Chrome 75.x: Package is invalid: 'CRX_REQUIRED_PROOF_MISSING' about crx HOT 14 CLOSED

According to documentation, Chrome does not allow installing CRX from outside of their store, unless in developer mode or through enterprise policy: https://developer.chrome.com/extensions/hosting_changes, or on Linux (it's mentioned at the beginning of linux_hosting i linked in my previous comment).
So that may be a reason, because in their source, that "proof missing" error is returned only if either public key is missing, or "required key" is missing:
https://github.com/chromium/chromium/blob/c48c9b176af94f7ec65e20f21594524526d2a830/components/crx_file/crx_verifier.cc#L178
"required key" seems to be their predefined key:
https://github.com/chromium/chromium/blob/c48c9b176af94f7ec65e20f21594524526d2a830/components/crx_file/crx_verifier.cc#L134
and
https://github.com/chromium/chromium/blob/c48c9b176af94f7ec65e20f21594524526d2a830/components/crx_file/crx_verifier.cc#L42
I'm guessing that's the public part of Chrome Web Store key? There's no easy or even "practical" way to create signature that will match their key.
So, either it's the missing Chrome Web Signature key, or something is wrong with how we create signature using developer's key.

from crx.

When i drag&dropped tiny test CRX onto Chrome's window (onto default new tab) i got the same error.
When i drag&dropped it onto a tab opened on chrome://extensions/ (with "Developer mode" enabled) it worked OK. Without "Developer mode" switch enabled, i got the same error.

@eladnava @realjax can you check that too?

from crx.

Hi @ahwayakchih,
Thanks for your help.

Chrome used to allow downloading CRX files via HTTP file download (using application/x-chrome-extension mime-type), even outside Chrome Web Store.

Chrome 75 broke that, but .crx files can still be downloaded, just the Content-type header needs to be changed by the server sending the .crx file:

Content-type: application/x-chrome-extension

This is the workaround we used, we can close this issue.

from crx.

Found a workaround, sending a different Content-type but still saving the file with the .crx extension:

Content-type: application/octet-stream
Content-disposition: attachment; filename=something.crx
<-- crx file -->

from crx.

Not sure about Windows 10 , but on my Work pc ( MacOs Mojave) I still get this:

from crx.

@realjax Are you trying to generate a new extension here?
https://applicationize.me/now

It works for me now on Chrome 75 using the workaround above.

from crx.

@eladnava, @realjax according to documentation about linux hosting, extension has to specify update_url in its manifest.json file. That URL has to respond with XML file/data: https://developer.chrome.com/extensions/linux_hosting#update_url

from crx.

Hey guys, I'm receiving this issue with the same version of chrome but not when downloading a CRX file. I pack my extension via Chrome's "Pack Extension" button on the extensions page. When I double click the crx file I just create, it gives me the error CRX_REQUIRED_PROOF_MISSING.

I'm in developer mode, and could use some advice. The end goal is to load the extension into a Selenium automated browser. Even though I'm loading the extension into Selenium, it's not appearing and I believe this is the cause. Any thoughts?

from crx.

@stephenarifin According to documentation, Chrome on Windows blocks installing CRX if it's not from their web store. But you may still work around that using policies (look for "chrome policy force_install") and webserver that serves both CRX and XML files.
Or test using data from ZIP file instead of full CRX file (look for "Testing Chrome Extensions with Selenium" article from 28th of January 2019) - but i did not test that, so i don't know if that works with latest Chrome.
Or test on Linux - documentation mentions that it's allowed to install CRX on Linux (or maybe on Windows too, but using Chromium instead of Chrome?), if it is served with proper headers.

from crx.

@ahwayakchih, thanks for the response. To be clear, I'm actually using MacOS and not installing the extension from a web server. This is a local dev copy of an extension i'm developing.

from crx.

@stephenarifin what happens when you go to chrome://extensions page, switch developer mode on and drag and drop CRX file into the window?

Here, on Linux with Chromium, i get confirmation dialog, click "Add extension" and it installs OK.
But when i drag & drop CRX file on some other page, it shows CRX_REQUIRED_PROOF_MISSING error, even after i click "continue" on warning dialog.

But it should be possible to force_install it through policy file created in correct directory. After starting the browser, extension should already be installed.

Check this for Mac:

• https://support.google.com/chrome/a/answer/7517624?hl=en&ref_topic=9023246
• https://www.chromium.org/administrators/mac-quick-start

from crx.

@ahwayakchih, if I drag and drop the CRX file into the extension window, I get the confirmation dialog and installs correctly. However, if I double click the CRX file, I get the CRX_REQUIRED_PROOF_MISSING error. If I drag and drop the CRX on another page that isn't extensions, nothing happens.

from crx.

@stephenarifin OK, so for checking manually if CRX file works, you can still install it through extensions window. CRX_REQUIRED_PROOF_MISSING error is about missing signature from Chrome's web store AFAIK, so if it installs through extensions window, file is valid, just unsigned.

To test if extension works after it's installed, you may try using ZIP file or a path to extension's directory (the one with sources, manifest.json file, etc...). It works with Puppeteer, so maybe it will also work with Selenium (sorry, i don't use Selenium, so i can't be sure).

To automate testing if CRX file is valid, without emulating user interaction, use policy file - it won't install CRX file that is somehow invalid. I'm currently working on setting that up with Docker and Alpine Linux.

As for allowing end-users to install it... i don't know. If you can control environment, e.g., you work in corporate IT, you can use policy files and internal web server. Otherwise, if you do not want to distribute extension through Google's web store... AFAIK the only way is to ask users to go to extensions page and install CRX there (unless you find Google's private key).

from crx.

@stephenarifin check these:

1. Configuring policy files on Mac: https://www.chromium.org/administrators/configuring-policy-for-extensions#TOC-Mac
2. Enabling installing CRX from custom URLs: https://www.chromium.org/administrators/policy-list-3#ExtensionInstallSources

So, for Mac, to enable installing local CRX files, plist file could be like (not tested!):

<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>com.google.Chrome.ExtensionInstallSources</key>
    <array>
      <string>file:///*</string>
    </array>
  </dict>
</plist>

I just tested that on Linux (using JSON policy file at /etc/chromium/policies/managed/test_policy.json), and it worked OK: i got confirmation dialog, just like the one on the extensions page in developer mode, clicked "Add extension" and got extension installed.

from crx.