
Add cryptographic signature to the gem #660

cheald opened this Issue · 0 comments



In light of the recent Rubygems security issues, I think it would be prudent to add a signature to the gem and include it in releases. This isn't something I can issue a PR for, since you (the project owner) would need to own the cert files.

The how-to is here:


  1. gem cert --build
  2. Copy the private key somewhere safe
  3. Add the public key to the repo (git add gem-public_cert.pem)
  4. Update the gemspec with something like:

    s.signing_key = '/home/chris/.gemcert/gem-private_key.pem'
    s.cert_chain = ['gem-public_cert.pem']

  5. Push and rake release

While this would be a self-signed certificate, the presence of the pubkey in the canonical repo will allow people to verify that the gem they installed from Rubygems (or wherever) was signed by the project maintainer, and has not been altered.

@sferik sferik closed this issue from a commit
@sferik sferik Add cryptographic signature
Closes #660.
@sferik sferik closed this in 18431b0
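
The check the issue relies on, pinning the self-signed certificate published in the repository and verifying a signature against it, is sketched here as an added example; it is not code from the project or from this thread. The helper names, the subject names and the byte string standing in for the gem contents are all constructed for illustration.

```ruby
require 'openssl'

# Stand-in for `gem cert --build`: an RSA key plus a self-signed certificate.
def self_signed_cert(common_name)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{common_name}")
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [key, cert]
end

def fingerprint(cert)
  OpenSSL::Digest::SHA256.hexdigest(cert.to_der)
end

# Accept only when the certificate shipped with the package is byte-identical
# to the one pinned from the canonical repo AND the signature verifies under it.
# A self-signed cert proves nothing by itself; the pin is what carries the trust.
def signed_by_pinned?(pinned_pem, shipped_pem, data, signature)
  pinned  = OpenSSL::X509::Certificate.new(pinned_pem)
  shipped = OpenSSL::X509::Certificate.new(shipped_pem)
  return false unless fingerprint(pinned) == fingerprint(shipped)
  pinned.public_key.verify(OpenSSL::Digest.new('SHA256'), signature, data)
end

# Constructed scenario: a genuine release, a tampered payload, and a package
# re-signed by someone else with their own self-signed certificate.
def demo
  maint_key, maint_cert = self_signed_cert('maintainer (constructed)')
  other_key, other_cert = self_signed_cert('someone else (constructed)')
  pinned = maint_cert.to_pem              # what the repo would publish
  data   = 'constructed gem contents'
  sig    = maint_key.sign(OpenSSL::Digest.new('SHA256'), data)
  resig  = other_key.sign(OpenSSL::Digest.new('SHA256'), data)
  [
    signed_by_pinned?(pinned, maint_cert.to_pem, data, sig),        # genuine
    signed_by_pinned?(pinned, maint_cert.to_pem, data + 'x', sig),  # altered
    signed_by_pinned?(pinned, other_cert.to_pem, data, resig)       # re-signed
  ]
end

p demo if $PROGRAM_NAME == __FILE__
```

RubyGems performs the equivalent check itself once the maintainer's certificate has been trusted with `gem cert --add` and the gem is installed with `-P HighSecurity`.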