This repository was archived by the owner on Feb 26, 2024. It is now read-only.

Add a gem signatures command #51

Merged

rochlefebvre merged 1 commit into main from add-signatures-command on Dec 17, 2021

Conversation


@rochlefebvre rochlefebvre commented Dec 16, 2021

Closes #35, replaces #49. I will update #35 with our discussion and decisions.

🎩

Help (proper copy and USAGE will come in later PRs)

➜  ruby-sigstore git:(add-signatures-command) ✗ gem help signatures
Usage: gem signatures [options]

  Options:
    -s, --[no-]sign                  Sign the gem(s)
    -v, --[no-]verify                Verify gem signatures
        --identity-token TOKEN       Provide a static token for signing in automated environments


  Common Options:
    -h, --help                       Get help on this command
    -V, --[no-]verbose               Set the verbose level of output
    -q, --quiet                      Silence command progress meter
        --silent                     Silence RubyGems output
        --config-file FILE           Use this config file instead of default
        --backtrace                  Show stack backtrace on errors
        --debug                      Turn on Ruby debugging
        --norc                       Avoid loading any .gemrc file


  Arguments:
    GEMNAME        name of gem to sign or verify

  Summary:
    Create and verify gem signatures

Default command behaviour: --verify

➜  ruby-sigstore git:(add-signatures-command) ✗ gem signatures ruby-sigstore-0.1.0.gem
Verifying ruby-sigstore-0.1.0.gem
No valid signatures found for digest 394e2309bc47021c09322e89127527b10f930768e7951b1c215480408468b532

Short and long forms for --verify

➜  ruby-sigstore git:(add-signatures-command) ✗ gem signatures -v ruby-sigstore-0.1.0.gem
Verifying ruby-sigstore-0.1.0.gem
No valid signatures found for digest 394e2309bc47021c09322e89127527b10f930768e7951b1c215480408468b532
➜  ruby-sigstore git:(add-signatures-command) ✗ gem signatures --verify ruby-sigstore-0.1.0.gem
Verifying ruby-sigstore-0.1.0.gem
No valid signatures found for digest 394e2309bc47021c09322e89127527b10f930768e7951b1c215480408468b532

Long form for --sign (signing with my @Shopify address)

➜  ruby-sigstore git:(add-signatures-command) ✗ gem signatures --sign ruby-sigstore-0.1.0.gem
Fulcio certificate chain
-----BEGIN CERTIFICATE-----
[REDACTED]
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
[REDACTED]
-----END CERTIFICATE-----

Sending gem digest, signature & certificate chain to transparency log.
https://rekor.sigstore.dev/api/v1/log/entries/1df847bd45d8[...]7731937495475

Verify works when the gem is signed

➜  ruby-sigstore git:(add-signatures-command) ✗ gem signatures --verify ruby-sigstore-0.1.0.gem
Verifying ruby-sigstore-0.1.0.gem
:noice:
Signed by non-maintainer: roch.lefebvre@shopify.com

Sign and then verify in the same command (signing with my @gmail address)

➜  ruby-sigstore git:(add-signatures-command) ✗ gem signatures --sign --verify ruby-sigstore-0.1.0.gem
Fulcio certificate chain
-----BEGIN CERTIFICATE-----
[REDACTED]
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
[REDACTED]
-----END CERTIFICATE-----

Sending gem digest, signature & certificate chain to transparency log.
https://rekor.sigstore.dev/api/v1/log/entries/0c55848e4fa[...]3dba24fd0cf662647f48b2
Verifying ruby-sigstore-0.1.0.gem
:noice:
Signed by non-maintainers: re.dacted@gmail.com and roch.lefebvre@shopify.com
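The verify path the description above exercises, as an added example in Ruby (not code from this PR or from ruby-sigstore): it hashes the gem with SHA-256, checks each candidate signature against its signer's public key, and reports valid signers as maintainers or non-maintainers, producing the same "No valid signatures found for digest ..." and "Signed by non-maintainer(s): ..." shapes the command prints. Assumptions: RSA keys stand in for Fulcio-issued ECDSA certificates (chosen for portability across Ruby/OpenSSL versions), a signer's identity is a bare email string rather than one read from a certificate, and the maintainer list is supplied by the caller; the gem bytes and addresses are constructed for the example.

```ruby
# Added illustration, not code from this PR or from ruby-sigstore: a small
# model of what `gem signatures --verify` reports. It hashes the gem bytes
# with SHA-256, checks each candidate signature against the signer's public
# key, and then splits valid signers into maintainers and non-maintainers.
# Assumptions: RSA keys stand in for Fulcio-issued ECDSA certificates, a
# signer's identity is a plain email string, and the maintainer list is
# passed in by the caller.
require 'openssl'
require 'digest'

GemSignature = Struct.new(:identity, :public_key, :signature)

# SHA-256 hex digest of the gem archive, the value the CLI prints.
def gem_digest(gem_bytes)
  Digest::SHA256.hexdigest(gem_bytes)
end

# Sign the gem digest with the signer's private key; the returned record
# carries only the public half, which is all a verifier needs.
def sign_gem(gem_bytes, identity, private_key)
  sig = private_key.sign(OpenSSL::Digest.new('SHA256'), gem_digest(gem_bytes))
  GemSignature.new(identity, private_key.public_key, sig)
end

# True only if the signature was made over this exact gem's digest by the
# holder of the matching private key; a malformed signature counts as invalid.
def signature_valid?(gem_bytes, sig)
  sig.public_key.verify(OpenSSL::Digest.new('SHA256'), sig.signature, gem_digest(gem_bytes))
rescue OpenSSL::PKey::PKeyError
  false
end

def plural(word, list)
  list.size == 1 ? word : "#{word}s"
end

# Build the verification report. Valid signers are reported by role so a
# consumer can tell a maintainer's signature from a stranger's, which is
# what the "non-maintainer" label in the CLI output conveys.
def verify_gem(gem_bytes, signatures, maintainers)
  valid = signatures.select { |s| signature_valid?(gem_bytes, s) }
  return "No valid signatures found for digest #{gem_digest(gem_bytes)}" if valid.empty?

  trusted, others = valid.map(&:identity).uniq.partition { |id| maintainers.include?(id) }
  report = []
  report << "Signed by #{plural('maintainer', trusted)}: #{trusted.join(' and ')}" unless trusted.empty?
  report << "Signed by #{plural('non-maintainer', others)}: #{others.join(' and ')}" unless others.empty?
  report.join("\n")
end

if __FILE__ == $PROGRAM_NAME
  gem_bytes = 'constructed stand-in for ruby-sigstore-0.1.0.gem' # constructed sample, not a real gem
  maintainer = OpenSSL::PKey::RSA.new(2048)
  outsider   = OpenSSL::PKey::RSA.new(2048)
  sigs = [sign_gem(gem_bytes, 'maintainer@example.com', maintainer),
          sign_gem(gem_bytes, 'someone@example.com', outsider)]
  puts verify_gem(gem_bytes, [], ['maintainer@example.com'])           # unsigned gem
  puts verify_gem(gem_bytes, sigs, ['maintainer@example.com'])         # one maintainer, one outsider
  puts verify_gem(gem_bytes + 'tampered', sigs, ['maintainer@example.com']) # altered archive
end
```

Running the file prints the three reports. The tampered-gem case shows why the report keys off the digest: any change to the archive invalidates every signature over it, so an altered gem is reported exactly like an unsigned one.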

@rochlefebvre rochlefebvre force-pushed the add-signatures-command branch from 0349c06 to e42802d on December 16, 2021 19:38
# end

def execute
gem_path = get_one_gem_name
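Review bot: `get_one_gem_name` restricts `execute` to a single gem, yet the `--sign` help text in the description reads `Sign the gem(s)`; until multi-gem support lands, the option description should match the one-gem behaviour so the help does not promise more than the command accepts.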
Author

We will add support for 1+ gems as part of #32.

Comment thread lib/rubygems_plugin.rb
require 'rubygems/command_manager'
require 'rubygems/sigstore'
require 'rubygems/commands/signatures_command'
require 'rubygems/commands/sign_command'
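Review bot: requiring both `rubygems/commands/signatures_command` and `rubygems/commands/sign_command` registers the new `signatures` command alongside the dedicated command it is meant to replace; a TODO on the `sign_command` require naming the planned follow-up removal keeps the duplicate from outliving its transition period.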
Author

In a follow up PR, we'll rip out the dedicated sign and verify commands.


@gem_path = gem_path("hello-world.gem")
@cmd = Gem::Commands::SignaturesCommand.new
end
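Review bot: with request stubbing moved into the individual tests, this `setup` builds `@cmd` with no options set, which is the default (`--verify`) path; make sure at least one test exercises that path explicitly, since a default that silently changed would not be caught by tests that always pass `--sign` or `--verify`.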
Author

I chose to move the request stubbing into the tests. There is no overlap between signing and verifying requests.

@rochlefebvre rochlefebvre marked this pull request as ready for review December 16, 2021 19:45
@rochlefebvre rochlefebvre requested a review from a team December 16, 2021 19:46

@jchestershopify jchestershopify left a comment


Some questions, but otherwise LGTM.

Comment on lines +51 to +53
# def usage # :nodoc:
# "gem signatures GEMNAME"
# end
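Review bot: leaving `usage` commented out makes `gem help signatures` fall back to the generic `gem signatures [options]` line shown in the description, which does not mention the GEMNAME argument; if the block stays as a reminder for the follow-up copy PR, a TODO reference on it makes that intent clear to the next reader.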

Should this be commented out? Removed?

Author

I thought of leaving it as an eyesore so we write a proper usage blurb in a follow up documentation/copy PR.


Development

Successfully merging this pull request may close these issues.

Consider renaming gem verify to something more focused

4 participants