Rubygems-openpgp 0.5.0 released - Now with key continuity checks

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

rubygems-openpgp 0.5.0 Released

rubygems-openpgp is a rubygems plugin that allows you to sign and
verify your gems with OpenPGP.

Verifying is as simple as:

gem install openpgp_signed_hola --verify --trust

Signing is as simple as:

gem build foo.gemspec --sign

Now with ssh-style Key Continuity Checks!


rubygems-openpgp now tracks the keys used to sign your gems and will
error out if the signing key for a given gem has changed. This works
the same way ssh does when you connect to a host where the key has
changed.

You can then investigate, and assuming the key change is valid, you
can remove the appropriate entry in ~/.rubygems-openpgp/known_gems to
allow installation to complete.

Other Minor Improvements


  • Gem name is shown before verification status. Previously it was
    confusing to see multiple verification messages when gem
    dependencies were verified.

  • Generic gpg code was extracted into the gpg_status_parser gem for
    easier re-use.

  • Signing/verifying now skips X.509 signatures if they exist. We only
    sign/verify the real payload.

  • Minor improvements for Windows users. We don’t output invalid
    unix-style color codes on windows, or print stuff like ‘~/path’ that
    doesn’t make sense on windows.

Learn More at the rubygems-openpgp Certificate Authority


Several guides, walkthroughs, and documents explaining my motivations
are available at the rubygems-openpgp Certificate
Authority
.

Note that use of the Certificate Authority itself is entirely
optional; users of rubygems-openpgp can apply whatever trust model
they wish when verifying gems.

Verifying Your Initial Install


Existing users of rubygems-openpgp can verify the install with
rubygems-openpgp itself:

gem install rubygems-openpgp --verify --trust

It is recommended that new users fetch the gem and verify it against a
detached signature. Instructions on how to do so can be found at the
Guide to Verifying Your Initial Install.

Detached signature for the 0.5.0 release

  • -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.4.11 (GNU/Linux)

iQEcBAABAgAGBQJRPJY3AAoJEP5F5V2hilTWVj8H/2R3Ue+4lJxbpZwu/cOodlWb
ApflZwrhOnGHjxswL7cV7Rf15sPP9WHUvNf/n8Cuc4hHKArW7/wwdw1LP4wmrRz4
8RxKx8kR7An9JFvs9HhrDt1BvS/j9moaKn//lZfZV7LPIEEuHEUTCNCtHkuV/oBG
LH9tNSMs1CO1D1kkPyxc2aXZm0mRpygWrS1YskJPy7xdR2aNQk4LHJNF168m+XJH
2l8U29QgoCpD0W4iL+6ooyY2lyVFWYhQbBd7ojVRG16Q8CxUf4+ZNey+3tgchVEP
qBFa4M/+m2LoVdCGPOL8meFMytDR75J4VGWtGmRxjfhBeOeNVhneIQT5C6fHCfw=
=Qxhv

  • -----END PGP SIGNATURE-----

Enjoy


    • Grant
      -----BEGIN PGP SIGNATURE-----
      Version: GnuPG v2.0.17 (GNU/Linux)

iQEcBAEBAgAGBQJRPJyJAAoJEP5F5V2hilTWdAIH/0ilwAgccGbRPlchLXhdyWg4
FN3kUL0S6dIQiSPyhk/AooB5fIEuG3jyKW8XMzx6RoBbnt/2j7ACrvcus7hCW3AM
sjO/Q4RJyR8qY9oceyKl64wTHA5wssmfUn7brVJp9L8vehXAYfeFjcJTmXbh7FBO
RyowFLq87ByCrrLj+VGro9AkMfoV84B26Td8XDoVDEkRehQw9b9eZu3CNEkqUl/o
8BPdZhCosj4peSB0H77kw6SwDBenGEwQ8R+EVBo1NmsydsdsKUGrk0WyduMyhT8I
VTeX574eh1/TGwnkCX7eQcGlQc1fbTSaPLPS52CcUl5Bwfh5Dwnx7PUjIIGsPyw=
=zhHZ
-----END PGP SIGNATURE-----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 03/10/2013 10:45 AM, Grant Olson wrote:

rubygems-openpgp 0.5.0 Released ===============================

And… 0.5.1 wasn’t far behind.

I just did a release to fix a minor issue where a Windows user
couldn’t re-sign a gem generated on a linux box. This should not
affect most users, however you will need to use a new detached
signature to verify the initial install:

  • -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.4.11 (GNU/Linux)

iQEcBAABAgAGBQJRPMTkAAoJEP5F5V2hilTWuBMH/30hvYMpCP6dawq6LwufKTgB
w+hsiII3nRshCo6yicYs8kBsT/7oSc7XZg1q3oHXQgJdal/eLBdVEOXdZ8a7zKPh
SjvuHRSBpei3wA1DjPAvJxqjdGOX883rzDLRtP+pvyzazeO6Fj/8d/c8Y6YArEf5
gwWdaA2s0XXdecH21yWMZPKD3x2YQEARCJJWhyngt+FW5ZHlaAwXPkhpAptzchEe
MC8ThY4WZIPRc3+O9II93wGcNJu3T0sOg5NUzgT6vNLzCOtNLNe/hpD/QWUt/5za
RbwqxGcP0QyNDEZQTVpLTBiiq++qyGRUb7cySTDVBqgwasal19VmVsflhTCbBt0=
=mU3L

  • -----END PGP SIGNATURE-----
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v2.0.17 (GNU/Linux)

iQEcBAEBAgAGBQJRPMogAAoJEP5F5V2hilTWkjIH/2pU77IW3Qj94e7JXPsYZDIh
xMviYfHEZnKHYhet8Zv09DMcKZJ1oSQkv6q/vJ9c3OTE+rdh+mdLh3eQm+UUEs6r
Q7hxMdeVkZfL7PleFapqpVtsXz+239RgGl9pTcyvowpNqrXBhHbN1hnuiO2zXsF4
zlPXJP9BMJp0vpTDZ4BT6b6P0LSLdNcKso82qA7FwEfgVugw+PP/ktpcYsYEjI8f
hjloROfTAITquUK+NDEp1gzDHocfTPNEzkK8RHKWaEnT/0bDfPPDDjihDlxiw/+B
6PBZAxIf8cjP2/8iSVwzWFHkTiEsBUnJfNV/G6sNxNN1ayQcaYOjdaxsuZCaNYg=
=4rOl
-----END PGP SIGNATURE-----

This forum is not affiliated to the Ruby language, Ruby on Rails framework, nor any Ruby applications discussed here.

| Privacy Policy | Terms of Service | Remote Ruby Jobs