
fix: create private key file outside extension directory by default #104

ahwayakchih (Collaborator)
BREAKING CHANGE: if no `--private-key` is passed, the module will look for `extension/../key.pem` instead of `extension/key.pem`. It should discourage the risky behavior of keeping the private key file inside the extension's directory (the one that is ZIPped and packed into the CRX file).

fixes: #101

@arkon arkon (Collaborator) left a comment

I'm not really a fan of how the behaviour differs between the CLI and regular Node module, but I guess that can be addressed later as part of something like #61.

ahwayakchih commented Apr 7, 2019

@arkon I guess it can, but I'm not a fan of separating pack and sign because... I'll write my reasons there :). #61 (comment)

@ahwayakchih ahwayakchih merged commit d54145f into thom4parisot:master Apr 10, 2019
@ahwayakchih ahwayakchih deleted the fix-101-create-pem-outside-directory branch April 10, 2019 16:05
ahwayakchih added a commit to ahwayakchih/crx that referenced this pull request Apr 17, 2019
BREAKING CHANGE introduced by thom4parisot#104
@thom4parisot (Owner)

In the future, the private key could become mandatory by making it explicit, and by reporting an error if it's contained in the paths.

At the moment, they are silently ignored during the packing operation:

https://github.com/oncletom/crx/blob/4135ebf8f3768b26de00e5f03563c43d90fa4da0/src/index.js#L160

@ahwayakchih (Collaborator, Author)

@oncletom Yes, but it's up to the dependency to actually ignore those files. It takes just one bug, which we can't even quickly fix, and private keys become very public. Of course the same can be said about the code we control, but now it takes two bugs instead of one for private keys to become public ;).

Successfully merging this pull request may close these issues.

Do not write PEM inside extension's directory