To assure the validity of any software package, you need to:
Verify that the package has not been corrupted or maliciously tampered with by verifying the file's checksum.
Verify that the checksum has not been tampered with by validating a digital signature of that checksum.
Verify that the digital signature was produced by the package's publisher by authenticating the public key that was used to generate the digital signature.
If you can't do this, you can't verify the integrity of the package.
This gem allows cryptographic signing of ruby gems with OpenPGP instead of the current built-in signing method involving X.509.
A working installation of gpg.
An OpenPGP private key is required to sign gems, but not to verify.
gem build openpgp_signed_hola.gemspec --sign gem push openpgp_signed_hola-0.0.0.gem
A test gem openpgp_signed_hola is on rubygems.org. To try out this extension:
gem install openpgp_signed_hola-0.0.0.gem --trust --get-key
But That Just Failed!
You probably don't trust my public key. More information is available at The Complete Guide to Verifying Gems with rubygems-openpgp
The More You Know!
A detailed walkthrough of verifiction is available at The Complete Guide to Verifying Gems with rubygems-openpgp
Verifying your initial install
You can verify your initial install with a detached signature. Here's how.