Cuyler Stuwe
Sep 11, 2021, 7:45:23 PM
to Chromium Extensions, Clay Smith, Cuyler Stuwe, Chromium Extensions
Since they're used solely to lock the ID of the extension and are generally not visible to untrusted others, I tend to commit these keys along with the codebase. There's no real impersonation risk once you've submitted your extension to the CWS once; it's not as though another extension can be submitted to a different account with the same ID.
As for CI/CD, depends on how you have it set up. 🤷♂️
For any given environment target, I have 3 build modes:
- Unpacked development. This puts the public key in the "key" property of the manifest, in order to lock the extension ID derived from it.
- Initial deploy. This puts the private key in a "key.pem" file in the root of your zipped extension. The CWS will consume this and derive the extension ID from it.
- Updated deploy. This doesn't put any keys anywhere (historically, the CWS would panic if you included a key file or a key property in the manifest on package updates).
These are my relevant NPM scripts:

```json
"generate-private-key": "2>/dev/null openssl genrsa 2048 | openssl pkcs8 -topk8 -nocrypt -out private-key.pem",
"generate-derived-public-key": "2>/dev/null openssl rsa -in private-key.pem -pubout -outform DER | openssl base64 -A -out public-key-base64.txt",
"generate-key-pair": "npm run generate-private-key && npm run generate-derived-public-key",
"generate-key-pair-if-not-generated": "(shx test -f private-key.pem && shx test -f public-key-base64.txt) || npm run generate-key-pair",
"copy-private-key-to-dist": "cp private-key-upload.pem dist/key.pem"
```
I have a manifest.js file that I run with Node to generate my manifest.json programmatically, and it starts off like this:
```js
const fs = require("fs");

// Base64 DER public key written by the generate-derived-public-key script
// (file name taken from that script; reading it here is an added line).
const localPublicKeyText = fs.readFileSync("public-key-base64.txt", "utf8").trim();

const manifest = {
  // Only unpacked local-dev builds pin the extension ID via the "key" property.
  key: (
    process.env.BUILD_ENV === "local-dev"
      ? localPublicKeyText
      : undefined
  ),
  //...
```