plasmo

How to Create a Consistent ID for Your Chrome Extension

Quickstart and a Deep Dive Into the World of Chrome Extension Ids and Ensure Your Extension Has a Consistent One

Stefan Aleksic
Stefan AleksicOctober 12, 2022
cover image for blog

If you're a Chrome extension developer needing to interface with an API expecting a consistent URL, you've likely run into the issue of non-consistent Chrome IDs.

If all you want to do is generate a consistent ID and don't want to know more about the details, you can completely ignore this entire blog post and take these steps:

  1. Go to Plasmo Itero's Generate Keypairs tool
  2. Click Generate KeyPairs
  3. Copy the private key and either discard it or keep it safe.
  4. Take the public key and put it in your manifest.json file in the key field
    1. If you are using the Plasmo framework, store the CRX_ID in an environment variable, then reference it inside the manifest override instead!
  5. Load your extension in Chrome to get its CRX ID

What is a Chrome Extension ID?

Let's have a precise definition and unpack this as we go

A Chrome Extension ID is the first 32 characters of the SHA256 hash of a public key, where characters 0-9a-f are translated to their respective a-p counterparts.

Whew. Okay, let's dig into that!

What is a public key?

First things first, what is a public key? Well, it's a concept from a type of cryptography known as Public Key or Asymmetric Cryptography. For more information about public key cryptography, check out this great YouTube video from Computerphile discussing it.

So how does this relate to Chrome Extensions?

You have a Chrome Extension that you want to send to a friend, but your friend wants to ensure that nobody has tampered with it. How would you send it?

The Chrome team uses digital signatures to accomplish that task. So whenever you package a CRX file, a little header gets added that says "if you hash all the contents in this extension, you'll get this number: XYZ. And you can trust this message because the only person who can create this kind of message is the person with a certain private key tied to this extension's public key."

Since your public key is readily available, skeptics can test the authenticity of the message using your public key and inspect the contents to make sure the hashed values match. Chrome does this every time you load an extension!

Now that we understand how public keys play a role here, let's talk about where they're stored. Public keys are associated with extensions via the "key" field in the manifest.json. There, they are Base64 encoded strings.

Chrome Extension SHA256 Hashing

If it finds the public key in the key field of the manifest.json, it'll decode the Base64 into binary and then get its SHA256 hash. It'll trim the hash to get the first 32 characters of it.

If Chrome doesn't find a key field there, it'll generate a unique ID by looking at the file path of the unpacked extension.

Why does Chrome translate the SHA256 hash?

Now that Chrome has a 32-character SHA256 hash, it needs to do something special. It needs to translate all the characters to avoid numbers. SHA256 hashes are represented as hex, so the alphabet is 0-9 and a-f.

So Chrome will shift the characters to make 0 -> a, 1 -> b, all the way to f -> p. According to a comment in the open-source Chromium code, "We use the characters 'a'-'p' instead of '0'-'f' to avoid ever having a completely numeric host, since some software interprets that as an IP address."

The Chromium team did this so that certain software wouldn't perceive it as an IP address on the off-chance that a generated SHA256 hash only had numbers.

How To Generate Your Own Extension ID

Generating a Key Pair

The first step is to generate a key pair. We've built a tool to make that as easy as possible. All the code is run client-side, and nothing is ever sent to the server.

To get started, head over to the Itero KeyPair Generator tool.

  1. Click on Generate KeyPairs to have Plasmo's Itero tool automatically generate KeyPairs.
  2. Take the private key and either discard it or store it somewhere safe. You will not need it when it comes to local development.
  3. Take the public key and add it to your extension's manifest.json file like so:
1...
2"key": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsl7qpyCM71FIhlBGBdHP8ZK27hfCQUGgguXMlHT+bjUP3ih0xf3VF4NL6AcAFuNdc8vcTbd0AlE/ZvU9GWP0ExIFN6mgFC8DOgDHO+IFtKhNSX064liSlT1MIKXmCtP1d6LZDclMKF/3so5q0EArww/w0iClEBtOCsL0qWBvXxoWukrEQS3VO+THxfZLEHrIqyzd0z/Ep7qyiM24f6HN+F01OlHSaGy6fUNcf+hSGeIqvkwFpE5l0fVQPoeMEuiLDWLd3JRnRl5m0roZf3jLyUSPynqLPfNWrK/i09zr/a37ObS3J+3tfZYcs4kF1bls41MuiLx8Wps7kXScbeEexwIDAQAB",
3...

We recommend storing this key in an environment variable instead if you are using the Plasmo framework:

  • Add an .env file with CRX_KEY=<key-value>
  • Reference the key in your manifest override:
1"key": "$CRX_KEY"

When you load your extension in Chrome, you should see a new ID. This ID will stay the same no matter what you do with your extension as long as you have that key value in your manifest.json file.

How the Chrome Web Store uses Keys

When you upload to the Chrome Web Store, the store uses its private key to sign your extension and generate an ID. Your ID will differ after downloading your released extension on the web store.

Chrome uses the signature to ensure you can only install extensions from their approved web store. However, if you'd like a web store for your company, building and deploying extensions to your internal testers without going through Chrome, check out Plasmo Itero TestBed - the only staging environment for Browser Extension.

Back to Blog


Thanks for reading! We're Plasmo, a company on a mission to improve browser extension development for everyone. If you're a company looking to level up your browser extension, reach out, or sign up for Itero to get started.