diff --git a/core/app_prebuilt_internal.mk b/core/app_prebuilt_internal.mk
index 79639a8301bcc871df5439eb88e92b21ab2b3826..f6f4673bfc545763b69dfc0a5be98c4fe689124d 100644
--- a/core/app_prebuilt_internal.mk
+++ b/core/app_prebuilt_internal.mk
@@ -245,6 +245,7 @@ ifeq ($(module_run_appcompat),true)
 	$(call appcompat-header, aapt2)
 	$(run-appcompat)
 endif  # module_run_appcompat
+	$(patch-trichrome)
 	$(sign-package)
 	# No need for align-package because sign-package takes care of alignment
 else  # LOCAL_CERTIFICATE == PRESIGNED
diff --git a/core/config.mk b/core/config.mk
index 9f9a564f1ed402d2efd7fcbfea05ad1cedbcdc31..1a6801603a23c30a10a932e860d6c10e66d0d990 100644
--- a/core/config.mk
+++ b/core/config.mk
@@ -605,6 +605,8 @@ JETIFIER := prebuilts/sdk/tools/jetifier/jetifier-standalone/bin/jetifier-standa
 
 EXTRACT_KERNEL := build/make/tools/extract_kernel.py
 
+PATCH_TRICHROME := build/make/tools/chromium_trichrome_patcher.py
+
 # Path to tools.jar
 HOST_JDK_TOOLS_JAR := $(ANDROID_JAVA8_HOME)/lib/tools.jar
 
diff --git a/core/definitions.mk b/core/definitions.mk
index c5fe76b60678f374754a125fbceecf4f1af603a9..773ca9465c02b1831d682ed8cefabb2a561d68ec 100644
--- a/core/definitions.mk
+++ b/core/definitions.mk
@@ -3454,3 +3454,8 @@ define use_soong_sdk_libraries
   $(foreach l,$(1),$(if $(filter $(l),$(SOONG_SDK_VARIANT_MODULES)),\
       $(l).sdk,$(l)))
 endef
+
+# Patch Trichrome to add cert digest at buildtime
+define patch-trichrome
+$(hide) $(PATCH_TRICHROME) $@ $(PRIVATE_CERTIFICATE)
+endef
diff --git a/tools/chromium_trichrome_patcher.py b/tools/chromium_trichrome_patcher.py
new file mode 100755
index 0000000000000000000000000000000000000000..bda96b3fa66cab264936722887573ddaf570a2f1
--- /dev/null
+++ b/tools/chromium_trichrome_patcher.py
@@ -0,0 +1,39 @@
+#!/usr/bin/env python3
+
+import os
+import subprocess
+import sys
+import zipfile
+
+infilename, sign_key = sys.argv[1:]
+
+def ExtractFingerprint(cert):
+    cmd = ['openssl', 'x509', '-sha256', '-fingerprint', '-noout', '-in', cert]
+    proc = subprocess.run(cmd, stdout=subprocess.PIPE)
+    return proc.stdout.decode('utf-8').split('=')[1].replace(':', '')
+
+def patch_trichrome(infilename, sign_key):
+    orig_certdigest = "32a2fc74d731105859e5a85df16d95f102d85b22099b8064c5d8915c61dad1e0"
+    new_certdigest = ExtractFingerprint(sign_key).lower().rstrip()
+
+    with zipfile.ZipFile(infilename, 'r') as zin, zipfile.ZipFile(infilename + ".patched", 'w') as zout:
+        for info in zin.infolist():
+            data = zin.read(info.filename)
+            if info.filename == 'AndroidManifest.xml':
+                # Make sure we can find the certdigest
+                try:
+                    data.rindex(orig_certdigest.encode('utf-16-le'))
+                except:
+                    pass
+                # Replace it
+                data = data.replace(orig_certdigest.encode('utf-16-le'), new_certdigest.encode('utf-16-le'))
+            zout.writestr(info, data)
+
+    # Delete the original file
+    os.remove(infilename)
+
+    # Rename the output file to the original file name
+    os.rename(infilename + ".patched", infilename)
+
+if "Browser_" in infilename or "BrowserWebView_" in infilename:
+    patch_trichrome(infilename, sign_key)