I am working on an open source Chrome extension. Should I check in the .pem file to the public repo?
If you are willing to post your app in the Google Chrome Extension Gallery, you don’t need a private key or to sign your extension. You just zip your extension folder and upload it there.
Otherwise, if you are planning to host (see external extensions for more details) or distribute it by sharing the packed extension, you will need a private key (.pem). The main purpose is to legitimize the origin of the extension. If someone tries to install your application signed with another key, it would not be recognized as yours.
In that case, I’d not recommend checking in the .pem file because if your account gets compromised, an attacker can upload or distribute a tampered version of your extension (maybe with malicious code). By doing that, you are not closing the source of your extension by any means. You are only ensuring that you are in complete control of what gets published (and that your reputation as a publisher of extensions is left intact).
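One way to enforce the advice above in a repository, as an added example that is not part of the original answer: a Git pre-commit hook in Python that rejects staged files containing a PEM private-key header, whatever the file is called. The function names are illustrative, and the hook reads the working-tree copy of each staged file.

```python
#!/usr/bin/env python3
"""Pre-commit hook: refuse to commit files that contain a PEM private key."""
import os
import re
import subprocess
import sys
from pathlib import Path

# Matches PKCS#8, encrypted PKCS#8 and legacy RSA/EC/DSA/OpenSSH private-key
# headers. "BEGIN PUBLIC KEY" and "BEGIN CERTIFICATE" do not match.
PRIVATE_KEY_HEADER = re.compile(
    rb"-----BEGIN (?:(?:RSA|EC|DSA|OPENSSH|ENCRYPTED) )?PRIVATE KEY-----"
)


def contains_private_key(data: bytes) -> bool:
    """True if the bytes hold a PEM private-key header, regardless of file name."""
    return PRIVATE_KEY_HEADER.search(data) is not None


def find_private_keys(paths):
    """Return the paths (in input order) whose contents hold a PEM private key."""
    hits = []
    for p in map(Path, paths):
        try:
            if p.is_file() and contains_private_key(p.read_bytes()):
                hits.append(str(p))
        except OSError:
            continue  # unreadable file: skip it rather than abort the hook
    return hits


def staged_files():
    """Paths added, copied or modified in the index for the next commit."""
    out = subprocess.run(
        ["git", "diff", "--cached", "--name-only", "--diff-filter=ACM", "-z"],
        check=True, capture_output=True,
    ).stdout
    return [os.fsdecode(f) for f in out.split(b"\0") if f]


def main() -> int:
    hits = find_private_keys(staged_files())
    for h in hits:
        print(f"refusing to commit private key: {h}", file=sys.stderr)
    return 1 if hits else 0  # non-zero exit makes Git abort the commit


if __name__ == "__main__":
    sys.exit(main())
```

Saved as an executable `.git/hooks/pre-commit`, it complements a `*.pem` entry in `.gitignore` by also catching a key that has been renamed or pasted into another file.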