OSS Chrome Extension - Should I check-in pem file?
I am working on an open source Chrome extension. Should I check in the .pem file to the public repo?
If you are willing to post your app in the Google Chrome Extension Gallery, you don't need a private key or to sign your extension. You just zip your extension folder and upload it there.
Otherwise, if you are planning to host (see external extensions for more details) or distribute it by sharing the packed extension, you will need a private key (.pem). The main purpose is to legitimize the origin of the extension. If someone tries to install your application signed with another key, it would not be recognized as yours.
In that case, I'd not recommend checking in the .pem file, because if your account gets compromised, an attacker can upload or distribute a tampered version of your extension (maybe with malicious code). By doing that, you are not closing the source of your extension by any means. You are only ensuring that you are in complete control of what gets published (and that your reputation as a publisher of extensions is left intact).
A possible problem occurs when you want to create an extension with a public API for other extensions to use. Since Chrome's messaging API uses the id of the extension to route the message to the destination, and the id is based on the key of the extension, other people won't be able to create derivative extensions that are compatible.
I think Google's engineers simply didn't consider the possibility that people might want to write open source extensions. I have notified Google of the issue, but for the moment http://code.google.com/chrome/extensions/packaging.html doesn't seem to contain any extra guidance.
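The way Chrome ties an extension's id to its key, shown as an added example that is not code from the question or either answer: the id is the first 128 bits of the SHA-256 of the DER-encoded public key (the same bytes that appear base64-encoded in a manifest's "key" field), written in hex and re-mapped from 0-9a-f to a-p. The script below computes that id from a manifest and checks whether a fork built with a different key keeps the same identity. The two manifests and their key bytes are constructed placeholders for the hashing; Chrome itself requires a real RSA SubjectPublicKeyInfo there.

```python
import base64
import hashlib
import json
from typing import Optional

# Chrome derives a 32-character extension id from the SHA-256 of the
# DER-encoded SubjectPublicKeyInfo of the packing key: the first 128 bits
# of the digest, as hex, are translated 0-9a-f -> a-p.
_HEX_TO_ID_ALPHABET = str.maketrans("0123456789abcdef", "abcdefghijklmnop")


def hex_to_id_alphabet(hex_digest: str) -> str:
    """Translate hex digits into the a-p alphabet Chrome uses for ids."""
    return hex_digest.lower().translate(_HEX_TO_ID_ALPHABET)


def extension_id_from_der(spki_der: bytes) -> str:
    """Compute the extension id for a DER-encoded public key."""
    digest = hashlib.sha256(spki_der).hexdigest()
    return hex_to_id_alphabet(digest[:32])


def extension_id_from_manifest(manifest: dict) -> Optional[str]:
    """Return the id fixed by the manifest's "key" field, or None if absent.

    The "key" value is the base64 of the DER SubjectPublicKeyInfo, i.e. the
    public half of the .pem; holding it lets anyone compute the id, but
    producing a package Chrome accepts under that id still needs the private key.
    """
    key_b64 = manifest.get("key")
    if not key_b64:
        return None
    return extension_id_from_der(base64.b64decode(key_b64))


def same_identity(manifest_a: dict, manifest_b: dict) -> bool:
    """True only if both manifests resolve to the same extension id."""
    id_a = extension_id_from_manifest(manifest_a)
    id_b = extension_id_from_manifest(manifest_b)
    return id_a is not None and id_a == id_b


# Constructed sample inputs (not real RSA keys): the original project's
# manifest and a fork repackaged with a key of the forker's own.
_ORIGINAL_KEY = b"constructed-placeholder-for-the-upstream-public-key-der"
_FORK_KEY = b"constructed-placeholder-for-the-forkers-public-key-der"

ORIGINAL_MANIFEST = json.loads(json.dumps({
    "name": "Example OSS Extension",
    "version": "1.0",
    "key": base64.b64encode(_ORIGINAL_KEY).decode("ascii"),
}))
FORK_MANIFEST = json.loads(json.dumps({
    "name": "Example OSS Extension (fork)",
    "version": "1.0",
    "key": base64.b64encode(_FORK_KEY).decode("ascii"),
}))


def main() -> None:
    for label, manifest in (("upstream", ORIGINAL_MANIFEST), ("fork", FORK_MANIFEST)):
        print(f"{label:8s} id = {extension_id_from_manifest(manifest)}")
    # Messages routed by id to the upstream extension will not reach the fork.
    print("fork keeps upstream identity:", same_identity(ORIGINAL_MANIFEST, FORK_MANIFEST))


if __name__ == "__main__":
    main()
```

Against a real key, the same value can be cross-checked from the shell with `openssl rsa -in key.pem -pubout -outform DER | sha256sum | head -c 32 | tr 0-9a-f a-p`. Note that only the public half of the .pem ever needs to leave the developer's machine: committing the public "key" field to the repo keeps the id stable for everyone building from source, while the private key stays out of version control.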