Unverified Commit 3a8dd041 authored by Emily, committed by GitHub

Merge pull request #310209 from emilylange/chromium-disable-drm-auto-download

chromium: prevent automatic Widevine DRM download
parents 44dad029 e4f185cf
+5 −0
@@ -459,6 +459,11 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m

- `firefox-devedition`, `firefox-beta`, `firefox-esr` executable file names for now match their package names, which is consistent with the `firefox-*-bin` packages. The desktop entries are also updated so that you can have multiple editions of firefox in your app launcher.

- `chromium` and `ungoogled-chromium` had a long stanging issue regarding Widevine DRM handling in nixpkgs fixed.
  `chromium` now no longer automatically downloads Widevine when encountering DRM protected content.
  To be able to play DRM protected content in `chromium` now, you have to explicitly opt-in as originally intended using `chromium.override { enableWideVine = true; }`.
  This override has been added almost 10 years ago.

- switch-to-configuration does not directly call systemd-tmpfiles anymore.
  Instead, the new artificial sysinit-reactivation.target is introduced which
  allows to restart multiple services that are ordered before sysinit.target
+24 −5
@@ -241,8 +241,26 @@ let
      ./patches/cross-compile.patch
      # Optional patch to use SOURCE_DATE_EPOCH in compute_build_timestamp.py (should be upstreamed):
      ./patches/no-build-timestamps.patch
      # For bundling Widevine (DRM), might be replaceable via bundle_widevine_cdm=true in gnFlags:
      ./patches/widevine-79.patch
    ] ++ lib.optionals (packageName == "chromium") [
      # This patch is limited to chromium and ungoogled-chromium because electron-source sets
      # enable_widevine to false.
      #
      # The patch disables the automatic Widevine download (component) that happens at runtime
      # completely (~/.config/chromium/WidevineCdm/). This would happen if chromium encounters DRM
      # protected content or when manually opening chrome://components.
      #
      # It also prevents previously downloaded Widevine blobs in that location from being loaded and
      # used at all, while still allowing the use of our -wv wrapper. This is because those old
      # versions are out of out our control and may be vulnerable, given we literally disable their
      # auto updater.
      #
      # bundle_widevine_cdm is available as gn flag, but we cannot use it, as it expects a bunch of
      # files Widevine files at configure/compile phase that we don't have. Changing the value of the
      # BUNDLE_WIDEVINE_CDM build flag does work in the way we want though.
      # We also need enable_widevine_cdm_component to be false. Unfortunately it isn't exposed as gn
      # flag (declare_args) so we simply hardcode it to false.
      ./patches/widevine-disable-auto-download-allow-bundle.patch
    ] ++ [
      # Required to fix the build with a more recent wayland-protocols version
      # (we currently package 1.26 in Nixpkgs while Chromium bundles 1.21):
      # Source: https://bugs.chromium.org/p/angleproject/issues/detail?id=7582#c1
@@ -418,10 +436,11 @@ let
      # Feature overrides:
      # Native Client support was deprecated in 2020 and support will end in June 2021:
      enable_nacl = false;
      # Enabling the Widevine component here doesn't affect whether we can
      # redistribute the chromium package; the Widevine component is either
      # added later in the wrapped -wv build or downloaded from Google:
    } // lib.optionalAttrs (packageName == "chromium") {
      # Enabling the Widevine here doesn't affect whether we can redistribute the chromium package.
      # Widevine in this drv is a bit more complex than just that. See Widevine patch somewhere above.
      enable_widevine = true;
    } // {
      # Provides the enable-webrtc-pipewire-capturer flag to support Wayland screen capture:
      rtc_use_pipewire = true;
      # Disable PGO because the profile data requires a newer compiler version (LLVM 14 isn't sufficient):
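Review bot: The comment block introducing `./patches/widevine-disable-auto-download-allow-bundle.patch` in the first hunk contains two garbled phrases, `out of out our control` and `a bunch of files Widevine files`, and it leaves out the consequence of this change for the opt-in path. With the component updater disabled and previously downloaded blobs refused, the only CDM that can still load is the one the -wv wrapper bundles, so it is presumably pinned until nixpkgs bumps that package rather than patched by Chromium's own updater; that trade-off belongs next to the `may be vulnerable` justification so a user of `enableWideVine = true` knows where CDM security fixes now come from. I'd correct the two phrases and add `# Consequently the bundled CDM (enableWideVine) only receives security fixes when its nixpkgs package is bumped, since the in-browser updater is gone.` The second hunk's `See Widevine patch somewhere above.` would also be clearer naming the patch file explicitly.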
+27 −0
diff --git a/third_party/widevine/cdm/BUILD.gn b/third_party/widevine/cdm/BUILD.gn
index ed0e2f5208b..5b431a030d5 100644
index 525693b6c10ab..245491e137d39 100644
--- a/third_party/widevine/cdm/BUILD.gn
+++ b/third_party/widevine/cdm/BUILD.gn
@@ -14,7 +14,7 @@ buildflag_header("buildflags") {
@@ -22,7 +22,7 @@ buildflag_header("buildflags") {
 
   flags = [
     "ENABLE_WIDEVINE=$enable_widevine",
-    "BUNDLE_WIDEVINE_CDM=$bundle_widevine_cdm",
+    "BUNDLE_WIDEVINE_CDM=true",
     "ENABLE_WIDEVINE_CDM_COMPONENT=$enable_widevine_cdm_component",
     "ENABLE_MEDIA_FOUNDATION_WIDEVINE_CDM=$enable_media_foundation_widevine_cdm",
   ]
 }
diff --git a/third_party/widevine/cdm/widevine.gni b/third_party/widevine/cdm/widevine.gni
index 58f073ca562ca..4b242c2618dfb 100644
--- a/third_party/widevine/cdm/widevine.gni
+++ b/third_party/widevine/cdm/widevine.gni
@@ -41,8 +41,7 @@ enable_library_widevine_cdm =
 # Widevine CDM can be deployed as a component. Currently only supported on
 # desktop platforms. The CDM can be bundled regardless whether
 # it's a component. See below.
-enable_widevine_cdm_component =
-    enable_library_widevine_cdm && (is_win || is_mac || is_linux || is_chromeos)
+enable_widevine_cdm_component = false
 
 # Enable (Windows) Media Foundation Widevine CDM component.
 declare_args() {