diff --git a/core/app_prebuilt_internal.mk b/core/app_prebuilt_internal.mk
index ab574b3fa4e9c6f0b59d40d07e8415f5dc4f35c8..238d3e79252352bde1bb72dfc9503f0e5ddc94a1 100644
--- a/core/app_prebuilt_internal.mk
+++ b/core/app_prebuilt_internal.mk
@@ -245,6 +245,7 @@ ifeq ($(module_run_appcompat),true)
 	$(call appcompat-header, aapt2)
 	$(run-appcompat)
 endif  # module_run_appcompat
+	$(patch-trichrome)
 	$(sign-package)
 	# No need for align-package because sign-package takes care of alignment
 else  # LOCAL_CERTIFICATE == PRESIGNED
diff --git a/core/config.mk b/core/config.mk
index c9efa116fc96657657b87ad3e155ef7738d6b026..a27d842881ce483ce906c6454f2a0f116aa6a9e3 100644
--- a/core/config.mk
+++ b/core/config.mk
@@ -669,6 +669,8 @@ JETIFIER := prebuilts/sdk/tools/jetifier/jetifier-standalone/bin/jetifier-standa
 
 EXTRACT_KERNEL := build/make/tools/extract_kernel.py
 
+PATCH_TRICHROME := build/make/tools/chromium_trichrome_patcher.py
+
 # Path to tools.jar
 HOST_JDK_TOOLS_JAR := $(ANDROID_JAVA8_HOME)/lib/tools.jar
 
diff --git a/core/definitions.mk b/core/definitions.mk
index 89c2e276a37aeda1d54cbbc6502f3f82f91e0a73..c6af6df9cbe41d9580d75815aa885683397a67b2 100644
--- a/core/definitions.mk
+++ b/core/definitions.mk
@@ -3342,3 +3342,8 @@ define use_soong_sdk_libraries
   $(foreach l,$(1),$(if $(filter $(l),$(SOONG_SDK_VARIANT_MODULES)),\
       $(l).sdk,$(l)))
 endef
+
+# Patch Trichrome to add cert digest at buildtime
+define patch-trichrome
+$(hide) $(PATCH_TRICHROME) $@ $(PRIVATE_CERTIFICATE)
+endef
diff --git a/tools/chromium_trichrome_patcher.py b/tools/chromium_trichrome_patcher.py
new file mode 100755
index 0000000000000000000000000000000000000000..bda96b3fa66cab264936722887573ddaf570a2f1
--- /dev/null
+++ b/tools/chromium_trichrome_patcher.py
@@ -0,0 +1,39 @@
+#!/usr/bin/env python3
+
+import os
+import subprocess
+import sys
+import zipfile
+
+infilename, sign_key = sys.argv[1:]
+
+def ExtractFingerprint(cert):
+    cmd = ['openssl', 'x509', '-sha256', '-fingerprint', '-noout', '-in', cert]
+    proc = subprocess.run(cmd, stdout=subprocess.PIPE)
+    return proc.stdout.decode('utf-8').split('=')[1].replace(':', '')
+
+def patch_trichrome(infilename, sign_key):
+    orig_certdigest = "32a2fc74d731105859e5a85df16d95f102d85b22099b8064c5d8915c61dad1e0"
+    new_certdigest = ExtractFingerprint(sign_key).lower().rstrip()
+
+    with zipfile.ZipFile(infilename, 'r') as zin, zipfile.ZipFile(infilename + ".patched", 'w') as zout:
+        for info in zin.infolist():
+            data = zin.read(info.filename)
+            if info.filename == 'AndroidManifest.xml':
+                # Make sure we can find the certdigest
+                try:
+                    data.rindex(orig_certdigest.encode('utf-16-le'))
+                except:
+                    pass
+                # Replace it
+                data = data.replace(orig_certdigest.encode('utf-16-le'), new_certdigest.encode('utf-16-le'))
+            zout.writestr(info, data)
+
+    # Delete the original file
+    os.remove(infilename)
+
+    # Rename the output file to the original file name
+    os.rename(infilename + ".patched", infilename)
+
+if "Browser_" in infilename or "BrowserWebView_" in infilename:
+    patch_trichrome(infilename, sign_key)