Installing Chrome Natively

I have the need to install Chrome via rpm-ostree (in my use-case, a flatpak install isn’t an option).

Has anyone been able to install the native version, as even adding the .repo and building has not worked successfully for me (even ensuring the dependencies were pre-installed).

If so, please give the method (Containerfile, etc) used.

Thank you!

What error do you get when trying the repo file?

I can’t speak for @arenas93 , but I have been hacking at this for a little while.

When I fix the existing google-chrome.repo in the silverblue image and add google-chrome-stable to the list of packages to add, I get this error:

Installing 2 packages:
  google-chrome-stable-124.0.6367.91-1.x86_64 (google-chrome)
  liberation-fonts-1:2.1.5-9.fc40.noarch (fedora)
error: package google-chrome-stable-124.0.6367.91-1.x86_64 cannot be verified and repo google-chrome is GPG enabled: /var/cache/rpm-ostree/repomd/google-chrome-40-x86_64/packages/google-chrome-stable-124.0.6367.91-1.x86_64.rpm could not be verified.
/var/cache/rpm-ostree/repomd/google-chrome-40-x86_64/packages/google-chrome-stable-124.0.6367.91-1.x86_64.rpm:  digest:  SIGNATURE:  NOT OK

Hmm. That smells like that RPM bug I find when I google “Install Chrome in Silverblue”. So let’s try the workaround, since we’re in a container and can do that! Run this script before rpm-ostree does:

# First, delete all old keys; see
GOOGLE_PUBKEYS_RPMS=$(rpm -qa gpg-pubkey* --qf '%{NAME}-%{VERSION}-%{RELEASE} %{PACKAGER}\n' | grep '' | sed 's/ .*$//' | xargs rpm -e)
if [ -n $GOOGLE_PUBKEYS_RPMS ]; then
    echo "Removing pakcages $GOOGLE_PUBKEYS_RPMS"
echo "Downloading Google Signing Key"
curl > /tmp/

rpm --import /tmp/

Here’s what rpm-ostree says:

Installing: google-chrome-stable
Enabled rpm-md repositories: code google-chrome rpmfusion-free-updates-testing rpmfusion-free-updates rpmfusion-free rpmfusion-nonfree-updates-testing rpmfusion-nonfree-updates rpmfusion-nonfree fedora-cisco-openh264 fedora updates updates-archive
Importing rpm-md...done
rpm-md repo 'code' (cached); generated: 2024-04-26T03:16:40Z solvables: 413
rpm-md repo 'google-chrome' (cached); generated: 2024-04-26T17:08:26Z solvables: 3
rpm-md repo '' (cached); generated: 2024-04-26T05:31:03Z solvables: 216
rpm-md repo 'rpmfusion-free-updates-testing' (cached); generated: 2024-04-26T21:26:11Z solvables: 9
rpm-md repo 'rpmfusion-free-updates' (cached); generated: 2024-04-26T21:25:38Z solvables: 18
rpm-md repo 'rpmfusion-free' (cached); generated: 2024-04-20T12:11:51Z solvables: 422
rpm-md repo 'rpmfusion-nonfree-updates-testing' (cached); generated: 2024-04-26T21:49:48Z solvables: 21
rpm-md repo 'rpmfusion-nonfree-updates' (cached); generated: 2024-04-26T21:48:35Z solvables: 54
rpm-md repo 'rpmfusion-nonfree' (cached); generated: 2024-04-20T12:18:23Z solvables: 194
rpm-md repo 'fedora-cisco-openh264' (cached); generated: 2023-12-11T14:43:50Z solvables: 4
rpm-md repo 'fedora' (cached); generated: 2024-04-14T18:51:11Z solvables: 74881
rpm-md repo 'updates' (cached); generated: 2024-04-27T02:05:39Z solvables: 8161
rpm-md repo 'updates-archive' (cached); generated: 2023-10-06T17:04:49Z solvables: 0
Resolving dependencies...done
Installing 2 packages:
  google-chrome-stable-124.0.6367.91-1.x86_64 (google-chrome)
  liberation-fonts-1:2.1.5-9.fc40.noarch (fedora)
Installing: liberation-fonts-1:2.1.5-9.fc40.noarch (fedora)
Installing: google-chrome-stable-124.0.6367.91-1.x86_64 (google-chrome)
error: Error -1 running transaction

No signature problems, but …
Not sure what the -1 means, but I suppose I can look up the code when I get the time.

