I've written an extension for Google Chrome that will be released with the next version of our product. I want to understand what properties, paths for extraction, registry entries, etc. should I provide the installer of my product so that the end user doesn't have to install the extension on their own manually, and the installer does the complete job of installing the extension, and also notifies the user that the extension has been installed. As of now, the code that I have written is placed in a folder, and I use the "Load Unpackaged Extension" to load the extension. What should I do to achieve the aforementioned task?
Google's current policy on installing extensions via the registry (for Windows machines) is this:
Only extensions from the Google Extension Gallery (or Chrome Web Store - CWS) can be installed via the registry.
See this link - https://developer.chrome.com/extensions/external_extensions - for information on how this can be done. Keep in mind the following:
-This technique will still pop-up a msgbox to the user. its not completely silent.
-When using this technique, if the user subsequently removes the extension from her Chrome, the extension gets "blacklisted" on that chrome and will not re-auto-install until the user re-install it
manually. refer to Auto-installing a google chrome extension won't work ! for details.
Chrome has a couple ways of installing extensions programmatically:
http://www.chromium.org/administrators/pre-installed-extensions
Edit: yes, this policy has changed by now, as FuzzyAmi points out.
If you're using GNU/Linux, this is how you pre-install an extension from the chrome web store for all users:
/etc/chromium/policies/managed/yourextension_policy.json
‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾
{
"ExtensionInstallForcelist": [
"yourextensionuniqueidentifiersup;https://clients2.google.com/service/update2/crx",
"yourextensionuniqueidentifiersup"
]
}
Reference
metamask-chrome - AUR
Related
I am creating a website that have a link to download my chrome CRX app to install it on chrome, the problem is whenever I try to download it it's give me an error that says: " Package is invalid: 'CRX_REQUESTED_PROOF_MISSING' ".
How can I fix this problem?
NOTE: my app is working when I install it using developer tools.
My manifest.json:
{"name":"MY_APP_NAME",
"version":"0.0.1",
"manifest_version":2,
"minimum_chrome_version":"37.0.0.0",
"permissions":["webview","power","storage","videoCapture","geolocation","pointerLock","system.display",{"fileSystem":["write","retainEntries","directory"]},"accessibilityFeatures.read","accessibilityFeatures.modify"],"app":{"background":{"scripts":["js/foam.js","js/cab.js","config.js","background_main.js"]}},
"default_locale":"en",
"icons":{"128":"img/128.png"}}
I'm also currently having this issue and trying to find workarounds for it. Unfortunately it seems that due to Chrome's security policy, plugins needs to go through their webstore in order to have the multiple levels of "proof" before chrome will accept it as a legit extension. So far it seems the only way to get it to work is to load it as an unpacked extension, go through the webstore, or force install it via group policy.
Links and refs:
https://developer.chrome.com/apps/external_extensions
https://support.google.com/chrome/a/answer/6306504?hl=en
https://github.com/oncletom/crx/issues/109
According to documentation, Chrome does not allow installing CRX from outside of their store, unless in developer mode or through enterprise policy: https://developer.chrome.com/extensions/hosting_changes, or on Linux (it's mentioned at the beginning of linux_hosting i linked in my previous comment).
So that may be a reason, because in their source, that "proof missing" error is returned only if either public key is missing, or "required key" is missing:
https://github.com/chromium/chromium/blob/c48c9b176af94f7ec65e20f21594524526d2a830/components/crx_file/crx_verifier.cc#L178
"required key" seems to be their predefined key:
https://github.com/chromium/chromium/blob/c48c9b176af94f7ec65e20f21594524526d2a830/components/crx_file/crx_verifier.cc#L134
and
https://github.com/chromium/chromium/blob/c48c9b176af94f7ec65e20f21594524526d2a830/components/crx_file/crx_verifier.cc#L42
I'm guessing that's the public part of Chrome Web Store key? There's no easy or even "practical" way to create signature that will match their key.
So, either it's the missing Chrome Web Signature key, or something is wrong with how we create signature using developer's key.
How can I distribute my extension if I cannot upload it to the Chrome Web Store for policy reasons?
These changes are effective only on Windows stable and beta channel. Users who want to get extensions that are not hosted on the Chrome Web Store can do so on Chrome dev/canary channels in Windows or on all Chrome channels in other operating systems.
What are the supported deployment options for extensions after this change?
Apart from users installing extensions from the Chrome Web Store, the following deployment options will be supported:
For OSX and Linux, extensions can be installed via a preferences JSON file.
For Windows, extensions can be installed via the Windows registry. In the Windows registry, ensure that the update_url registry key points to the following URL: https://clients2.google.com/service/update2/crx. Local .crx installs via the path registry key are deprecated. Note that this deployment option works only for Chrome Web Store hosted extensions, and update_url cannot point to any other host other than https://clients2.google.com/service/update2/crx.
For Enterprises, we’ll continue to support group policy to install extensions, irrespective of where the extensions are hosted. Note that the user's machine has to join a domain for GPO policy pushes to be effective.
I have my own extension which I want to install without user interaction. I packed it into a .crx file and entered these values in the registry:
HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\Extensions\[ID]
"version"="1.0"
"path"="[crx Path]"
I tried both current user and local machine without success.
