crx format specification

1,350 views
Skip to first unread message

Aleksandar Kostadinov

unread,
Nov 19, 2019, 6:50:40 AM11/19/19
to Chromium Extensions
Hello,

I'm reading around trying to figure out chrome extension `.crx` format. The only thing I find is [1] but it does not describe the crx binary format.

I would like to generate a CRX file using Ruby. Is anybody able to point me at CRX binary such specification?

Thank you.

PhistucK

unread,
Nov 19, 2019, 7:16:01 AM11/19/19
to Aleksandar Kostadinov, Chromium Extensions
Not sure there is a specification, but there are at least two reference implementations. One is in Chromium, in C++ and the other one, unofficial and in Python, can be found here -
https://groups.google.com/a/chromium.org/forum/#!topic/chromium-extensions/XvddmJZvGIY
Perhaps you can follow the reference implementation to create your own, or port the reference implementation to Ruby.

PhistucK


--
You received this message because you are subscribed to the Google Groups "Chromium Extensions" group.
To unsubscribe from this group and stop receiving emails from it, send an email to chromium-extens...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/chromium-extensions/977b9b99-2bb9-476b-992f-97a3e37bf20c%40chromium.org.

Joshua Pawlicki

unread,
Nov 19, 2019, 9:18:19 AM11/19/19
to Chromium Extensions, akost...@gmail.com

On Tuesday, November 19, 2019 at 4:16:01 AM UTC-8, PhistucK wrote:
Not sure there is a specification, but there are at least two reference implementations. One is in Chromium, in C++ and the other one, unofficial and in Python, can be found here -
Perhaps you can follow the reference implementation to create your own, or port the reference implementation to Ruby.

PhistucK


On Tue, Nov 19, 2019 at 1:50 PM Aleksandar Kostadinov <akost...@gmail.com> wrote:
Hello,

I'm reading around trying to figure out chrome extension `.crx` format. The only thing I find is [1] but it does not describe the crx binary format.

I would like to generate a CRX file using Ruby. Is anybody able to point me at CRX binary such specification?

Thank you.

--
You received this message because you are subscribed to the Google Groups "Chromium Extensions" group.
To unsubscribe from this group and stop receiving emails from it, send an email to chromium-extensions+unsub...@chromium.org.

Anton Bershanskiy

unread,
Nov 19, 2019, 9:21:13 AM11/19/19
to Chromium Extensions
It is just an archive, I think gzip. I'm away from my computer at the moment, but I remember being able to unpack it with standard tools. On Linux you can use gzip or unzip, on Windows 10 you can just change file name to .zip and double click it.

PhistucK

unread,
Nov 19, 2019, 9:44:06 AM11/19/19
to Anton Bershanskiy, Chromium Extensions
Note that the question is how to generate, not how to unpack. Generating it simply as a ZIP/gzip file is not enough for Chrome to load it, it has to have a very specific header.

PhistucK


On Tue, Nov 19, 2019 at 4:21 PM 'Anton Bershanskiy' via Chromium Extensions <chromium-...@chromium.org> wrote:
It is just an archive, I think gzip. I'm away from my computer at the moment, but I remember being able to unpack it with standard tools. On Linux you can use gzip or unzip, on Windows 10 you can just change file name to .zip and double click it.

--
You received this message because you are subscribed to the Google Groups "Chromium Extensions" group.
To unsubscribe from this group and stop receiving emails from it, send an email to chromium-extens...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/chromium-extensions/fe027119-ad5e-4f5c-866d-22877a1f84aa%40chromium.org.
Message has been deleted

Aleksandar Kostadinov

unread,
Dec 3, 2019, 6:08:38 PM12/3/19
to Joshua Pawlicki, Chromium Extensions
On Tue, Dec 3, 2019 at 7:09 PM Joshua Pawlicki <waf...@google.com> wrote:
>
> CRX_REQUIRED_PROOF_MISSING is expected, since it will occur in the absence of a Google signature if you try to install the CRX via URL. (That signature is meant to be Google's attestation that the true "owner" of the crx ID uploaded this file.) I think it shouldn't affect Selenium, which I think loads the extension in an "external" context that doesn't have that check.

