Published: May 7, 2025
Starting May 7th, 2025, you can opt in to requiring future uploads to the Chrome Web Store to be signed with a trusted private key. Doing so can help ensure only you can upload new releases, even if your account or publishing workflow is compromised.
How signing works without the private key
All extensions in the Chrome Web Store are signed by Google. However, this key is managed by the Chrome Web Store and the signing happens automatically when a new package is uploaded. This means anyone with access to your Developer Dashboard can upload a package for signing and publication.
What's changing?
You can now opt in to provide the Chrome Web Store with an RSA public key to use to verify future uploads. Any uploads not signed with the matching private key will be rejected, providing an additional layer of security.
If an upload passes this verification, it will be automatically repackaged with the existing private key before publication. This ensures the extension keeps the same ID and means it will be signed with a key trusted by Chrome.
If you don't opt in, your uploads will continue to be signed by Google.
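A simplified model of this upload gate, added here as an illustration and not taken from the Chrome Web Store: the function names, the 2048-bit key size and the detached SHA-256 signature are assumptions, and the real package format is not reproduced. It shows which uploads pass once a public key is registered.

```javascript
// Added illustration: a simplified model of the verified-upload gate.
// Not the CRX format or Chrome Web Store code; all names are hypothetical.
const crypto = require('node:crypto');

// Developer side: RSA key pair (2048 bits is an assumption, see the docs).
function generateKeyPair() {
  return crypto.generateKeyPairSync('rsa', {
    modulusLength: 2048,
    publicKeyEncoding: { type: 'spki', format: 'pem' },
    privateKeyEncoding: { type: 'pkcs8', format: 'pem' },
  });
}

// Developer side: sign the package bytes; the private key never reaches the store.
function signPackage(packageBytes, privateKeyPem) {
  return crypto.sign('sha256', packageBytes, privateKeyPem);
}

// Store side: decide an upload; registeredPublicKeyPem is null if not opted in.
function reviewUpload(registeredPublicKeyPem, upload) {
  if (!registeredPublicKeyPem) {
    return { accepted: true, reason: 'not opted in: signed by the store as before' };
  }
  if (!upload.signature) {
    return { accepted: false, reason: 'opted in: upload carries no signature' };
  }
  const valid = crypto.verify('sha256', upload.packageBytes,
                              registeredPublicKeyPem, upload.signature);
  return valid
    ? { accepted: true, reason: 'verified: repackaged with the existing store key' }
    : { accepted: false, reason: 'signature does not match the registered key' };
}

// Constructed sample uploads covering each outcome.
function demo() {
  const developer = generateKeyPair();
  const otherParty = generateKeyPair(); // dashboard access, but not the developer's key
  const release = Buffer.from('constructed package bytes, release 1.2.0');
  const altered = Buffer.from('constructed package bytes, release 1.2.0, altered');
  const releaseSig = signPackage(release, developer.privateKey);
  return {
    legitimate: reviewUpload(developer.publicKey, { packageBytes: release, signature: releaseSig }),
    otherKey: reviewUpload(developer.publicKey,
      { packageBytes: altered, signature: signPackage(altered, otherParty.privateKey) }),
    reusedSignature: reviewUpload(developer.publicKey, { packageBytes: altered, signature: releaseSig }),
    unsigned: reviewUpload(developer.publicKey, { packageBytes: altered }),
    notOptedIn: reviewUpload(null, { packageBytes: altered }),
  };
}
```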
How to opt in
In the Developer Dashboard, navigate to the Package tab for your item and click the Opt in button. You'll be prompted to provide a public key.

Learn more about how to generate and store a supported key in the Chrome Web Store documentation.
More information
For more information, see our updated documentation. Questions can be posted to the chromium-extensions mailing list.