
Certificate used to sign the gem is expired #101

Closed
kotovalexarian opened this issue Oct 9, 2019 · 2 comments

@kotovalexarian commented Oct 9, 2019

I have a Rails 6.0.0 application. Gem activesupport depends on tzinfo. When I install gems with command bundle install --trust-policy MediumSecurity I get the following error:

kotovalexarian@kotovalexarian:~/repos/github/libertarian-party/partynest$ bundle install --trust-policy MediumSecurity 
Fetching gem metadata from https://rubygems.org/.........
Using rake 13.0.0
Using concurrent-ruby 1.1.5
Using i18n 1.7.0
Using minitest 5.12.2
Using thread_safe 0.3.6
Fetching tzinfo 1.2.5
The gem tzinfo-1.2.5 can't be installed because the security policy didn't allow it, with the message: certificate /CN=phil.ross/DC=gmail/DC=com not valid after 2018-10-23 19:46:02 UTC

@philr (Member) commented Oct 9, 2019

The certificate was valid when the tzinfo v1.2.5 gem was produced (2018-02-04).

RubyGems includes the signing certificate in the gem. When installing, RubyGems checks that the certificate contained within the gem is valid at the time of installation instead of checking that it was valid at the time the gem signature was produced. This means that this problem will be encountered with all signed gems where the certificate has since expired.

The current certificate in the repository is valid (it currently expires on 2019-10-27). This certificate shares the same RSA public key as the certificate contained in the v1.2.5 gem, so it could in theory be used for verification. However, without rebuilding, there isn't any way to override the certificate included in the gem.

Sadly, the only workaround appears to be to install without applying the trust policy. You can manually install just tzinfo and then install the rest of the bundle with the trust policy:

gem install tzinfo -v 1.2.5
bundle install --trust-policy MediumSecurity

It is quite likely though that most of your other dependencies aren't signed and the trust policy option won't be doing much (unsigned certificates are allowed). I created a Gemfile referencing just rails v6.0.0. Out of the 42 gems that were installed, only two (tzinfo and minitest) were signed.

It's worth noting too that the MediumSecurity policy offers little security. An attacker could remove the signature and the modified gem would be installed without warning.
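
The two points above (RubyGems validating the embedded certificate against the install time rather than the signing time, and MediumSecurity accepting a gem whose signature has simply been removed) can be reproduced with a small OpenSSL model. The following is an added example written for this page; it is not code from the tzinfo project, from RubyGems or from the commenter. The `verify` function is a toy modelled on the behaviour described, not `Gem::Security::Policy#verify` itself; the `only_signed` flag mirrors the RubyGems policy attribute of that name (false for MediumSecurity, true for HighSecurity). The certificate subject, the payload string and the dates are constructed, with the validity window and the 2018-02-04 / 2019-10-09 timestamps taken from the thread.

```ruby
require 'openssl'

DIGEST = 'SHA256'.freeze

# Build a self-signed signing certificate with an explicit validity window,
# similar to what `gem cert --build` produces. The subject is an assumed
# placeholder, not the real /CN=phil.ross/DC=gmail/DC=com certificate.
def build_cert(key, not_before:, not_after:)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse('/CN=example/DC=example/DC=com')
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = not_before
  cert.not_after = not_after
  cert.sign(key, OpenSSL::Digest.new(DIGEST))
  cert
end

# Sign the gem payload with the private key (stand-in for `gem build` signing
# metadata.gz and data.tar.gz).
def sign(key, data)
  key.sign(OpenSSL::Digest.new(DIGEST), data)
end

# Toy policy check modelled on the behaviour described in the thread (assumed
# structure, not the RubyGems implementation):
#  - unsigned input is accepted unless only_signed (MediumSecurity vs HighSecurity)
#  - the certificate must be valid at check_time; RubyGems uses the install
#    time, the alternative would be the time the signature was produced
#  - the signature must match the data under the certificate's public key
def verify(data, signature:, cert:, only_signed:, check_time:)
  if signature.nil? || cert.nil?
    return only_signed ? :rejected_unsigned : :accepted_unsigned
  end
  unless cert.not_before <= check_time && check_time <= cert.not_after
    return :certificate_not_valid
  end
  digest = OpenSSL::Digest.new(DIGEST)
  return :bad_signature unless cert.public_key.verify(digest, signature, data)
  :ok
end

# Run the scenarios from the thread and return a hash of outcomes.
def scenarios
  key = OpenSSL::PKey::RSA.generate(2048)
  cert = build_cert(key,
                    not_before: Time.utc(2017, 10, 23),
                    not_after: Time.utc(2018, 10, 23, 19, 46, 2))
  # Constructed stand-in for the signed contents of tzinfo-1.2.5.gem.
  gem_payload = 'metadata.gz + data.tar.gz (constructed gem contents)'
  signed_at = Time.utc(2018, 2, 4)      # when the gem was built
  install_time = Time.utc(2019, 10, 9)  # when bundle install ran
  sig = sign(key, gem_payload)
  tampered = gem_payload + ' plus attacker modification'

  {
    # RubyGems behaviour: valid signature, but the cert has expired by install time.
    install_time_check: verify(gem_payload, signature: sig, cert: cert,
                               only_signed: false, check_time: install_time),
    # The same gem judged against the signing time would pass.
    signing_time_check: verify(gem_payload, signature: sig, cert: cert,
                               only_signed: false, check_time: signed_at),
    # Modifying the gem while keeping the original signature is caught.
    tampered_signed: verify(tampered, signature: sig, cert: cert,
                            only_signed: false, check_time: signed_at),
    # Stripping the signature entirely sails through MediumSecurity...
    tampered_stripped_medium: verify(tampered, signature: nil, cert: nil,
                                     only_signed: false, check_time: install_time),
    # ...but is rejected by a HighSecurity-style only_signed policy.
    tampered_stripped_high: verify(tampered, signature: nil, cert: nil,
                                   only_signed: true, check_time: install_time)
  }
end

if __FILE__ == $PROGRAM_NAME
  scenarios.each { |name, result| puts "#{name}: #{result}" }
end
```

The `tampered_stripped_medium` case is the attack the comment above describes: because MediumSecurity does not require a signature, removing the signature files from a modified gem turns a `:bad_signature` failure into a silent install.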

@kotovalexarian (Author) commented Oct 9, 2019

Thank you for the detailed response. I'll try to build and sign every dependency with my key and serve it from my own server. This enables the option of the HighSecurity policy. I'm sure that every big company that uses Ruby (like GitHub, Airbnb) follows this practice. However, I don't know any software to automate it. Maybe I can create one; it looks like such software is needed in the Ruby community.