In the meantime, I do know that layering the RPM you download from Google’s website works. But IIRC updates don’t work. (At least that’s what I found in searching the Silverblue forums.) And I’m pretty sure it doesn’t check the signature.

As a (very ugly) workaround I’ve added a script to my custom build that downloads, verifies, and saves the very latest Chrome package from Google in the image, so you can layer it manually at runtime. I’m currently working on adding some automation that will automatically run rpm-ostree install to re-layer the package when it detects there’s a new version downloaded. It’s really inconvenient (two reboots required to get the latest Chrome), and I haven’t tested it with a Real Live Chrome Update yet, but it’s the only way I’ve gotten a native Chrome install to work.

Sorry for the late reply. I ended up just using Chromium and Firefox natively in order to be able to use the COPR of web-apps (a port from Linux Mint), since I have some use cases for PWAs.

I successfully installed regular Chrome via ostree.

Yes, installing Chrome by layering the downloaded RPM at runtime works. But you won’t get automatic updates without doing an uninstall-reinstall dance (sorry, can’t find the Fedora forum post that shows this at the moment).

After I did that, rpm-ostree upgrade failed when when there was a Chrome update, because it failed to install the updated RPM from the Chrome yum repo. I’ve observed that rpm-ostree will happily install directly from an RPM on disk, but for some reason it can’t handle an RPM it downloads from the repo.

@chicagonyc, are you getting automatic updates from Chrome? There was an update last week (to 124.0.6367.118 from 124.0.6367.91). Although the workaround I’ve baked in to my custom images are updating Chrome automatically now, I’d be happy to get rid of it if there’s a better way.

FWIW, I’m now able to install the Chrome RPM out of the Google repository on my custom images. The trick was to make sure that a there was a symlink to /usr/lib/opt/google in /opt at container build time, and there is, at least for now, a trick in the Bluebuild scripts that takes care of this nicely.

I successfully installed google-chrome-stable by removing gpgcheck

  1. nano /etc/yum.repos.d/google-chrome.repo
  2. Set gpgcheck to 0 (gpgcheck=0)
  3. Save (^X + Y + Enter)
  4. Replace local layer with repo layer: rpm-ostree uninstall google-chrome-stable && rpm-ostree install google-chrome-stable

I know this is not the best option, but it worked.
I don’t know if I will receive updates too, but I think I will;
It will just not check for the gpg key, which is a bad practice.

If someone know how I can restore the gpg key check, I will appreciate any help

I don’t think there is, unless you go through the trouble to make a custom image, and do all of the installation at build time. I’ve made updating work for me by manually importing the GPG keys and then doing rpm-ostree install with the yum repo enabled. If I don’t import the keys ahead of time, Chrome won’t install due to signature failures (see above).

Unfortunately, the reason I have to do that at container build time is because you can’t install the keys while the system is running.


Could you write a one-run script or a step-by-step tutorial on how to make the update work automatically (rpm-ostree)

Do the keys change every updates, or would it be possible to copy-paste them somewhere to make the installation and update work?

The short answer is I make updates work automatically by installing Chrome when I build my custom image (based on ublue/main and/or Bluefin). So it’s not an update in the usual sense. I just re-install it on a fresh container image instead of layering and having rpm-ostree handle the updates during rpm-ostree upgrade.

There seems to be an issue with the way Google signs its RPM packages that causes failures on updating. You can work around it by removing and re-importing the Google GPG keys. (I’m not sure why it works, but it does.) Unfortunately, you can’t do that on an atomic desktop with rpm-ostree, hence the need to build a custom image.

I have a script that can be called in a Containerfile or as part of a BlueBuild recipe that imports the key and enables the Google Chrome repo that already exists (!) in Silverblue. That allows me to include google-chrome-stable in the list of packages that I add to my image with rpm-ostree.

1 Like

This topic was automatically closed 12 hours after the last reply. New replies are no longer allowed.