In light of the recent Rubygems security issues, I think it would be prudent to add a signature to the gem and include it in releases. This isn't something I can issue a PR for, since you (the project owner) would need to own the cert files.
The how-to is here:
http://docs.rubygems.org/read/chapter/21
TL;DR:
1. `gem cert --build your@email.com`
2. Copy the private key somewhere safe
3. Add the public key to the repo (`git add gem-public_cert.pem`)
4. Update the gemspec with something like:
   ```ruby
   s.signing_key = '/home/chris/.gemcert/gem-private_key.pem'
   s.cert_chain = ['gem-public_cert.pem']
   ```
5. Push and `rake release`
While this would be a self-signed certificate, the presence of the pubkey in the canonical repo will allow people to verify that the gem they installed from Rubygems (or wherever) was signed by the project maintainer, and has not been altered.