My company distributes a Chrome extension along with our Windows apps. I have read the Google guidelines on doing so, here, and see that the recommended method of doing so is to publish the extension in the Chrome Web Store, which we have done. Then, during installation, we should place a key in the Windows registry, which will direct Chrome to download the extension from the store the next time it starts up. This all makes sense, and we are planning to use this method.
However, I am told by some of our developers that they are worried about certain scenarios (specifically in countries where access to Google servers may be blocked) where it may not be possible to install the extension this way. Therefore, they have proposed both using this method, and including the .crx file in our installation package. My question is: Will this cause any issues? For users with a normal connection to Google's servers, will they be able to receive the extension as normal?
Will this cause any issues?
As long as "it's useless, because it can't be installed" isn't an issue, then no, no issues including it. /sarcasm
You cannot install CRX files from third-party sources, even manually (and not at all automatically), with the possible exception of enterprise deployment via domain policies.
The only way to install a non-Store extension is as unpacked. This requires manually switching on the Developer mode, selecting the folder, and enduring the scary warning on every Chrome launch.
I'm afraid you'll need to consider excluding such scenarios from your potential market.
How to local install ALL Chrome CRX without any problem:
Chrome saves ALL information in %LocalAppData%\Google.
Install Chrome
Install Chrome .CRX you are needing
Back up %LocalAppData%\Google
Create WinRar to unpack saved profile to: %LocalAppData%
This bypasses the mandatory Chrome store installation.
What are the downsides of this method?
Using this method could overwrite existing user profile data/bookmarks.
Overwriting user saved bookmarks/passwords may cause data loss for user.
What is a possible workaround?
Firefox can use alternate profile, if set to do so via txt in user profile.
If Chrome profile can load alternate profile, locate the string/text responsible for this & edit it to use the new user profile path, then create a WinRar SFX to install to this new location.
This will then enable Chrome SFX installer (Via WinRar SFX) to install a chrome profile with the .CRX extensions desired already installed & not have to mess with pre-existing user data.
What are the downsides to this method?
Users may wonder how to get their old bookmarks/settings to work.
While users will get the new .CRX, it will be starting with essentially a blank profile.
How you can help:
We know we can install any unpacked CRX via SFX install.
We know we can potentially cause Chrome to use alternate profile to avoid corrupting or messing with user data.
We need someone with an idea how to install unpacked CRX without causing a problem in the old user profile.
Things tried so far:
Tried to locate the file(s) responsible for saving installed .CRX settings.
(Make unpacked CRX load & work properly)
Discovered a key file that contained bookmarks/user data also was the same one responsible for ID the CRX & making it load.
This presented a problem, because how is it possible to import this key file in a WinRar SFX installer, without also overwriting the user bookmarks/saved data?
If anyone can figure this part out, we can then use WinRar SFX to unpack CRX into Chrome profile directory, without overwriting/destroying user data.
Alternate method may be to re-route Chrome to use new profile with desired .CRX files already loaded, then cmd-line import the old profile settings/bookmarks/saved passwords.
If this is possible...
Congrats to all who are seeking solutions!
Working together, we can succeed!
Related
I am creating a website that have a link to download my chrome CRX app to install it on chrome, the problem is whenever I try to download it it's give me an error that says: " Package is invalid: 'CRX_REQUESTED_PROOF_MISSING' ".
How can I fix this problem?
NOTE: my app is working when I install it using developer tools.
My manifest.json:
{"name":"MY_APP_NAME",
"version":"0.0.1",
"manifest_version":2,
"minimum_chrome_version":"37.0.0.0",
"permissions":["webview","power","storage","videoCapture","geolocation","pointerLock","system.display",{"fileSystem":["write","retainEntries","directory"]},"accessibilityFeatures.read","accessibilityFeatures.modify"],"app":{"background":{"scripts":["js/foam.js","js/cab.js","config.js","background_main.js"]}},
"default_locale":"en",
"icons":{"128":"img/128.png"}}
I'm also currently having this issue and trying to find workarounds for it. Unfortunately it seems that due to Chrome's security policy, plugins needs to go through their webstore in order to have the multiple levels of "proof" before chrome will accept it as a legit extension. So far it seems the only way to get it to work is to load it as an unpacked extension, go through the webstore, or force install it via group policy.
