Signing rubygems - Pasteable instructions Pro's/Con's

Using gem install project-name -P HighSecurity to only install signed gems can prevent gem tampering, it is easy to set up, but very hard to enforce since you must manually trust each of the gem authors public keys.

Ideally we need something like “trusted gem certs” which would be a default list maintained on rubygems.org and built into the gem install command.

Setup a self-signed cert

Initial

cd ~/.ssh
gem cert --build your@email.com
chmod 600 gem-p*
mv gem-private_key{,_YOUR-NAME}.pem

Repeat once per gem you own

cd gem-folder
cp ~/.ssh/gem-public_cert.pem .

add to your gemspec:

  ...
  cert = File.expand_path("~/.ssh/gem-private_key_YOUR-NAME.pem")
  if File.exist?(cert)
    s.signing_key = cert
    s.cert_chain = ["gem-public_cert.pem"]
  end
  ...

the YOUR-NAME part makes sure that other people with certs in their home folder do not run into signing errors when using as github dependency.

Installing local certs

gem build project-name.gemspec
gem install project-name-0.1.0.gem -P HighSecurity # Hurray it fails!

gem cert --add gem-public_cert.pem
gem install project-name-0.1.0.gem -P HighSecurity # Hurray it works!

Installing remote certs

curl https://raw.github.com/grosser/parallel/master/gem-public_cert.pem > cert
gem cert --add cert
rm cert

comments powered by Disqus