crx2-deprecation

Summary

  • Privately hosted extensions and Chrome Apps that were packaged using a custom script or a version of Chrome prior to Chrome 64.0.3242.0 must be repackaged.

    • If your organization is force-installing privately hosted items packaged in CRX2 format and you don’t repackage them, they’ll stop updating in Chrome 75. Additionally, any new installations of the extension will fail.


Background on Deprecation

  • CRX2 uses SHA1 to secure updates to the extension or app. Because breaking SHA1 is technically possible, an attacker could intercept an extension update and inject arbitrary code into it. CRX3 uses a stronger algorithm, avoiding this risk.

    • For more details on CRX3 please read this Google Doc from the Chromium Product team.

  • Please see the release notes for M68, M69, M70, M71, M72, M73, and M74 if you wish to track the timeline of this change.


Instructions for Repackaging

  • Please see the following article for detailed instructions on how to repackage Chrome apps and extensions into the CRX3 format.

  • If you use an open source library to build extensions, please verify CRX3 support with that vendor. In addition, you can use https://crx-checker.appspot.com to check the version of your extension and let your vendor know.

  • If you are unable to repackage or cannot use the CRX3 format, you can enable the ExtensionAllowInsecureUpdates policy. Note that this is only a temporary workaround; all extensions must move to the CRX3 format!
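
To check package versions locally instead of through the web checker, the following added example (not part of the original page or of Chromium's tooling) reads the CRX container header: every CRX file starts with the magic bytes Cr24 followed by a little-endian 32-bit format version. The function names crx_info and make_sample are hypothetical, and the sample inputs are constructed with placeholder key, signature and header bytes.

```python
import io
import struct
import sys
import zipfile

MAGIC = b"Cr24"  # first four bytes of every CRX file

def crx_info(data: bytes) -> dict:
    """Report the CRX container version and where the ZIP payload starts."""
    if len(data) < 16 or data[:4] != MAGIC:
        raise ValueError("not a CRX file (bad magic or too short)")
    version, = struct.unpack_from("<I", data, 4)
    if version == 2:
        # CRX2: key length, signature length, key, signature, ZIP
        key_len, sig_len = struct.unpack_from("<II", data, 8)
        zip_off = 16 + key_len + sig_len
    elif version == 3:
        # CRX3: protobuf header length, protobuf header, ZIP
        hdr_len, = struct.unpack_from("<I", data, 8)
        zip_off = 12 + hdr_len
    else:
        raise ValueError(f"unknown CRX version {version}")
    # A truncated file or bogus length field will not land on a ZIP signature.
    if data[zip_off:zip_off + 2] != b"PK":
        raise ValueError("header lengths do not lead to a ZIP payload")
    return {"version": version, "zip_offset": zip_off,
            "needs_repackaging": version == 2}

def make_sample(version: int) -> bytes:
    """Constructed test input: a real ZIP behind dummy (unsigned) header bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("manifest.json", '{"name": "sample", "version": "1.0"}')
    if version == 2:
        key, sig = b"K" * 8, b"S" * 8  # placeholders, not a valid key/signature
        head = struct.pack("<II", len(key), len(sig)) + key + sig
    else:
        hdr = b"H" * 10  # placeholder for the CRX3 protobuf header
        head = struct.pack("<I", len(hdr)) + hdr
    return MAGIC + struct.pack("<I", version) + head + buf.getvalue()

if __name__ == "__main__":
    # Check files given on the command line, or the constructed samples.
    blobs = {p: open(p, "rb").read() for p in sys.argv[1:]} or {
        "sample-crx2": make_sample(2), "sample-crx3": make_sample(3)}
    for name, blob in blobs.items():
        try:
            print(name, crx_info(blob))
        except ValueError as err:
            print(name, "error:", err)
```

This only identifies the container version; it does not verify the package signature.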


Future Timeline

  • M76 (July 2019)

    • By default, CRX2 will be disabled and everyone should move to CRX3.

    • As a temporary workaround, ExtensionAllowInsecureUpdates can be used to re-enable CRX2.

  • M78 (October 2019)

    • The ExtensionAllowInsecureUpdates policy will be removed.

    • Chrome will no longer install or update extensions packaged in the CRX2 format.

    • All extensions must be packaged with CRX3 format.