Links and refs:
https://developer.chrome.com/apps/external_extensions
https://support.google.com/chrome/a/answer/6306504?hl=en
https://github.com/oncletom/crx/issues/109
According to documentation, Chrome does not allow installing CRX from outside of their store, unless in developer mode or through enterprise policy: https://developer.chrome.com/extensions/hosting_changes, or on Linux (it's mentioned at the beginning of linux_hosting i linked in my previous comment).
So that may be a reason, because in their source, that "proof missing" error is returned only if either public key is missing, or "required key" is missing:
https://github.com/chromium/chromium/blob/c48c9b176af94f7ec65e20f21594524526d2a830/components/crx_file/crx_verifier.cc#L178
"required key" seems to be their predefined key:
https://github.com/chromium/chromium/blob/c48c9b176af94f7ec65e20f21594524526d2a830/components/crx_file/crx_verifier.cc#L134
and
https://github.com/chromium/chromium/blob/c48c9b176af94f7ec65e20f21594524526d2a830/components/crx_file/crx_verifier.cc#L42
I'm guessing that's the public part of Chrome Web Store key? There's no easy or even "practical" way to create signature that will match their key.
So, either it's the missing Chrome Web Signature key, or something is wrong with how we create signature using developer's key.
How can I distribute my extension if I cannot upload it to the Chrome Web Store for policy reasons?
These changes are effective only on Windows stable and beta channel. Users who want to get extensions that are not hosted on the Chrome Web Store can do so on Chrome dev/canary channels in Windows or on all Chrome channels in other operating systems.
What are the supported deployment options for extensions after this change?
Apart from users installing extensions from the Chrome Web Store, the following deployment options will be supported:
For OSX and Linux, extensions can be installed via a preferences JSON file.
For Windows, extensions can be installed via the Windows registry. In the Windows registry, ensure that the update_url registry key points to the following URL: https://clients2.google.com/service/update2/crx. Local .crx installs via the path registry key are deprecated. Note that this deployment option works only for Chrome Web Store hosted extensions, and update_url cannot point to any other host other than https://clients2.google.com/service/update2/crx.
For Enterprises, we’ll continue to support group policy to install extensions, irrespective of where the extensions are hosted. Note that the user's machine has to join a domain for GPO policy pushes to be effective.
I've written an extension for Google Chrome that will be released with the next version of our product. I want to understand what properties, paths for extraction, registry entries, etc. should I provide the installer of my product so that the end user doesn't have to install the extension on their own manually, and the installer does the complete job of installing the extension, and also notifies the user that the extension has been installed. As of now, the code that I have written is placed in a folder, and I use the "Load Unpackaged Extension" to load the extension. What should I do to achieve the aforementioned task?
Google's current policy on installing extensions via the registry (for Windows machines) is this:
Only extensions from the Google Extension Gallery (or Chrome Web Store - CWS) can be installed via the registry.
See this link - https://developer.chrome.com/extensions/external_extensions - for information on how this can be done. Keep in mind the following:
-This technique will still pop-up a msgbox to the user. its not completely silent.
-When using this technique, if the user subsequently removes the extension from her Chrome, the extension gets "blacklisted" on that chrome and will not re-auto-install until the user re-install it
manually. refer to Auto-installing a google chrome extension won't work ! for details.
Chrome has a couple ways of installing extensions programmatically:
http://www.chromium.org/administrators/pre-installed-extensions
Edit: yes, this policy has changed by now, as FuzzyAmi points out.
If you're using GNU/Linux, this is how you pre-install an extension from the chrome web store for all users:
/etc/chromium/policies/managed/yourextension_policy.json
‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾
{
"ExtensionInstallForcelist": [
"yourextensionuniqueidentifiersup;https://clients2.google.com/service/update2/crx",
"yourextensionuniqueidentifiersup"
]
}
Reference
metamask-chrome - AUR
I have my own extension which I want to install without user interaction. I packed it into a .crx file and entered these values in the registry:
HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\Extensions\[ID]
"version"="1.0"
"path"="[crx Path]"
I tried both current user and local machine without success.
