Filter task filesSrc with !**/*.pem

[thom4parisot]

To prevent dramatic failures.

EDIT: title was before Check for *.pem keys existence

[chrisirhc]

This seems to be done over at https://github.com/oncletom/grunt-crx/blob/master/lib/crx.js#L108-L110 . However, I would also prefer the option to run it without any key specified and have it auto-generated.

There's a few ways to do this:

• Generate the private key when it is not available and from then on, use the key.pem (I think this should work well)
• privateKey can be explicitly set to null and it won't try to look for the existence key.pem
• privateKey must be set explicitly in order for it to use the privateKey available

I believe the first option is what jed/crx does by default.

This is very useful when putting up an extension that is open source since you don't want to share the key file in the repository. What do you think?

[thom4parisot]

Oh yes sure I agree.

This issue is more related to check the existence of *.pem files in public source, to prevent shipping them in the packaged archive (the crx).

I haven't dug in the auto-generation stuff: does autoupdate still work even if the extension is packaged with a different *.pem file? An open source extension should/may be shipped in the Chrome Web Store as the package does not need to be signed (the Store does it for us); and it's better for security/genuine verification.

[chrisirhc]

Ah I see, this is the wrong issue to discuss on this then. Heh.

Regarding the autoupdate, the appid in the updates.xml file is tied to the .pem key file. In the ChromeExtension (jed/crx) the appid is generated from the public key which is generated from the .pem private key file.

So as long as the updates.xml file is generated with the same .pem as the .crx file, the auto updates will work.