Certificate used to sign the gem is expired #101
I have a Rails 6.0.0 application. Gem
The certificate was valid when the tzinfo v1.2.5 gem was produced (2018-02-04).
RubyGems includes the signing certificate in the gem. When installing, RubyGems checks that the certificate contained within the gem is valid at the time of installation instead of checking that it was valid at the time the gem signature was produced. This means that this problem will be encountered with all signed gems where the certificate has since expired.
The current certificate in the repository is valid (it currently expires on 2019-10-27). This certificate shares the same RSA public key as the certificate contained in the v1.2.5 gem, so it could in theory be used for verification. However, without rebuilding, there isn't any way to override the certificate included in the gem.
Sadly, the only workaround appears to be to install without applying the trust policy. You can manually install just tzinfo and then install the rest of the bundle with the trust policy:
It is quite likely though that most of your other dependencies aren't signed and the trust policy option won't be doing much (unsigned certificates are allowed). I created a Gemfile referencing just rails v6.0.0. Out of the 42 gems that were installed, only two (tzinfo and minitest) were signed.
It's worth noting too that the MediumSecurity policy offers little security. An attacker could remove the signature and the modified gem would be installed without warning.
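As an added example (not part of this thread and not RubyGems' own code), the following Ruby script uses OpenSSL to model the two points made above: an RSA signature that verifies with the signer's key is rejected by a check that demands the embedded certificate be unexpired at install time, while it passes against the signing date or against a newer certificate that carries the same public key; and a policy whose `only_signed` flag is off (as MediumSecurity's is, in contrast to HighSecurity) accepts a modified gem whose signature has simply been removed. The signer key, both certificates, the payload and the dates (including an assumed install date of 2019-09-01) are constructed for the example; the policy model is reduced to that single flag.

```ruby
require 'openssl'

# Build a self-signed X.509 certificate for KEY valid from NOT_BEFORE to NOT_AFTER.
# RubyGems carries the signer's certificate chain inside the gem itself.
def make_cert(key, not_before, not_after, serial)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse('/CN=gem-signer/O=example')
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = not_before
  cert.not_after = not_after
  cert.sign(key, OpenSSL::Digest::SHA256.new)
  cert
end

# RSA/SHA-256 signature over DATA (RubyGems signs the metadata and data tarballs this way).
def sign(key, data)
  key.sign(OpenSSL::Digest::SHA256.new, data)
end

# Does the public key in CERT verify SIG over DATA? (time-independent)
def signature_valid?(cert, data, sig)
  cert.public_key.verify(OpenSSL::Digest::SHA256.new, sig, data)
end

# Is CERT inside its validity window at time AT?
def cert_valid_at?(cert, at)
  cert.not_before <= at && at <= cert.not_after
end

# A signed gem is accepted when the signature verifies AND the embedded certificate
# is valid at CHECK_TIME. RubyGems uses the installation time here, which is why a
# gem signed under a since-expired certificate fails even though nothing was tampered.
def accept?(cert, data, sig, check_time)
  signature_valid?(cert, data, sig) && cert_valid_at?(cert, check_time)
end

# Minimal model of the one policy flag that decides an unsigned gem's fate:
# MediumSecurity leaves only_signed off, HighSecurity turns it on.
POLICY_ONLY_SIGNED = { medium: false, high: true }.freeze

def policy_accepts?(policy, cert, data, sig, check_time)
  return !POLICY_ONLY_SIGNED.fetch(policy) if sig.nil? # no signature present at all
  accept?(cert, data, sig, check_time)
end

# --- constructed scenario mirroring the tzinfo 1.2.5 timeline (assumed values) ---
SIGNER_KEY   = OpenSSL::PKey::RSA.new(2048)
SIGNED_AT    = Time.utc(2018, 2, 4)   # date the gem was built
INSTALL_TIME = Time.utc(2019, 9, 1)   # assumed install date for this example
OLD_CERT     = make_cert(SIGNER_KEY, Time.utc(2017, 10, 27), Time.utc(2018, 10, 27), 1)
NEW_CERT     = make_cert(SIGNER_KEY, Time.utc(2018, 10, 27), Time.utc(2019, 10, 27), 2) # same key
PAYLOAD      = 'metadata.gz bytes (constructed)'
SIGNATURE    = sign(SIGNER_KEY, PAYLOAD)

# Outcomes of each check; names describe the scenario being tested.
def report
  {
    valid_when_signed:   accept?(OLD_CERT, PAYLOAD, SIGNATURE, SIGNED_AT),
    valid_at_install:    accept?(OLD_CERT, PAYLOAD, SIGNATURE, INSTALL_TIME),
    newer_cert_same_key: accept?(NEW_CERT, PAYLOAD, SIGNATURE, INSTALL_TIME),
    tampered_medium:     policy_accepts?(:medium, NEW_CERT, 'tampered', SIGNATURE, INSTALL_TIME),
    stripped_medium:     policy_accepts?(:medium, NEW_CERT, 'tampered', nil, INSTALL_TIME),
    stripped_high:       policy_accepts?(:high, NEW_CERT, 'tampered', nil, INSTALL_TIME)
  }
end

report.each { |name, ok| puts "#{name}: #{ok}" } if $PROGRAM_NAME == __FILE__
```

Running it shows `valid_when_signed` true but `valid_at_install` false for the same signature, `newer_cert_same_key` true because verification only needs the public key, and under the medium policy a tampered payload is rejected while it still carries the old signature (`tampered_medium` false) yet accepted once the signature is dropped (`stripped_medium` true); only `only_signed` (`stripped_high` false) closes that gap.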
Thank you for the detailed response. I'll try to build and sign every dependency with my key and serve it from my own server. This enables the option of the HighSecurity policy. I'm sure that every big company that uses Ruby (like GitHub, Airbnb) follows this practice. However, I don't know of any software to automate it. Maybe I can create one; it looks like such software is needed in the Ruby community.