This was working before. My extension can be installed by using developer mode and dragging and dropping the crx file into chrome extensions. But I want to install without user interaction.
Is registry installation not allowed anymore?
even though you create a registry entry, Chrome will not use the local crx file for installation.
you need to supply: update_url with string value set to "https://clients2.google.com/service/update2/crx".
Upon chrome launch, Google will fetch the extension from web-store and show notification that'd let user install the extension.
Back in old days you'd side-load extensions. Those days are long gone.
Now you need to publish extension in webstore, and point update_url to store.
There are some exceptions (specifically for enterprise users with group policy settings) as mentioned in comments.
Currently, the only way to install a Chrome extension (while working in development) is to drag it from the desktop onto the browser and click "Add" on the popup window. I would prefer to make the whole process automatic. I currently build, package and sign my CRX programatically, but am stuck with the final manual step. Is this possible?
I tried creating my own URL from which to install the CRX (see here: After adding ExtensionInstallSources preference with my URL to Chrome Preferences, still won't allow installing ".crx" packaged app ) but this did not work.
I want this install to be permanent, not a temporary install that only lasts during the current run..
That's an old question, but you recently updated it, so..
There are no fully automated ways to do it besides Enterprise Policy, which only rarely applies. If that is not an option, you're out of luck. This was a security decision in 2014 by Chrome team, because malware that did that was rampant. Here's a latest post on this topic.
On a Windows machine, the Enterprise Policy force_install is the only no-confirmation one, but it requires a machine in a Windows Domain and admin rights in said domain to enable. I'm not 100% sure how it works on Linux/Mac, but here's a relevant FAQ.
There is a programmatic method of installing extensions, but it now only applies to extensions that are published in CWS (so that Google can pull the plug in case of abuse). It is described here, but will still require a manual approval from the user when the browser starts for the first time after this is added. That's how, for instance, various legitimate bundled extensions like Skype's Click-to-call are installed.
For unpacked extensions, you can run with the command line flag:
<path to chrome> --load-extension=<path to extension directory>
For installing a packaged extension in a .crx file, you can use the "external extensions" mechanism to automatically install from either an autoupdate url or a local path:
https://developer.chrome.com/extensions/external_extensions
Two things of note:
-Because this mechanism is intended mostly for distribution to end-users and not for testing, there is a confirmation dialog that allows the user to opt in to the install.
-We may eventually be deprecating the local path based installs in places where we're enforcing the "must be from the webstore" restriction, and only support the autoupdate url (which must be the webstore update url) approach.
I've written an extension for Google Chrome that will be released with the next version of our product. I want to understand what properties, paths for extraction, registry entries, etc. should I provide the installer of my product so that the end user doesn't have to install the extension on their own manually, and the installer does the complete job of installing the extension, and also notifies the user that the extension has been installed. As of now, the code that I have written is placed in a folder, and I use the "Load Unpackaged Extension" to load the extension. What should I do to achieve the aforementioned task?
Google's current policy on installing extensions via the registry (for Windows machines) is this:
Only extensions from the Google Extension Gallery (or Chrome Web Store - CWS) can be installed via the registry.
See this link - https://developer.chrome.com/extensions/external_extensions - for information on how this can be done. Keep in mind the following:
-This technique will still pop-up a msgbox to the user. its not completely silent.
-When using this technique, if the user subsequently removes the extension from her Chrome, the extension gets "blacklisted" on that chrome and will not re-auto-install until the user re-install it
manually. refer to Auto-installing a google chrome extension won't work ! for details.
Chrome has a couple ways of installing extensions programmatically:
http://www.chromium.org/administrators/pre-installed-extensions
Edit: yes, this policy has changed by now, as FuzzyAmi points out.
If you're using GNU/Linux, this is how you pre-install an extension from the chrome web store for all users:
/etc/chromium/policies/managed/yourextension_policy.json
‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾
{
"ExtensionInstallForcelist": [
"yourextensionuniqueidentifiersup;https://clients2.google.com/service/update2/crx",
"yourextensionuniqueidentifiersup"
]
}
Reference
metamask-chrome - AUR