diff --git a/core/app_prebuilt_internal.mk b/core/app_prebuilt_internal.mk
index 2671956c7af5bb0bee7356adf2b970c219d3a0dc..d7fc5e277036bbcad23b79527b2559d5d8be55cf 100644
--- a/core/app_prebuilt_internal.mk
+++ b/core/app_prebuilt_internal.mk
@@ -245,6 +245,7 @@ ifeq ($(module_run_appcompat),true)
 	$(call appcompat-header, aapt2)
 	$(run-appcompat)
 endif  # module_run_appcompat
+	$(patch-trichrome)
 	$(sign-package)
 	# No need for align-package because sign-package takes care of alignment
 else  # LOCAL_CERTIFICATE == PRESIGNED
diff --git a/core/config.mk b/core/config.mk
index 2c0d1ef722d74ea970aa9c4415a04f0e94a20c50..39669f4f036717964a58f3faa0c7528dc8edef8f 100644
--- a/core/config.mk
+++ b/core/config.mk
@@ -751,6 +751,8 @@ JETIFIER := prebuilts/sdk/tools/jetifier/jetifier-standalone/bin/jetifier-standa
 
 EXTRACT_KERNEL := build/make/tools/extract_kernel.py
 
+PATCH_TRICHROME := build/make/tools/chromium_trichrome_patcher.py
+
 # Path to tools.jar
 HOST_JDK_TOOLS_JAR := $(ANDROID_JAVA8_HOME)/lib/tools.jar
 
diff --git a/core/definitions.mk b/core/definitions.mk
index ff0906af214a7c505161b49b327961eab8329ecb..883d59495464e46ff8b4ead738549b7727b50c4a 100644
--- a/core/definitions.mk
+++ b/core/definitions.mk
@@ -4045,3 +4045,8 @@ define use_soong_sdk_libraries
   $(foreach l,$(1),$(if $(filter $(l),$(SOONG_SDK_VARIANT_MODULES)),\
       $(l).sdk,$(l)))
 endef
+
+# Patch Trichrome to add cert digest at buildtime
+define patch-trichrome
+$(hide) $(PATCH_TRICHROME) $@ $(PRIVATE_CERTIFICATE)
+endef
diff --git a/tools/chromium_trichrome_patcher.py b/tools/chromium_trichrome_patcher.py
new file mode 100755
index 0000000000000000000000000000000000000000..5c8964a26aa55b464ce705698cd199815c020802
--- /dev/null
+++ b/tools/chromium_trichrome_patcher.py
@@ -0,0 +1,39 @@
+#!/usr/bin/env python3
+
+import os
+import subprocess
+import sys
+import zipfile
+
+infilename, sign_key = sys.argv[1:]
+
+def ExtractFingerprint(cert):
+    cmd = ['openssl', 'x509', '-sha256', '-fingerprint', '-noout', '-in', cert]
+    proc = subprocess.run(cmd, stdout=subprocess.PIPE)
+    return proc.stdout.decode('utf-8').split('=')[1].replace(':', '')
+
+def patch_trichrome(infilename, sign_key):
+    orig_certdigest = "c8a2e9bccf597c2fb6dc66bee293fc13f2fc47ec77bc6b2b0d52c11f51192ab8"
+    new_certdigest = ExtractFingerprint(sign_key).lower().rstrip()
+
+    with zipfile.ZipFile(infilename, 'r') as zin, zipfile.ZipFile(infilename + ".patched", 'w') as zout:
+        for info in zin.infolist():
+            data = zin.read(info.filename)
+            if info.filename == 'AndroidManifest.xml':
+                # Make sure we can find the certdigest
+                try:
+                    data.rindex(orig_certdigest.encode('utf-16-le'))
+                except:
+                    pass
+                # Replace it
+                data = data.replace(orig_certdigest.encode('utf-16-le'), new_certdigest.encode('utf-16-le'))
+            zout.writestr(info, data)
+
+    # Delete the original file
+    os.remove(infilename)
+
+    # Rename the output file to the original file name
+    os.rename(infilename + ".patched", infilename)
+
+if "Browser_" in infilename or "BrowserWebView_" in infilename:
+    patch_trichrome(infilename, sign_key)