framework out/Default/Chromium.app/Contents/Frameworks/Chromium\ Framework.framework
codesign --sign "$MACOS_CERTIFICATE_NAME" --force --timestamp --identifier io.ungoogled-software.ungoogled-chromium --options restrict,library,runtime,kill --entitlements $_root_dir/entitlements/app-entitlements.plist --requirements '=designated => identifier "io.ungoogled-software.ungoogled-chromium" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */' out/Default/Chromium.app
# Verify the binary signature
codesign --verify --deep --verbose=4 out/Default/Chromium.app
# Pepare app notarization
ditto -c -k --keepParent "out/Default/Chromium.app" "notarize.zip"
# Notarize the app
xcrun notarytool store-credentials "notarytool-profile" --apple-id "$PROD_MACOS_NOTARIZATION_APPLE_ID" --team-id "$PROD_MACOS_NOTARIZATION_TEAM_ID" --password "$PROD_MACOS_NOTARIZATION_PWD"
xcrun notarytool submit "notarize.zip" --keychain-profile "notarytool-profile" --wait
xcrun stapler staple "out/Default/Chromium.app"
and uncomment the following part:
# codesign --force --deep --sign - out/Default/Chromium.app
to use ad-hoc signing.
Then, run the following:
git clone --recurse-submodules https://github.com/ungoogled-software/ungoogled-chromium-macos.git
cd ungoogled-chromium-macos
# Replace TAG_OR_BRANCH_HERE with a tag or branch name
git checkout --recurse-submodules TAG_OR_BRANCH_HERE
./build.sh
A .dmg
should appear in build/
NOTE: If the build fails, you must take additional steps before re-running the build:
- If the build fails while downloading the Chromium source code, it can be fixed by removing
build/downloads_cache
and re-running the build instructions. - If the build fails at any other point after downloading, it can be fixed by removing
build/src
and re-running the build instructions.
-
Start the process and set the environment variables
./devutils/update_patches.sh merge bash source devutils/set_quilt_vars.sh
-
Setup Chromium source
mkdir -p build/{src,download_cache} ./retrieve_and_unpack_resource.sh -g -p
-
Update Rust toolchain (if necessary)
- Check the
RUST_VERSION
constant in filesrc/tools/rust/update_rust.py
in build root.- As an example, the revision as of writing this guide is
340bb19fea20fd5f9357bbfac542fad84fc7ea2b
.
- As an example, the revision as of writing this guide is
- Get date for nightly Rust build from Rust's GitHub repository.
- The page URL for our example is
https://github.com/rust-lang/rust/commit/340bb19fea20fd5f9357bbfac542fad84fc7ea2b
- In this case, the corresponding nightly build date is
2024-02-14
. - Adapt the version number in
downloads-arm64.ini
anddownloads-x86_64.ini
accordingly.
- In this case, the corresponding nightly build date is
- The page URL for our example is
- Get the information of the latest nightly build and adapt configurations accordingly.
- Download the latest nightly build from the Rust website.
- For our example, the download URL for Apple Silicon Macs is
https://static.rust-lang.org/dist/2024-02-14/rust-nightly-aarch64-apple-darwin.tar.gz
- For our example, the download URL for Intel Chip Macs is
https://static.rust-lang.org/dist/2024-02-14/rust-nightly-x86_64-apple-darwin.tar.gz
- For our example, the download URL for Apple Silicon Macs is
- Extract the archive.
- Execute
rustc/bin/rustc -V
in the extracted directory to get Rust version string.- For our example, the version string is
rustc 1.78.0-nightly (a84bb95a1 2024-02-13)
.
- For our example, the version string is
- Adapt the content of
retrieve_and_unpack_resource.sh
andpatches/ungoogled-chromium/macos/fix-build-with-rust.patch
accordingly.
- Download the latest nightly build from the Rust website.
- Check the
-
Switch to src directory
cd build/src
-
Use
quilt
to refresh all patches:quilt push -a --refresh
- If an error occurs, go to the next step. Otherwise, skip to Step 7.
-
Use
quilt
to fix the broken patch:- Run
quilt push -f
- Edit the broken files as necessary by adding (
quilt edit ...
orquilt add ...
) or removing (quilt remove ...
) files as necessary- When removing large chunks of code, remove each line instead of using language features to hide or remove the code. This makes the patches less susceptible to breakages when using quilt's refresh command (e.g. quilt refresh updates the line numbers based on the patch context, so it's possible for new but desirable code in the middle of the block comment to be excluded.). It also helps with readability when someone wants to see the changes made based on the patch alone.
- Refresh the patch:
quilt refresh
- Go back to Step 5.
- Run
-
Run
../../ungoogled-chromium/devutils/validate_config.py
-
Run
quilt pop -a
-
Validate that patches are applied correctly
cd ../.. ./ungoogled-chromium/devutils/validate_patches.py -l build/src -s patches/series.merged
-
Remove all patches introduced by ungoogled-chromium:
./devutils/update_patches.sh unmerge
-
Ensure patches/series is formatted correctly, e.g. blank lines
-
Sanity checking for consistency in series file:
./devutils/check_patch_files.sh
-
Use git to add changes and commit
See LICENSE