I'm only going to address 1) and 2) since the rest doesn't seem related to Chrome extensions.
1) Again, anyone who is willing to audit extension code can easily download it.
2) Extensions are auto-updating, so under the proposed solution the git hash would simply update with the new (say, backdoored) code. The fact that the extension is tied to a git commit hash has done nothing to protect you.