A demonstration web application showing how to integrate GPG signing functionality into a web page using gpgme-json, similar to Mailvelope's approach.
This demo shows:
- How to list available GPG keys
- How to sign messages using selected keys
- How to verify PGP signatures
- A clean web interface for GPG operations
This demo uses a backend proxy server to communicate with your local gpgme-json installation. The architecture:
- Web Frontend: JavaScript client that makes API calls
- Bun Server: Acts as a proxy between the web page and gpgme-json
- gpgme-json: Native application that interfaces with your local GPG installation
This approach avoids the need for browser extensions while still providing access to your real GPG keys.
# Install dependencies
bun install
# Start the development server
bun run dev
# Open http://localhost:3000 in your browserweb-gpgme/
├── public/
│ ├── index.html # Main demo page
│ └── js/
│ ├── gpgme-client.js # GPGME-JSON client wrapper
│ └── app.js # Application logic
├── src/
│ └── server.ts # Bun web server
└── package.json
- gpgme-client.js: Provides a JavaScript interface to communicate with gpgme-json
- app.js: Implements the UI logic - listing keys, handling user input, and displaying results
- index.html: Simple, clean interface for signing messages
- gpgme-json: Must be installed on your system (usually comes with GPGME)
- GPG: With at least one secret key configured
- Bun: JavaScript runtime (already included in the Nix flake)
The server provides the following API endpoints:
GET /api/version- Get GPGME version informationGET /api/keys?secret_only=true- List available GPG keysPOST /api/sign- Sign a message with a specific keyPOST /api/encrypt- Encrypt a messagePOST /api/decrypt- Decrypt a messagePOST /api/verify- Verify a signature
- Never expose private keys in the browser
- All cryptographic operations should happen in gpgme-json
- Validate all input before passing to GPG
- Use HTTPS in production
- Consider implementing passphrase caching policies