Bug#911189: src:gpgme1.0: please ship gpgme-json with native messaging hooks for chromium and firefox

classic Classic list List threaded Threaded
4 messages Options
Reply | Threaded
Open this post in threaded view
|

Bug#911189: src:gpgme1.0: please ship gpgme-json with native messaging hooks for chromium and firefox

Daniel Kahn Gillmor-3
Package: src:gpgme1.0
Version: 1.12.0-1
Severity: wishlist

as of gpgme 1.12.0-1, GPGME ships a javascript binding that works with
so-called "Native Messaging" in both chrome and firefox.

we should ship this as a separate binary package, along with the
appropriate extension manifests.

for more details, see lang/js/README in the GPGME sources, and the
following web references:

  Firefox:
    https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/Native_messaging
    https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/Native_manifests

  Chrome:
    https://developer.chrome.com/extensions/nativeMessaging

I plan to work on this, but if anyone wants to send patches before i
get to it, i'd be happy to get them too :)

at the moment, i assume that we just would disallow access to any
extensions, until some extension shows up that wants to use it.

We probably also need to build gpgme.js, which will require working
with node.

i don't know how we'll get the test suites to run cleanly yet either.

    --dkg

-- System Information:
Debian Release: buster/sid
  APT prefers testing-debug
  APT policy: (500, 'testing-debug'), (500, 'testing'), (200, 'unstable-debug'), (200, 'unstable'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.18.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Reply | Threaded
Open this post in threaded view
|

Bug#911189: src:gpgme1.0: please ship gpgme-json with native messaging hooks for chromium and firefox

Dr. Oliver Muth-2
Package: libgpgme11
Version: 1.12.0-4~bpo9+1
Followup-For: Bug #911189

Dear Maintainer,

the Firefox and Chrome extension Mailvelope needs gpgme-json.
The extension provides GPG encryption/decryption via webmail.



-- System Information:
Debian Release: 9.6
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.18.0-0.bpo.1-amd64 (SMP w/3 CPU cores)
Locale: LANG=de_DE.utf8, LC_CTYPE=de_DE.utf8 (charmap=UTF-8), LANGUAGE=de_DE:de (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages libgpgme11 depends on:
ii  gnupg          2.2.12-1~bpo9+1
ii  gpg            2.2.12-1~bpo9+1
ii  libassuan0     2.5.2-1~bpo9+1
ii  libc6          2.24-11+deb9u3
ii  libgpg-error0  1.26-2

Versions of packages libgpgme11 recommends:
ii  dirmngr         2.2.12-1~bpo9+1
ii  gpg-agent       2.2.12-1~bpo9+1
ii  gpg-wks-client  2.2.12-1~bpo9+1
ii  gpgsm           2.2.12-1~bpo9+1

libgpgme11 suggests no packages.

-- no debconf information

Reply | Threaded
Open this post in threaded view
|

Bug#911189: gpgme-json chromium/firefox packaging

Daniel Kahn Gillmor-3
In reply to this post by Daniel Kahn Gillmor-3
Hi Maximilian--

On Wed 2019-07-10 10:12:37 +0200, Maximilian Krambach wrote:
> I have been tasked to prepare "debian packages" for the gpgme-json browser
> integration, to ease installation of native messaging between gnupg and browser
> extensions.

great, thanks for working on this!  I assume you're aware of
https://bugs.debian.org/911189 (in cc as well).  That's the best place
to talk about the debian packaging for this stuff.

> I'm working on a patch for salsa.debian.org/debian/gpgme/, as I think this is
> probably the best place for it.

Sounds reasonable to me.

> Basically, the two packages (chromium-gpgme and firefox-gpgme) just need to
> ensure that the gpgme-json binary ships, and that a configuration file is
> present at paths the browsers like.
>
> My question:
> Is it okay and maintainable to add "approved" extension ids (in this case,
> mailvelope) to these configuration files?
>
> In the end, it is an authorization between the extension(s) and the browser
> (based on ids assigned by the browser publisher).
> gpgme-json itself does not care who communicates with them (as long as it stays
> the same actor). Still, I have the feelings that some link between worlds is
> created that may not be desired.
This is an excellent question, and one that i did not figure out the
answer to when i was briefly researching the situation.

I wonder whether it makes more sense (and whether it's possible) to ship
the gpgme-json binary and wrapper files in one package, without any
"approved" extension IDs.  And then in the extension-specific package
(e.g. the "mailvelope" package), include the approved extension IDs.
Does that even make sense?  I don't remember the exact layouts expected.

Thanks for stepping up to do this work!

     --dkg

signature.asc (233 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Bug#911189: gpgme-json packaging

Teemu Ikonen-2
In reply to this post by Daniel Kahn Gillmor-3
Has there been any progress with this bug?

gpgme-json is already built in the Debian sources, so adding it to a
(possibly separate) binary package should not be a big problem. Are
there tests failing or missing?

Best,
Teemu