This was working before. My extension can be installed by using developer mode and dragging and dropping the crx file into chrome extensions. But I want to install without user interaction.
Is registry installation not allowed anymore?
even though you create a registry entry, Chrome will not use the local crx file for installation.
you need to supply: update_url with string value set to "https://clients2.google.com/service/update2/crx".
Upon chrome launch, Google will fetch the extension from web-store and show notification that'd let user install the extension.
Back in old days you'd side-load extensions. Those days are long gone.
Now you need to publish extension in webstore, and point update_url to store.
There are some exceptions (specifically for enterprise users with group policy settings) as mentioned in comments.
We built a chrome extension to be used only inside our company by selective people. We do not want to publish this on chrome web store. We could do this before by just drag & drop the crx file in the extensions page.
But in the latest version of chrome(i use 35.x), we are not able to do this anymore. Whenever we try to install the crx file, chrome automatically disables it and shows a message
"This extension is not listed in the Chrome Web Store and may have been added without your knowledge"
with a link to https://support.google.com/chrome/answer/2811969 where it says
"You're seeing this notification because one or more of your Chrome extensions has been turned off to make Chrome safer. The extensions didn't come from the Chrome Web Store or were installed without your permission."
So, Does this mean we can never install crx file from now on? No workaround?
I know we can install using Group Policy method, but is that the only way we can do this?
Thanks in advance.
Yes, this has been disabled as a protection against malware.
The only workarounds I'm aware of are:
turn on Developer Mode and have users install as an unpacked extension after unzipping the CRX
publish unlisted or to a Google Group: https://support.google.com/chrome/a/answer/2663860?hl=en
Currently, the only way to install a Chrome extension (while working in development) is to drag it from the desktop onto the browser and click "Add" on the popup window. I would prefer to make the whole process automatic. I currently build, package and sign my CRX programatically, but am stuck with the final manual step. Is this possible?
I tried creating my own URL from which to install the CRX (see here: After adding ExtensionInstallSources preference with my URL to Chrome Preferences, still won't allow installing ".crx" packaged app ) but this did not work.
I want this install to be permanent, not a temporary install that only lasts during the current run..
That's an old question, but you recently updated it, so..
There are no fully automated ways to do it besides Enterprise Policy, which only rarely applies. If that is not an option, you're out of luck. This was a security decision in 2014 by Chrome team, because malware that did that was rampant. Here's a latest post on this topic.
On a Windows machine, the Enterprise Policy force_install is the only no-confirmation one, but it requires a machine in a Windows Domain and admin rights in said domain to enable. I'm not 100% sure how it works on Linux/Mac, but here's a relevant FAQ.
There is a programmatic method of installing extensions, but it now only applies to extensions that are published in CWS (so that Google can pull the plug in case of abuse). It is described here, but will still require a manual approval from the user when the browser starts for the first time after this is added. That's how, for instance, various legitimate bundled extensions like Skype's Click-to-call are installed.
For unpacked extensions, you can run with the command line flag:
<path to chrome> --load-extension=<path to extension directory>
For installing a packaged extension in a .crx file, you can use the "external extensions" mechanism to automatically install from either an autoupdate url or a local path:
https://developer.chrome.com/extensions/external_extensions
Two things of note:
-Because this mechanism is intended mostly for distribution to end-users and not for testing, there is a confirmation dialog that allows the user to opt in to the install.
-We may eventually be deprecating the local path based installs in places where we're enforcing the "must be from the webstore" restriction, and only support the autoupdate url (which must be the webstore update url) approach.
I've written an extension for Google Chrome that will be released with the next version of our product. I want to understand what properties, paths for extraction, registry entries, etc. should I provide the installer of my product so that the end user doesn't have to install the extension on their own manually, and the installer does the complete job of installing the extension, and also notifies the user that the extension has been installed. As of now, the code that I have written is placed in a folder, and I use the "Load Unpackaged Extension" to load the extension. What should I do to achieve the aforementioned task?
Google's current policy on installing extensions via the registry (for Windows machines) is this:
Only extensions from the Google Extension Gallery (or Chrome Web Store - CWS) can be installed via the registry.
See this link - https://developer.chrome.com/extensions/external_extensions - for information on how this can be done. Keep in mind the following:
-This technique will still pop-up a msgbox to the user. its not completely silent.
-When using this technique, if the user subsequently removes the extension from her Chrome, the extension gets "blacklisted" on that chrome and will not re-auto-install until the user re-install it
manually. refer to Auto-installing a google chrome extension won't work ! for details.
Chrome has a couple ways of installing extensions programmatically:
http://www.chromium.org/administrators/pre-installed-extensions
Edit: yes, this policy has changed by now, as FuzzyAmi points out.
If you're using GNU/Linux, this is how you pre-install an extension from the chrome web store for all users:
/etc/chromium/policies/managed/yourextension_policy.json
‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾
{
"ExtensionInstallForcelist": [
"yourextensionuniqueidentifiersup;https://clients2.google.com/service/update2/crx",
"yourextensionuniqueidentifiersup"
]
}
Reference
metamask-chrome - AUR