gpgme-json chromium/firefox packaging

Daniel Kahn Gillmor dkg at
Fri Jul 12 04:45:32 CEST 2019

Hi Maximilian--

On Wed 2019-07-10 10:12:37 +0200, Maximilian Krambach wrote:
> I have been tasked to prepare "debian packages" for the gpgme-json browser 
> integration, to ease installation of native messaging between gnupg and browser 
> extensions.

great, thanks for working on this!  I assume you're aware of (in cc as well).  That's the best place
to talk about the debian packaging for this stuff.

> I'm working on a patch for, as I think this is 
> probably the best place for it.

Sounds reasonable to me.

> Basically, the two packages (chromium-gpgme and firefox-gpgme) just need to 
> ensure that the gpgme-json binary ships, and that a configuration file is 
> present at paths the browsers like.
> My question:
> Is it okay and maintainable to add "approved" extension ids (in this case, 
> mailvelope) to these configuration files?
> In the end, it is an authorization between the extension(s) and the browser 
> (based on ids assigned by the browser publisher).
> gpgme-json itself does not care who communicates with them (as long as it stays 
> the same actor). Still, I have the feelings that some link between worlds is 
> created that may not be desired.

This is an excellent question, and one that i did not figure out the
answer to when i was briefly researching the situation.

I wonder whether it makes more sense (and whether it's possible) to ship
the gpgme-json binary and wrapper files in one package, without any
"approved" extension IDs.  And then in the extension-specific package
(e.g. the "mailvelope" package), include the approved extension IDs.
Does that even make sense?  I don't remember the exact layouts expected.

Thanks for stepping up to do this work!

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 227 bytes
Desc: not available
URL: <>

More information about the Gnupg-devel mailing list