I recently ran into an issue upgrading childprocess (required by selenium-webdriver) on my machine due to me requiring the HighSecurity trust policy and got the following error via bundler:
The gem childprocess-3.0.0 can't be installed because the security policy didn't allow it, with the message: unsigned gems are not allowed by the High Security policy
To reproduce outside of bundler:
~% gem install childprocess -P HighSecurity
Fetching childprocess-3.0.0.gem
ERROR: While executing gem ... (Gem::Security::Exception)
unsigned gems are not allowed by the High Security policy
Which brings me to my question: Is this expected and if so, is there a technical reason why the gem is not signed when being published?
Gem certificates are trusted globally, such that adding a cert.pem for one gem automatically trusts all gems signed by that cert.
Do you want to extend that trust to us? I wouldn't—that's not a great trust model.
If you're particularly paranoid, the best you can hope to achieve is to visit the releases page, check that the signature on the release is signed by one of the maintainers, and then download that release and build and install the gem yourself locally. Hope that helps.
@sds - Ahh good point! I was playing with the security settings and it seemed like this only affected childprocess and rubyzip, but I think that is because my machine had the other gems cached. Sorry for the confusion!
I totally agree that the gem signing ecosystem isn't the greatest of trust models, but the community is currently operating with the trust model that all of the contributors to gems have set up 2FA and that their rubygems.org accounts have not been compromised, which I feel is an even worse trust model.
I absolutely don't want to start a flame war over this, but in light of the recent compromises to gems that could destroy companies like mine, I'd like to think about and push the ruby/opensource communities to have better security, even if it's not perfect just yet.
It seems like you have a lot of experience maintaining gems and thinking about their security. I would love to pick your brain and bounce ideas off of you if you have time. If you are in SF I'd be happy to buy you a beer/coffee/drink to hear more about your thoughts.
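An added example, not code from this thread or from the childprocess project: a `.gem` file is a tar archive, and a signed one carries a `.sig` entry beside each core member, so a gem cache can be checked for unsigned gems before `-P HighSecurity` is turned on. The function names are hypothetical and the sample archives are constructed in memory; the check looks only for signature entries and verifies nothing.

```ruby
require "rubygems/package"
require "stringio"

# Members RubyGems signs inside a .gem file (which is a plain tar archive).
CORE_MEMBERS = %w[metadata.gz data.tar.gz checksums.yaml.gz].freeze

# Names of the top-level entries in a .gem archive read from +io+.
def gem_members(io)
  Gem::Package::TarReader.new(io).map(&:full_name)
end

# Classify by presence of "<member>.sig" entries only. This does NOT verify
# the signature or the certificate chain; `gem install -P` does that.
#   :unsigned  no .sig entries (the case HighSecurity rejects in the error above)
#   :signed    every core member present has a .sig entry
#   :partial   only some members have one; worth a closer look
#   :invalid   no core members found, so not a .gem archive
def signature_status(io)
  names = gem_members(io)
  core = CORE_MEMBERS & names
  return :invalid if core.empty?
  signed = core.select { |m| names.include?("#{m}.sig") }
  return :unsigned if signed.empty?
  signed.size == core.size ? :signed : :partial
end

# Map each .gem path to its status, e.g. for
# Dir[File.join(Gem.dir, "cache", "*.gem")].
def audit_gem_files(paths)
  paths.to_h do |p|
    [File.basename(p), File.open(p, "rb") { |f| signature_status(f) }]
  end
end

# Constructed sample: a tar with the given entry names and dummy bodies.
def sample_gem(names)
  io = StringIO.new("".b)
  Gem::Package::TarWriter.new(io) do |tar|
    names.each { |n| tar.add_file_simple(n, 0o444, 1) { |f| f.write("x") } }
  end
  io.rewind
  io
end
```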