Should I sign the Chrome Extension or NPAPI plugin?

Question

I am packing a NPAPI plugin into a Chrome extension.
My doubt here should I code-sign the NPAPI plugin or the Chrome extension?

Answer 1

Part of the process of making the package is that the zip file (this is what a crx is) is signed. See http://developer.chrome.com/extensions/crx.html for more details.

This should mean that the download you get from the store can be verified. It does not mean however that once installed that the contents on the disk have not been modified - crx's are unpacked once they are installed and once unpacked the user could manipulate them. So if you are concerned that the NPAPI could be tampered with once installed then you would have to look in to how to do that.