make verify command work in bundler#50
force-pushed from dcfc548 to d7ac873
| class Gem::Commands::InstallCommand | ||
| alias_method :original_execute, :execute | ||
| def execute |
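Review bot: reopening Gem::Commands::InstallCommand with `alias_method :original_execute, :execute` is not safe to load twice. If this plugin file is required a second time, the new `alias_method` rebinds `original_execute` to the already-patched `execute`, and the first call into `execute` then recurses until the stack overflows. If the override stays, guard it with `unless method_defined?(:original_execute)`. The `Gem.pre_install` hook suggested in the review sidesteps this, since hooks are appended to a list rather than rebound, and hooks registered that way also run when Bundler installs a gem through Gem::Installer, whereas InstallCommand#execute is never called from bundle install.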
Any particular reason why we're not leveraging the pre_install hook for plugins? I would only reopen the command class and redefine its entry method if necessary.
I changed it here so I had fewer things to check when I tested the gem. I didn't intend for this change to be permanent.
| @@ -0,0 +1,29 @@ | |||
| class Gem::SecurityPolicy | |||
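Review bot: besides being broad, the name Gem::SecurityPolicy is easy to confuse with RubyGems' built-in Gem::Security::Policy, the class behind the HighSecurity/MediumSecurity/LowSecurity settings of the legacy certificate-based gem signing selected with `gem install -P`. A distinct name such as SigningPolicy, as suggested in the review, makes clear which mechanism is being configured and keeps the two from being read as the same thing in error messages and docs.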
Security policy sounds very broad. How about we start with Signing Policy?
force-pushed from 8950d32 to 94f00dd
| end | ||
| end | ||
| rescue Gem::SigstoreException => ex | ||
| rescue StandardError => ex |
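Review bot: `rescue Gem::SigstoreException => ex` is worse than a no-op while that constant is undefined. Ruby evaluates the rescue class list only when an exception is propagating out of the begin body, so the first verification failure raises NameError (uninitialized constant Gem::SigstoreException) instead, and that NameError is not caught by the following `rescue StandardError` because it is raised while matching the clauses, not inside the body. The original error is lost and replaced by a confusing one. Drop the line until the exception class exists (the follow-up issue mentioned in the thread) or define the class in this PR. Also, whatever the StandardError branch does, it must not let the install continue, otherwise any unexpected error during verification becomes a silent bypass.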
Gem::SigstoreException doesn't exist at the moment. We can implement proper error handling in a followup PR since it is outside of the scope of this PR.
Yup, I have hit this same problem. I will create an issue to track the introduction of a proper exception hierarchy.
As a follow-up to this PR and #51 we can consolidate the logic for the verify command into one spot.
| if (package = installer.package) | ||
| gem_path = package.gem.path | ||
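Review bot: `if (package = installer.package)` makes the verification fail open: when `installer.package` is nil the whole block is skipped and the gem is installed without any check and without anything being logged. For a signature plugin the safer default is to fail closed, for example `raise Gem::InstallError, "no package to verify" unless (package = installer.package)`, or at the very least to report the skip so a missing package cannot pass unnoticed.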
| pp "Verifying #{gem_path}" |
Let's use rubygems' own UI printing commands, like say.
say "Verifying #{gem_path}"
Given that @doodzik is out for the year, maybe we could do this in a follow-up PR?
I have pulled down his branch to replace pp with say. Otherwise the PR looks good to me.
| pp "Verifying #{gem_path}" | ||
| raise Gem::CommandLineError, "#{gem_path} is not a file" unless File.file?(gem_path) |
Decent placeholder until we address #37.
add signing_policy
force-pushed from 94f00dd to f9684af
This PR fixes #36 and enables gem signature verification when using bundler.
I mainly copied the existing verify command and had to adjust the code a bit because I don't have the command class available. I also introduced a concept of signing-policy, which will enable us to provide different signing stories.

Running the gem command with the signing-policy env variable (screenshot):

Running bundler with the --verbose flag and the signing-policy env variable (screenshot):

I added a raise statement to the command to see if it would fail bundle install and it did (screenshot).

I tested the commands with the gem and bundler commands and it works for both. Feel free to merge this PR or make changes to it.
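The following is an added example, not code from this PR or from the plugin: it puts the pieces discussed in the thread together as a `Gem.pre_install` hook (the alternative the review proposed to reopening the install command) that selects a signing policy from an environment variable, prints through the RubyGems UI with `say`, checks that the gem path is a file, and fails closed instead of skipping when there is no package or the signature check fails. The variable name SIGNING_POLICY, the policy names off/warn/strict and the `verifier` callable are assumptions standing in for the plugin's real signing-policy and sigstore verification.

```ruby
require "rubygems"

# Added example (not the plugin's code): a Gem.pre_install hook that verifies the
# gem being installed under a signing policy chosen by an environment variable.
# Assumptions, all illustrative: the variable name SIGNING_POLICY, the policy
# names off/warn/strict, and the `verifier` callable that stands in for the real
# sigstore signature check.

class SigningPolicy
  NAMES = %w[off warn strict].freeze

  attr_reader :name

  def initialize(name)
    # Unknown values are rejected rather than silently treated as "off".
    unless NAMES.include?(name)
      raise ArgumentError, "unknown signing policy #{name.inspect}, expected one of #{NAMES.join(', ')}"
    end
    @name = name
  end

  # Hypothetical variable name; an unset variable means the strictest policy.
  def self.from_env(env = ENV)
    new(env.fetch("SIGNING_POLICY", "strict"))
  end

  def verify?
    name != "off"
  end

  def enforce?
    name == "strict"
  end
end

# Checks one .gem file under `policy`. `verifier` is any callable that takes the
# path and returns true or false. Returns true when the install may proceed.
# Under "strict" every problem, including a missing file or a nil path, raises
# Gem::InstallError so the hook fails closed; under "warn" the problem is
# reported through the RubyGems UI and the install continues.
def verify_gem(gem_path, policy, verifier:)
  return true unless policy.verify?

  Gem.ui.say "Verifying #{gem_path}"
  problem =
    if !gem_path.is_a?(String) || !File.file?(gem_path)
      "#{gem_path.inspect} is not a file"
    elsif !verifier.call(gem_path)
      "signature verification failed for #{gem_path}"
    end
  return true if problem.nil?
  raise Gem::InstallError, problem if policy.enforce?

  Gem.ui.alert_warning problem
  true
end

# Hook body kept separate from registration so it can be called directly.
# `installer` only needs to respond to #package the way Gem::Installer does; a
# nil package yields a nil path, which verify_gem treats as a failure instead of
# skipping verification.
def pre_install_hook(installer, policy: SigningPolicy.from_env, verifier:)
  package = installer.package
  verify_gem(package&.gem&.path, policy, verifier: verifier)
end

# Registration as a rubygems_plugin.rb would do it. RubyGems aborts the install
# when a pre-install hook raises or returns false. The lambda is a placeholder
# for the plugin's real sigstore check; returning false rejects every gem, which
# is the safe default until a real verifier is wired in.
Gem.pre_install do |installer|
  pre_install_hook(installer, verifier: ->(_path) { false })
end
```

Because the hook raises `Gem::InstallError` rather than returning false, `gem install` and `bundle install` both report the policy's own message instead of the generic "pre-install hook failed" text, which is the behaviour the PR description tested by adding a raise statement.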