chrome-extensions: fetch pinned versions by default #1529

Merged
brianmcgillion merged 1 commit into tiiuae:main from kajusnau:pinned-chrome-extensions
Nov 4, 2025

@kajusnau kajusnau commented Nov 4, 2025

Description of Changes

  • Default chrome ext fetching source changed to crx4chrome.com for pinned (fixed) versions
  • Added fixedVersion parameter to mkExtension
    defaults to true, but can be overridden to false to use Chrome Web Store as the source instead
  • Added validation to ensure downloaded files contain a valid CRX header (Cr24 or CrX3)

With this change there should be no hash mismatches in the future unless we explicitly update the version of a given extension.
This way we follow the general standard approach of updating nix packages:

  1. Update version number
  2. Regenerate hash
  3. Commit

Downgrading extensions is generally not possible, as chrome will check the update.xml version and update only if the listed version is higher than the already installed extension's version.

  • Forcing a downgrade is possible by wiping the chrome config (for trusted browser this is located on business vm /home/appuser/.config/google-chrome)
    What this essentially means is that our browsers' extensions will never be downgraded unless Ghaf is reinstalled completely, at which point it's just a normal installation rather than a "downgrade" 😃

About crx4chrome.com

Supports downloading extensions either from its own mirror or directly from the Chrome Web Store, with identical file hashes between both sources.
Maintains a long archive of older extension versions, in some cases dating back to 2016–2017, depending on the extension.

Type of Change

  • New Feature
  • Bug Fix
  • Improvement / Refactor

Related Issues / Tickets

Checklist

  • Clear summary in PR description
  • Detailed and meaningful commit message(s)
  • Commits are logically organized and squashed if appropriate
  • Contribution guidelines followed
  • Ghaf documentation updated with the commit - https://tiiuae.github.io/ghaf/
  • Author has run make-checks and it passes
  • All automatic GitHub Action checks pass - see actions
  • Author has added reviewers and removed PR draft status

Testing Instructions

Applicable Targets

  • Orin AGX aarch64
  • Orin NX aarch64
  • Lenovo X1 x86_64
  • Dell Latitude x86_64
  • System 76 x86_64

Installation Method

See description above
TL;DR: Rebuild for extension updates, re-install for downgrades

  • Requires full re-installation
  • Can be updated with nixos-rebuild ... switch
  • Other:

Test Steps To Verify:

As this is a packaging change, testing requires manually fiddling with our chrome extensions package

Scenario 1 - fetch a known older version of an extension

  1. Open packages/chrome-extensions/default.nix and find the session-buddy at line 112
  2. Change the version field to a known older version, say 4.0.3
  3. Start a build and wait for the hash mismatch to occur
  4. Change the hash to the expected hash listed in the previous build error and rebuild
  5. Boot into Ghaf (if rebuilding, wipe business-vm /home/appuser/.config/google-chrome) and launch Trusted Browser
  6. Verify Session Buddy extension version is 4.0.3

Scenario 2 - update the extension (do Scenario 1 first)

  1. Open packages/chrome-extensions/default.nix and find the session-buddy at line 112
  2. Change the version field to a known newer version, say 4.0.5
  3. Start a rebuild and wait for the hash mismatch to occur
  4. Change the hash to the expected hash listed in the previous build error and rebuild
  5. Boot into Ghaf
  6. Verify Session Buddy extension version is updated to 4.0.5 (chrome checks for updates periodically, so it may not be updated immediately)

Alternative

  1. Declare a new extension with an explicitly outdated version in packages/chrome-extensions/default.nix:
    ublock-origin = mkExtension {
      name = "ublock-origin";
      id = "cjpalhdlnbpafiamejdnhcphjbkeiagm";
      hash = "";
      version = "1.65.0";
    };
    
  2. Add the extension in modules/reference/appvms/business.nix
  3. Build, fill in the expected hash from the error, and rebuild
  4. Boot into Ghaf and launch trusted browser, verify the extension is installed
  5. Update the extension in packages/chrome-extensions/default.nix to the latest version:
    ublock-origin = mkExtension {
      ...
      version = "1.67.0";
    };
    
  6. Build, fill in the expected hash from the error, and rebuild
  7. Boot into Ghaf and launch trusted browser, verify the extension version is updated to 1.67.0 (chrome checks for updates periodically, so it may not be updated immediately)

- use crx4chrome to fetch chrome extensions by default
- added a check to verify fetched file contains a crx header

Signed-off-by: Kajus Naujokaitis <kajus.naujokaitis@unikie.com>
brianmcgillion merged commit 54b9efd into tiiuae:main on Nov 4, 2025
28 checks passed
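
The CRX header validation mentioned in the description could look like the following; this is an added example, not the code merged in this PR. It accepts the two magic strings the description names and, as an assumption that goes beyond the description, reads the CRX2/CRX3 length fields to confirm a ZIP archive follows the header. All function names and sample bytes are constructed for illustration.

```python
import struct

ACCEPTED_MAGICS = (b"Cr24", b"CrX3")  # the two magic strings named in the PR description
ZIP_LOCAL_HEADER = b"PK\x03\x04"       # a CRX is a header followed by a ZIP archive


class NotCrxError(ValueError):
    """The fetched bytes do not look like a CRX package."""


def zip_offset(data: bytes) -> int:
    """Return the offset of the embedded ZIP archive, or raise NotCrxError."""
    magic = data[:4]
    if magic not in ACCEPTED_MAGICS:
        # Typical cause: the server answered with an HTML error or landing page.
        raise NotCrxError(f"bad magic {magic!r}")
    if len(data) < 16:
        raise NotCrxError("truncated CRX header")
    # Assumption of this example: both magics use the CRX2/CRX3 little-endian layout.
    version, first_len, second = struct.unpack_from("<III", data, 4)
    if version == 3:
        offset = 12 + first_len            # first_len: size of the signed header
    elif version == 2:
        offset = 16 + first_len + second   # public key length + signature length
    else:
        raise NotCrxError(f"unsupported CRX version {version}")
    if data[offset:offset + 4] != ZIP_LOCAL_HEADER:
        raise NotCrxError("no ZIP archive where the header says it starts")
    return offset


def is_crx(data: bytes) -> bool:
    """Boolean wrapper, convenient as a gate before a hash is recorded."""
    try:
        zip_offset(data)
        return True
    except NotCrxError:
        return False


# Constructed sample inputs (not real extensions).
SAMPLE_CRX3 = b"Cr24" + struct.pack("<II", 3, 8) + b"\x00" * 8 + ZIP_LOCAL_HEADER + b"..."
SAMPLE_CRX2 = b"Cr24" + struct.pack("<III", 2, 4, 2) + b"KKKKSS" + ZIP_LOCAL_HEADER
SAMPLE_HTML = b"<!DOCTYPE html><html><body>404 Not Found</body></html>"
SAMPLE_LYING = b"Cr24" + struct.pack("<II", 3, 4096) + b"\x00" * 8  # length past EOF

if __name__ == "__main__":
    for name in ("SAMPLE_CRX3", "SAMPLE_CRX2", "SAMPLE_HTML", "SAMPLE_LYING"):
        print(name, is_crx(globals()[name]))
```

A check like this matters in the "build, copy the expected hash from the error, rebuild" workflow because the recorded hash pins whatever bytes the server returned. Rejecting non-CRX responses first keeps an error page from being pinned as if it were the extension.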