
I've been telling everyone who will listen[1][2][3] that as an extension developer, I'd love to be able to guarantee through the Chrome App Store that an extension matches a git commit (or auditable build pipeline artifact) exactly.

It wouldn't fix everything (for example, you could still put a payload in an innocent-looking dependency), but it would at least fix the blatant problem that a maintainer can add code when uploading an extension even if the extension itself is open source and therefore (appears to be) auditable.

[1] https://news.ycombinator.com/item?id=23265699
[2] https://news.ycombinator.com/item?id=16881343
[3] https://news.ycombinator.com/item?id=16317686



What's the difference between auditing an extension's code on github vs auditing the code from the Chrome store? It seems like anyone who is willing to do an audit can just as easily download the code directly. Sites like Duo's crxcavator [1] also do exactly that.

[1]: https://crxcavator.io/


(1) Practical. Many people look at git repos. No one audits with crxcavator.

(2) Traceability. git has secure hashes, and things can't change when you're not looking.

My experience is that Google cares deeply about its own security, but not much about the security of its users. This sort of change is reasonable, but completely outside of Google's psyche. Google will

(1) Silently disable Android updates, leaving many running exploitable phones

(2) Hold back security tools for Google Apps without a premium subscription. If your account was compromised, you have no way to do audits to understand what happened without $$$, which leads to many more attackers.

(3) Expires Chromebooks rather quickly. Fortunately, unlike Android, it lets users know, but given the target market, many can't afford to upgrade.

(4) Runs appstores full of malware. When malware is discovered, users have no way to know what it did. They're just notified malware existed.

(5) Doesn't allow any sort of reasonable sandboxing of Android apps. If an app asks for filesystem, maps, and other permissions, you need to agree to run the app. I can't have Android give a dummy location or otherwise

Given that the bulk of Google's business model is built on mass surveillance for advertising, with users-as-statistics, this isn't too surprising, but it's something to be aware of if you use Google.

I firmly believe in civil liability for software companies which ship insecure products. They shouldn't be able to externalize costs like this. Follow good security practices, or your insurance premiums go up.
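Added example (an editorial addition, not part of any comment above and not a feature of the Chrome Web Store): the check that the first commenter's proposal and the "git has secure hashes" point both imply. It recomputes git's own content-addressed blob and tree hashes over an unpacked extension's files, so a published package can be compared against the tree hash recorded in a git commit without needing a checkout, and it lists which files drifted when the comparison fails. The git object format is real; the extension files, the pinned hash and the "injected at upload" line are constructed sample data.

```python
import hashlib
from typing import Dict, List

# Git object hashing, reimplemented so the check runs without a git binary or checkout.
# blob = sha1("blob <size>\0" + content)
# tree = sha1("tree <size>\0" + entries), each entry "<mode> <name>\0" + raw 20-byte child SHA-1


def git_blob_hash(data: bytes) -> bytes:
    return hashlib.sha1(b"blob %d\0" % len(data) + data).digest()


def git_tree_hash(files: Dict[str, bytes]) -> bytes:
    """files maps '/'-separated relative paths to contents, like an unpacked .crx."""
    entries = []  # (sort key, mode, name, sha)
    subtrees: Dict[str, Dict[str, bytes]] = {}
    for path, data in files.items():
        head, sep, tail = path.partition("/")
        if sep:
            subtrees.setdefault(head, {})[tail] = data
        else:
            entries.append((head, b"100644", head, git_blob_hash(data)))
    for name, sub in subtrees.items():
        # git sorts a directory entry as if its name carried a trailing '/'
        entries.append((name + "/", b"40000", name, git_tree_hash(sub)))
    entries.sort(key=lambda e: e[0])
    body = b"".join(mode + b" " + name.encode() + b"\0" + sha for _, mode, name, sha in entries)
    return hashlib.sha1(b"tree %d\0" % len(body) + body).digest()


def verify_package(files: Dict[str, bytes], expected_tree_hex: str) -> bool:
    """True when the unpacked package hashes to the tree pinned in the commit."""
    return git_tree_hash(files).hex() == expected_tree_hex


def drift_report(repo_files: Dict[str, bytes], store_files: Dict[str, bytes]) -> List[str]:
    """Which paths differ between the audited repo tree and the published package."""
    report = []
    for path in sorted(set(repo_files) | set(store_files)):
        if path not in repo_files:
            report.append(f"added in store: {path}")
        elif path not in store_files:
            report.append(f"missing from store: {path}")
        elif git_blob_hash(repo_files[path]) != git_blob_hash(store_files[path]):
            report.append(f"modified: {path}")
    return report


# Constructed sample: the repo tree at the tagged commit vs. what was actually uploaded.
REPO_FILES = {
    "manifest.json": b'{"name": "demo", "version": "1.0", "manifest_version": 3}\n',
    "src/background.js": b"chrome.runtime.onInstalled.addListener(() => {});\n",
}
STORE_FILES = dict(REPO_FILES)
# Hypothetical: a line present in the uploaded package but absent from the repository.
STORE_FILES["src/background.js"] += b"// injected at upload time, not in the repo\n"

if __name__ == "__main__":
    pinned = git_tree_hash(REPO_FILES).hex()  # what the store listing would pin
    print("pinned tree:", pinned)
    print("store package matches pin:", verify_package(STORE_FILES, pinned))
    for line in drift_report(REPO_FILES, STORE_FILES):
        print(line)
```

Because the tree hash is what a commit object points at, `git rev-parse HEAD^{tree}` on the repository yields the value to pin, and a mismatch on the published package is a concrete, reproducible signal rather than a reviewer's impression. The auto-update objection raised later in the thread still stands: the pin only helps if each new version's pin is compared against a commit people have actually looked at.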


I'm only going to address 1) and 2) since the rest doesn't seem related to Chrome extensions.

1) Again, anyone who is willing to audit extension code can easily download it.

2) Extensions are auto-updating, so under the proposed solution the git hash would simply update with the new (say, backdoored) code. The fact that the extension is tied to a git commit hash has done nothing to protect you.


If an extension is open source, there are usually already some eyes on the GitHub codebase. If an extension version is pinned to a git hash, all those eyes could potentially spot that something is amiss.

