feat: sign gems #68

Open: wants to merge 4 commits into master

Conversation


@fauno fauno commented Jan 8, 2025

adds gem signing to gem-compiler

https://guides.rubygems.org/security/

@luislavena (Owner) left a comment


Hello @fauno, thank you for your PR. I have some comments on it that could possibly require changes.

As I'm not familiar with recent RubyGems developments around signing, it will be great if you can provide a bit more verbose context/background on the feature and the expected behavior.

Thank you.

Comment on lines +71 to +74
if @options[:sign_private_key_file]
gemspec.cert_chain = [@options[:sign_cert_file]]
gemspec.signing_key = @options[:sign_private_key_file]
end
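Review bot: the guard on line +71 checks only the private-key option, so when `--cert` is omitted `@options[:sign_cert_file]` is `nil` and line +72 assigns `gemspec.cert_chain = [nil]`, which is then rejected much later by RubyGems with an unhelpful exception. Validate the pair before touching the gemspec: abort with a usage error when `sign_private_key_file` is set but `sign_cert_file` is not, and check that both paths name readable files, so the failure is reported at option parsing rather than at packaging time.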
Owner (@luislavena):

From what I understand of this, if you provide --sign via the CLI, it will then take whatever the value of @options[:sign_cert_file] is as part of the chain, but that option is not validated.

Is it OK for the gemspec to have a cert_chain with [nil] in it?

If not, then --cert must be required once --sign is used and thus requires validation.

Author (@fauno):

Yeah, currently you would have an exception thrown because the cert isn't valid. I'll provide an error message!

Author (@fauno):

Done!

@fauno (Author) commented Jan 9, 2025

> As I'm not familiar with recent RubyGems developments around signing, it will be great if you can provide a bit more verbose context/background on the feature and the expected behavior.

With gem cert you can manage self-signed certs for your email and use them to sign gems. To actually verify the gems you need to add the cert to your cert store and use -P HighSecurity so it fails when it can't verify signatures.

This PR allows gem compile to sign gems; not many gems are actually signed (I remember reading that someone is trying to solve this). In our case it allows us to verify gems from our repository.
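The workflow described in the comment above (create a self-signed cert as `gem cert --build` does, sign a gem through the same two gemspec fields the PR sets, add the cert to the trust store as `gem cert --add` does, verify under HighSecurity), carried out against the RubyGems API as an added example. This is not code from the PR or from gem-compiler. The gem name `signed_example`, the address `maintainer@example.com` and the single file it packages are constructed for the demo, and redirecting the trust store by overwriting `Gem::Security`'s `@trust_dir` instance variable is a test-isolation hack so the run never touches `~/.gem/trust`; a real tool leaves that to `gem cert --add`.

```ruby
require "rubygems"
require "rubygems/package"
require "rubygems/security"
require "openssl"
require "tmpdir"
require "fileutils"

# Build a tiny constructed gem inside +dir+. When +key_path+ and +cert_path+
# are given, the gemspec gets the same two fields the PR assigns
# (signing_key / cert_chain), so Gem::Package signs every archive member.
# Returns the absolute path of the built .gem file.
def build_example_gem(dir, key_path: nil, cert_path: nil)
  FileUtils.mkdir_p(File.join(dir, "lib"))
  Dir.chdir(dir) do
    File.write("lib/signed_example.rb", "module SignedExample; VERSION = '0.1.0'; end\n")
    spec = Gem::Specification.new do |s|
      s.name    = "signed_example" # hypothetical gem name (constructed)
      s.version = "0.1.0"
      s.summary = "Constructed gem used to demonstrate RubyGems signing"
      s.authors = ["Example Maintainer"]
      s.files   = ["lib/signed_example.rb"]
      if key_path
        s.signing_key = key_path    # path to the PEM private key
        s.cert_chain  = [cert_path] # path(s) to the PEM certificate chain
      end
    end
    # skip_validation = true: gemspec policy checks are orthogonal to signing
    File.expand_path(Gem::Package.build(spec, true))
  end
end

# Verify +gem_path+ the way `gem install -P <policy>` does; returns [ok, message].
def verify_gem(gem_path, policy)
  Gem::Package.new(gem_path, policy).verify
  [true, "verified"]
rescue Gem::Security::Exception => e
  [false, e.message]
end

# Run the whole workflow in a scratch directory and collect the outcomes.
def run_demo
  results = {}
  Dir.mktmpdir("gem-signing-demo") do |tmp|
    begin
      # `gem cert --build maintainer@example.com` equivalent: an RSA key plus a
      # self-signed certificate whose subject is derived from the address.
      key  = OpenSSL::PKey::RSA.new(2048)
      cert = Gem::Security.create_cert_email("maintainer@example.com", key)
      key_path  = File.join(tmp, "gem-private_key.pem")
      cert_path = File.join(tmp, "gem-public_cert.pem")
      File.write(key_path, key.to_pem)
      File.write(cert_path, cert.to_pem)

      # Point the trust store at a scratch directory instead of ~/.gem/trust.
      # Overwriting the ivar is a test-isolation hack, not tool behaviour.
      trust_dir = Gem::Security::TrustDir.new(File.join(tmp, "trust"))
      Gem::Security.instance_variable_set(:@trust_dir, trust_dir)

      unsigned = build_example_gem(File.join(tmp, "unsigned"))
      signed   = build_example_gem(File.join(tmp, "signed"),
                                   key_path: key_path, cert_path: cert_path)

      high = Gem::Security::HighSecurity
      results[:unsigned_rejected]  = verify_gem(unsigned, high) # no signature at all
      results[:untrusted_rejected] = verify_gem(signed, high)   # signed, root not trusted yet
      trust_dir.trust_cert(cert)                                # `gem cert --add gem-public_cert.pem`
      results[:trusted_accepted]   = verify_gem(signed, high)   # signed and root trusted
      results[:no_policy_accepts_unsigned] = verify_gem(unsigned, nil) # default install: no check
    ensure
      Gem::Security.instance_variable_set(:@trust_dir, nil)     # restore the real trust dir
    end
  end
  results
end

if __FILE__ == $PROGRAM_NAME
  run_demo.each { |name, (ok, msg)| puts "#{name}: #{ok} (#{msg})" }
end
```

Running the file prints one line per case. The two rejections are the point of `-P HighSecurity`: an unsigned gem and a gem signed by a certificate the installer has not explicitly trusted both fail, while the default policy (the last case) accepts the unsigned gem without comment. The `signing_key`/`cert_chain` assignment in `build_example_gem` is the whole of what the PR's hunk adds to the gemspec; everything else is RubyGems' own signing and verification machinery.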