Thanks for confirmation.

> If you're interested in another implementation's check on the signature itself, I have found https://crx-checker.appspot.com to be helpful.
> In this case you'd be expecting a CRX3 with a single RSASSA-PKCS1-v1_5 signature that is marked with both (Signature OK) and (Developer Signature).

Now this is truly nice! As you suggested, I've got RSASSA-PKCS1-v1_5
signature with (Signature OK) (Developer Signature). So I guess my
implementation is correct!

Thanks a lot again!

Joshua Pawlicki

unread,
Dec 4, 2019, 3:00:31 AM12/4/19
to Aleksandar Kostadinov, Chromium Extensions
CRX_REQUIRED_PROOF_MISSING is expected, since it will occur in the absence of a Google signature if you try to install the CRX via URL. (That signature is meant to be Google's attestation that the true "owner" of the crx ID uploaded this file.) I think it shouldn't affect Selenium, which I think loads the extension in an "external" context that doesn't have that check.

If you're interested in another implementation's check on the signature itself, I have found https://crx-checker.appspot.com to be helpful.
In this case you'd be expecting a CRX3 with a single RSASSA-PKCS1-v1_5 signature that is marked with both (Signature OK) and (Developer Signature).

On Tue, Nov 26, 2019 at 11:00 AM Aleksandar Kostadinov <akost...@gmail.com> wrote:
Thank you all!

I have managed to implement it in Ruby. You can check my blog post [1]. I'm pasting the header generator code as a reference here [2] in case my blog ever goes down or is moved.

Honestly I'm not 100% sure that signature is fully correct. Comparing file size with same extension packed by chrome it is exactly the same size. But both packages fail to load if I type in address bar `/path/to/extension.crx` with the same error `CRX_REQUIRED_PROOF_MISSING`. I read this is expected. What I mostly care about is that it properly loads when running under Selenium.

Please let me know if you spot any issues with that.


  require_relative 'resource/chrome_crx3/crx3.pb.rb'

  def self.header_v3_extension(zipdata, key: nil)
    key ||= OpenSSL::PKey::RSA.generate(2048)

    digest = OpenSSL::Digest.new('sha256')
    signed_data = Crx_file::SignedData.new
    signed_data.crx_id = digest.digest(key.public_key.to_der)[0...16]
    signed_data = signed_data.encode

    signature_data = String.new(encoding: "ASCII-8BIT")
    signature_data << "CRX3 SignedData\00"
    signature_data << [ signed_data.size ].pack("V")
    signature_data << signed_data
    signature_data << zipdata

    signature = key.sign(digest, signature_data)

    proof = Crx_file::AsymmetricKeyProof.new
    proof.public_key = key.public_key.to_der
    proof.signature = signature

    header_struct = Crx_file::CrxFileHeader.new
    header_struct.sha256_with_rsa = [proof]
    header_struct.signed_header_data = signed_data
    header_struct = header_struct.encode

    header = String.new(encoding: "ASCII-8BIT")
    header << "Cr24"
    header << [ 3 ].pack("V") # version
    header << [ header_struct.size ].pack("V")
    header << header_struct

    return header
  end

--
You received this message because you are subscribed to a topic in the Google Groups "Chromium Extensions" group.
To unsubscribe from this topic, visit https://groups.google.com/a/chromium.org/d/topic/chromium-extensions/K3YIsNL_Et4/unsubscribe.
To unsubscribe from this group and all its topics, send an email to chromium-extens...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/chromium-extensions/71e4bd3e-f35d-43cf-8a0f-39451aa45115%40chromium.org.
Reply all
Reply to author
Forward
0 new messages