
Security Question: Is there a reason childprocess is released as an unsigned gem? #162

Closed
phil-monroe opened this issue Oct 8, 2019 · 2 comments

@phil-monroe

I recently ran into an issue upgrading childprocess (required by selenium-webdriver) on my machine due to me requiring the HighSecurity trust policy and got the following error via bundler:

The gem childprocess-3.0.0 can't be installed because the security policy didn't allow it, with the message: unsigned gems are not allowed by the High Security policy

To reproduce outside of bundler:

~% gem install childprocess -P HighSecurity
Fetching childprocess-3.0.0.gem
ERROR:  While executing gem ... (Gem::Security::Exception)
    unsigned gems are not allowed by the High Security policy

Which brings me to my question: Is this expected and if so, is there a technical reason why the gem is not signed when being published?

For reference:

@sds
Collaborator

sds commented Oct 8, 2019

Is childprocess the only gem for which you're getting this error?

It is relatively rare in the RubyGems ecosystem to sign gems. Even rails (a massive project) does not sign its gems.

If we were to sign, you are putting trust in the supply chain of the set of people who are "owners" of the childprocess gem: https://rubygems.org/gems/childprocess. If you were to trust our certificate, you would trust any gem signed by our certificate. From https://guides.rubygems.org/security/

Gem certificates are trusted globally, such that adding a cert.pem for one gem automatically trusts all gems signed by that cert.

Do you want to extend that trust to us? I wouldn't—that's not a great trust model.

If you're particularly paranoid, the best you can hope to achieve is to visit the releases page, check that the signature on the release is signed by one of the maintainers, and then download that release and build and install the gem yourself locally. Hope that helps.

@sds sds closed this as completed Oct 8, 2019
@sds sds added the question label Oct 8, 2019
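A practical way to answer sds's first question (whether childprocess is the only unsigned gem in your set) is to inspect the .gem files directly: a signed gem's outer tar carries a .sig entry beside each of metadata.gz, data.tar.gz and checksums.yaml.gz. The scanner below is an added example, not code from the issue or the childprocess project; the demo gems it writes are constructed stubs, not real packages.

```ruby
# Added example, not from the issue or the childprocess project: scan .gem files and
# report which carry RubyGems signatures. A signed gem's outer tar holds a .sig entry
# beside metadata.gz, data.tar.gz and checksums.yaml.gz; an unsigned gem has none,
# which is exactly what `gem install -P HighSecurity` rejects.
require "rubygems"
require "rubygems/package"
require "tmpdir"
SIGNED_PARTS = %w[metadata.gz data.tar.gz checksums.yaml.gz].freeze

# Entry names of the outer tar of a .gem read from +io+.
def gem_entries(io)
  names = []
  Gem::Package::TarReader.new(io) { |tar| tar.each { |entry| names << entry.full_name } }
  names
end

# :signed when every part has a .sig, :partial when only some do, :unsigned when none.
def signature_status(path)
  entries = File.open(path, "rb") { |f| gem_entries(f) }
  signed = SIGNED_PARTS.count { |part| entries.include?("#{part}.sig") }
  return :unsigned if signed.zero?
  signed == SIGNED_PARTS.size ? :signed : :partial
end

# Scans a directory (for example a gem cache) into {basename => status}.
def audit_gem_dir(dir)
  Dir.glob(File.join(dir, "*.gem")).sort.each_with_object({}) do |path, report|
    report[File.basename(path)] = signature_status(path)
  end
end

# Writes a constructed, minimal .gem outer tar (stub parts, stub .sig files) for offline use.
def write_demo_gem(path, signed:)
  File.open(path, "wb") do |f|
    Gem::Package::TarWriter.new(f) do |tar|
      SIGNED_PARTS.each do |part|
        tar.add_file(part, 0o644) { |io| io.write("stub") }
        tar.add_file("#{part}.sig", 0o644) { |io| io.write("stub-sig") } if signed
      end
    end
  end
end

# Builds one signed and one unsigned demo gem in a temp dir and returns the audit.
def demo_report
  Dir.mktmpdir do |dir|
    write_demo_gem(File.join(dir, "signed-1.0.0.gem"), signed: true)
    write_demo_gem(File.join(dir, "unsigned-1.0.0.gem"), signed: false)
    audit_gem_dir(dir)
  end
end
```

Point audit_gem_dir at a real gem cache (for example the cache directory under `gem env gemdir`) to see which installed gems would pass a HighSecurity policy.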
@phil-monroe
Author

@sds - Ahh good point! I was playing with the security settings and it seemed like this only affected childprocess and rubyzip, but I think that is because my machine had the other gems cached. Sorry for the confusion!

I totally agree that the gem signing ecosystem isn't the greatest of trust models, but the community is currently operating with the trust model that all of the contributors to gems have set up 2FA and that their rubygems.org accounts have not been compromised, which I feel is an even worse trust model.

I absolutely don't want to start a flame war over this, but in light of the recent compromises to gems that could destroy companies like mine, I'd like to think about and push the ruby/opensource communities to have better security, even if it's not perfect just yet.

It seems like you have a lot of experience maintaining gems and thinking about their security. I would love to pick your brain and bounce ideas off of you if you have time. If you are in SF I'd be happy to buy you a beer/coffee/drink to hear more about your thoughts.
