Skip to content

This allows you to cryptographically sign ruby gems, so that a user can later verify that they've downloaded a copy that hasn't been tampered with or hacked.

License

Notifications You must be signed in to change notification settings

grant-olson/rubygems-openpgp

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

rubygems-openpgp

Software Assurance

To assure the validity of any software package, you need to:

  • Verify that the package has not been corrupted or maliciously tampered with by verifying the file's checksum.

  • Verify that the checksum has not been tampered with by validating a digital signature of that checksum.

  • Verify that the digital signature was produced by the package's publisher by authenticating the public key that was used to generate the digital signature.

If you can't do this, you can't verify the integrity of the package.

This gem allows cryptographic signing of ruby gems with OpenPGP instead of the current built-in signing method involving X.509.

Read more about why we should use OpenPGP. Here's the slides and video from a lightning talk I did at Pittsburgh.rb.

Prerequisites

A working installation of gpg.

An OpenPGP private key is required to sign gems, but not to verify.

Getting started with gpg.

Signing example

gem build openpgp_signed_hola.gemspec --sign
gem push openpgp_signed_hola-0.0.0.gem

Verification Example

A test gem openpgp_signed_hola is on rubygems.org. To try out this extension:

gem install openpgp_signed_hola-0.0.0.gem --trust --get-key

But That Just Failed!

You probably don't trust my public key. More information is available at The Complete Guide to Verifying Gems with rubygems-openpgp

The More You Know!

A detailed walkthrough of verifiction is available at The Complete Guide to Verifying Gems with rubygems-openpgp

Verifying your initial install

You can verify your initial install with a detached signature. Here's how.

About

This allows you to cryptographically sign ruby gems, so that a user can later verify that they've downloaded a copy that hasn't been tampered with or hacked.

Resources

License

Stars

Watchers

Forks

Packages

 
 
 

Languages