Sideloaded Chrome extension not showing for managed users - google-chrome

We're making a Chrome extension that will be built specifically for organizations. They will specify it as a force-installed extension.
We've packed the extension with the latest crx3 format and verified that after packaging, we can install the extension into Chrome by dragging it into the extensions tab. It installs as expected and I've verified the extension ID is correct.
We have a test enterprise domain with a few Chromebooks. We've gone through the process of specifying the custom app, but it's not showing up. I've verified the policy has updated both through the G Suite admin console and in chrome://policy on the user's device. When looking at the policies, I see the extension we're force-installing listed in the table on chrome://policy, but the extension itself isn't showing up in the extension list.
Is there a good way to debug why a managed extension isn't being installed from the enterprise policy?

After some trial and error, we solved the problem due to a mixup of URLs in the update XML created for versioning.
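A check for the kind of URL mixup described in this answer, as an added example that is not part of the original post: it compares one force-list entry (`id;update_url`) with the update XML it should point to. The host names and ID are constructed, and the `.crx` suffix tests are heuristics assumed here, not rules Chrome enforces.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = "{http://www.google.com/update2/response}"

def check_forcelist_entry(entry, manifest_xml):
    """Return the problems found between one policy entry and its update XML."""
    ext_id, _, update_url = entry.partition(";")
    problems = []
    if not re.fullmatch(r"[a-p]{32}", ext_id):
        problems.append("policy ID is not 32 characters of a-p")
    if urlparse(update_url).path.lower().endswith(".crx"):  # heuristic
        problems.append("policy update URL points at a .crx, not the update XML")
    root = ET.fromstring(manifest_xml)
    if root.tag != NS + "gupdate":
        return problems + ["root is not <gupdate> in the update2 namespace"]
    apps = {app.get("appid"): app for app in root.iter(NS + "app")}
    check = apps[ext_id].find(NS + "updatecheck") if ext_id in apps else None
    if check is None:
        return problems + [f"no <app appid='{ext_id}'> with an <updatecheck>"]
    codebase = check.get("codebase", "")
    url = urlparse(codebase)
    if url.scheme not in ("http", "https") or not url.netloc:
        problems.append("codebase is not an absolute http(s) URL")
    if not url.path.lower().endswith(".crx"):  # heuristic
        problems.append("codebase does not point at a .crx file")
    if not re.fullmatch(r"\d+(\.\d+){0,3}", check.get("version", "")):
        problems.append("version is not 1-4 dot-separated integers")
    return problems

# Constructed samples: a consistent pair, then the same pair with the URLs swapped.
ID = "abcdefghijklmnopabcdefghijklmnop"
XML = ("<gupdate xmlns='http://www.google.com/update2/response' protocol='2.0'>"
       "<app appid='{id}'><updatecheck codebase='{url}' version='1.2.0'/></app>"
       "</gupdate>")
GOOD = (f"{ID};https://ext.example.test/updates.xml",
        XML.format(id=ID, url="https://ext.example.test/ext.crx"))
SWAPPED = (f"{ID};https://ext.example.test/ext.crx",
           XML.format(id=ID, url="https://ext.example.test/updates.xml"))

if __name__ == "__main__":
    for name, pair in (("good", GOOD), ("swapped", SWAPPED)):
        print(name, check_forcelist_entry(*pair))
```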

Related

how to fix CRX_REQUESTED_PROOF_MISSING error

I am creating a website that has a link to download my Chrome CRX app to install it on Chrome. The problem is that whenever I try to download it, it gives me an error that says: "Package is invalid: 'CRX_REQUESTED_PROOF_MISSING'".
How can I fix this problem?
NOTE: my app is working when I install it using developer tools.
My manifest.json:
{
  "name": "MY_APP_NAME",
  "version": "0.0.1",
  "manifest_version": 2,
  "minimum_chrome_version": "37.0.0.0",
  "permissions": ["webview", "power", "storage", "videoCapture", "geolocation",
                  "pointerLock", "system.display",
                  {"fileSystem": ["write", "retainEntries", "directory"]},
                  "accessibilityFeatures.read", "accessibilityFeatures.modify"],
  "app": {"background": {"scripts": ["js/foam.js", "js/cab.js", "config.js", "background_main.js"]}},
  "default_locale": "en",
  "icons": {"128": "img/128.png"}
}
I'm also currently having this issue and trying to find workarounds for it. Unfortunately it seems that due to Chrome's security policy, plugins need to go through their webstore in order to have the multiple levels of "proof" before Chrome will accept it as a legit extension. So far it seems the only way to get it to work is to load it as an unpacked extension, go through the webstore, or force install it via group policy.
Links and refs:
https://developer.chrome.com/apps/external_extensions
https://support.google.com/chrome/a/answer/6306504?hl=en
https://github.com/oncletom/crx/issues/109
According to documentation, Chrome does not allow installing CRX from outside of their store, unless in developer mode or through enterprise policy: https://developer.chrome.com/extensions/hosting_changes, or on Linux (it's mentioned at the beginning of linux_hosting I linked in my previous comment).
So that may be a reason, because in their source, that "proof missing" error is returned only if either public key is missing, or "required key" is missing:
https://github.com/chromium/chromium/blob/c48c9b176af94f7ec65e20f21594524526d2a830/components/crx_file/crx_verifier.cc#L178
"required key" seems to be their predefined key:
https://github.com/chromium/chromium/blob/c48c9b176af94f7ec65e20f21594524526d2a830/components/crx_file/crx_verifier.cc#L134
and
https://github.com/chromium/chromium/blob/c48c9b176af94f7ec65e20f21594524526d2a830/components/crx_file/crx_verifier.cc#L42
I'm guessing that's the public part of the Chrome Web Store key? There's no easy or even "practical" way to create a signature that will match their key.
So, either it's the missing Chrome Web Signature key, or something is wrong with how we create signature using developer's key.
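To see which keys a packed file actually carries proofs for, the CRX3 header can be read directly. The following is an added example, not code from the thread or from Chromium: it parses the `Cr24` header (protobuf fields 2, 3 and 10000 of `CrxFileHeader`) and reports, for each proof, the SHA-256 of its public key and the extension ID that key maps to. The sample file is constructed with placeholder key and signature bytes.

```python
import hashlib
import struct

ALGOS = {2: "sha256_with_rsa", 3: "sha256_with_ecdsa"}  # CrxFileHeader fields
TO_ID = str.maketrans("0123456789abcdef", "abcdefghijklmnop")

def varint(buf, pos):
    """Decode one protobuf varint; return (value, next_pos)."""
    value = shift = 0
    while True:
        byte = buf[pos]
        pos += 1
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return value, pos
        shift += 7

def fields(buf):
    """Yield (field_number, payload) for each length-delimited field."""
    pos = 0
    while pos < len(buf):
        key, pos = varint(buf, pos)
        size, pos = varint(buf, pos)
        if key & 7 != 2 or pos + size > len(buf):
            raise ValueError("malformed or truncated protobuf field")
        yield key >> 3, buf[pos:pos + size]
        pos += size

def crx3_key_proofs(crx):
    """Return [(algorithm, sha256(public_key) hex, extension ID of that key)]."""
    if crx[:4] != b"Cr24" or len(crx) < 12:
        raise ValueError("not a CRX file")
    version, header_size = struct.unpack_from("<II", crx, 4)
    if version != 3 or len(crx) < 12 + header_size:
        raise ValueError("not CRX3, or header truncated")
    proofs = []
    for number, proof in fields(crx[12:12 + header_size]):
        if number in ALGOS:  # skips field 10000, signed_header_data
            key = next((p for f, p in fields(proof) if f == 1), None)  # public_key
            digest = hashlib.sha256(key).hexdigest() if key else None
            proofs.append((ALGOS[number], digest, digest and digest[:32].translate(TO_ID)))
    return proofs

# Constructed sample: one RSA proof with placeholder key and signature bytes.
_proof = b"\x0a\x0bexample-key\x12\x03sig"
_header = b"\x12" + bytes([len(_proof)]) + _proof + b"\x82\xf1\x04\x12\x0a\x10" + bytes(16)
SAMPLE_CRX = b"Cr24" + struct.pack("<II", 3, len(_header)) + _header + b"PK\x05\x06"

if __name__ == "__main__":
    print(crx3_key_proofs(SAMPLE_CRX))
```

A file packed locally shows a single proof whose ID is the extension's own ID; any further rows are additional signers.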
How can I distribute my extension if I cannot upload it to the Chrome Web Store for policy reasons?
These changes are effective only on Windows stable and beta channel. Users who want to get extensions that are not hosted on the Chrome Web Store can do so on Chrome dev/canary channels in Windows or on all Chrome channels in other operating systems.
What are the supported deployment options for extensions after this change?
Apart from users installing extensions from the Chrome Web Store, the following deployment options will be supported:
For OSX and Linux, extensions can be installed via a preferences JSON file.
For Windows, extensions can be installed via the Windows registry. In the Windows registry, ensure that the update_url registry key points to the following URL: https://clients2.google.com/service/update2/crx. Local .crx installs via the path registry key are deprecated. Note that this deployment option works only for Chrome Web Store hosted extensions, and update_url cannot point to any other host other than https://clients2.google.com/service/update2/crx.
For Enterprises, we’ll continue to support group policy to install extensions, irrespective of where the extensions are hosted. Note that the user's machine has to join a domain for GPO policy pushes to be effective.

Chrome Extensions won't install when using ExtensionInstallForcelist in HKCU

Here's the deal. We are trying to install some Chrome extensions (version 47+) via GPO. We're putting the ExtensionInstallForcelist under the user configuration, but it's not working. The registry entry shows up, so the GPO works, but Chrome doesn't seem to be reading it to perform the install.
There is a slight catch. We are running Websense Endpoint agent on our systems, which installs its own Chrome extension by adding a registry entry under the ExtensionInstallForcelist in HKLM.
When I look at the Chrome Policies, I see the ExtensionInstallForcelist enabled only for "Machine".
Does Chrome only accept one install list? Either HKLM or HKCU with HKLM being the preferred? At least that's the behavior that I'm seeing.
Any help or information would be appreciated. All of the information that I've found on Chrome Extensions and GPO only list the Machine policy and don't really cover the User policy.
Thank you.
We had the exact same issue as you, with the Websense Endpoint trumping any GPO User level ExtensionInstallForcelist settings we put in place for a custom Chrome Extension.
This was the party line I found from Chromium project regarding who wins in User vs Machine chrome policies:
"Correct. We do not merge policy values, we just use the value read from the highest-priority source."
(Taken from this person who had the same problem:
https://productforums.google.com/forum/#!msg/chrome/wygwLDak6ZQ/NKurhHpdCgAJ )
Observationally, the Machine level is apparently the higher-priority source. As such, we moved all the Chrome extension settings to the Computer Configuration level of the GPO instead. This worked and installed our custom extension and all settings; however, this in turn prevented the Websense Endpoint from making its ExtensionInstallForcelist registry entries and stopped it loading correctly.
So we ended up adding the Websense Extension details to the machine level GPO ForceInstallList as well:
mkkjioebiampndpmidmadhpmgffdckhe;C:\Program Files\Websense\Websense Endpoint\dlpext.xml
This is obviously not the best approach, as we now need to manage/keep an eye on the Websense endpoint deployments via GPO, but it got things working for the subset of machines we needed to install the Chrome extension on.
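The no-merge behaviour and the workaround from this answer, modelled as an added example that is not part of the original post: given the machine-level and user-level force lists, it reports which list takes effect, which user entries are silently dropped, and the single machine-level list that would carry both. Machine-over-user precedence is the answer's observation and is assumed here; the user-level entry is constructed.

```python
def split_entry(entry):
    """Split 'extension_id;update_source' (the source part is optional)."""
    ext_id, _, source = entry.partition(";")
    return ext_id.strip(), source.strip()

def plan_forcelist(machine, user):
    """Apply the no-merge rule, then plan one machine-level list covering both."""
    # Assumption from the answer above: Machine outranks User, and the
    # winning source replaces the other list instead of being merged with it.
    effective = list(machine) if machine else list(user)
    winning_ids = {split_entry(e)[0] for e in effective}
    ignored = [e for e in user if split_entry(e)[0] not in winning_ids]
    consolidated = dict(split_entry(e) for e in machine)
    conflicts = []
    for entry in user:
        ext_id, source = split_entry(entry)
        # Same ID already listed with a different source: report, keep machine's.
        if consolidated.setdefault(ext_id, source) != source:
            conflicts.append((ext_id, consolidated[ext_id], source))
    merged = [f"{i};{s}" if s else i for i, s in consolidated.items()]
    return {"effective": effective, "ignored": ignored,
            "consolidated": merged, "conflicts": conflicts}

# HKLM entry as quoted in the answer; the HKCU entry is constructed.
MACHINE = [r"mkkjioebiampndpmidmadhpmgffdckhe;C:\Program Files\Websense\Websense Endpoint\dlpext.xml"]
USER = ["abcdefghijklmnopabcdefghijklmnop;https://ext.example.test/updates.xml"]

if __name__ == "__main__":
    for key, value in plan_forcelist(MACHINE, USER).items():
        print(key, value)
```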

Programmatically installing a chrome extension to the default profile [duplicate]

I've written an extension for Google Chrome that will be released with the next version of our product. I want to understand what properties, paths for extraction, registry entries, etc. should I provide the installer of my product so that the end user doesn't have to install the extension on their own manually, and the installer does the complete job of installing the extension, and also notifies the user that the extension has been installed. As of now, the code that I have written is placed in a folder, and I use the "Load Unpackaged Extension" to load the extension. What should I do to achieve the aforementioned task?
Google's current policy on installing extensions via the registry (for Windows machines) is this:
Only extensions from the Google Extension Gallery (or Chrome Web Store - CWS) can be installed via the registry.
See this link - https://developer.chrome.com/extensions/external_extensions - for information on how this can be done. Keep in mind the following:
- This technique will still pop up a msgbox to the user; it's not completely silent.
- When using this technique, if the user subsequently removes the extension from her Chrome, the extension gets "blacklisted" on that Chrome and will not re-auto-install until the user re-installs it manually. Refer to "Auto-installing a google chrome extension won't work !" for details.
Chrome has a couple ways of installing extensions programmatically:
http://www.chromium.org/administrators/pre-installed-extensions
Edit: yes, this policy has changed by now, as FuzzyAmi points out.
If you're using GNU/Linux, this is how you pre-install an extension from the chrome web store for all users:
/etc/chromium/policies/managed/yourextension_policy.json:

    {
      "ExtensionInstallForcelist": [
        "yourextensionuniqueidentifiersup;https://clients2.google.com/service/update2/crx",
        "yourextensionuniqueidentifiersup"
      ]
    }
Reference
metamask-chrome - AUR

Offline google chrome extensions

Background:
I manage an offline network of workstations.
I have written a chrome extension that needs to be in the browser for our webapp to function
I have published it through the chrome store (but not made it public)
Question:
How do I install this extension without the internet
What I've tried:
Windows GPO: Requires the update URL to be http://clients2.google.com/service/update2/crx
Windows Registry: same URL problem
Unpacked extensions: prompts users, requires developer tools, and disables the extension when chrome is restarted.
install crx: disables the extension when chrome is restarted.
Any other ideas, or ways around this?
Chrome version 48.
I was able to do this on a regular chrome installation by doing the following:
Download the extension in crx format - how to download a crx file from the chrome web store for a given id
Unzip the crx file
I had to rename the _metadata folder to metadata
Open the chrome extensions page
Enable Developer mode
Click "Load unpacked extension..."
Select the unzipped folder
This worked for me when I needed to install Advanced REST client.
I have just:
Downloaded the add-on CRX file using http://crxextractor.com/
Opened the "extensions" page on Chrome.
Drag-and-dropped the CRX file onto the "extensions" page.
I got it to work actually, sadly forgot about this post until now.
I had the Business version installed as #gerardnimo suggested.
What I wound up doing is
1) Set up an IIS server to serve both the CRX and the update XML, based on this guide: https://developer.chrome.com/extensions/autoupdate
2) Then I was able to install the extension via group policy.
Here is a thread that I've found. He suggests that you can use Google Chrome for Business.
Since September 3, 2015, installing Chrome extensions off-line no longer works (and here) due to Google trying to prevent malicious extensions being downloaded and installed. Installing an extension off-line today requires you to install a signed pre-packaged full Chrome install, using Google's Chrome for Business. This functionality is controlled by a policy list. Or according to this post, you can use their Dev or Canary channels to run any extension. Their latest builds can be found here
