Apps are essentially a metadata wrapper around a URL^. The payment authorization is done server-to-server. Thus you could buy an app in Firefox and authorization would still work fine, the UX just won't be as nice.

^ We are also considering supporting fully packaged apps that are completely offline, like Chrome extensions are today -- these won't work in other browsers because they don't understand our package format.

Using bundled packages for offline support is entirely the wrong strategy. The coupling is too tight even before you start trying to use the same format for multiple browsers.

You should just copy Apple and just make it easy to save web pages as local apps, though you might want to explicitly offer with an infobar when there's a manifest available. What they already look for is all you need:

  <html manifest="..."> and window.applicationCache
  <meta name="application-name"> and <meta name="application-url">
  <link rel="icon" sizes="..."> or <link rel="apple-touch-icon">

Here they explain how they do it http://code.google.com/chrome/apps/docs/developers_guide.htm...

The capability model for requesting extra permissions is terrific, but it should have been done using <meta> or <link> tags -- reusing their bundle format for extensions was a terrible idea, especially since they're going to have to implement all the DOM-based stuff anyway.

Will you make the spec for the package format open, so other browsers would be able to implement support for fully packaged apps?

All of chrome is open source and the format is already documented -- other browsers are welcome to implement it, or just take the code if they want.