-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
rubygems-openpgp 0.6.0 Released
rubygems-openpgp is a rubygems plugin that allows you to sign and
verify your gems with OpenPGP.
Verifying is as simple as:
gem install openpgp_signed_hola --trust
Signing is as simple as:
gem build foo.gemspec --sign
Now With rubygems.org Owner Verification Checks
When verifying a gem we now query rubygems.org for a list of valid gem
owners and ensure that the gem’s signature comes from:
-
One of the listed owners at rubygems.org.
-
Via a UID that has been authenticated by the user.
This prevents a few potential exploits:
- Previously a user could get you to authenticate their key for a
legitimate gem, somehow deliver an illegitimate gem, and you would
have trusted the signature.
The owner verification check will now fail because this particular
user doesn’t have rights on this particular gem.
-
A user could get you to authenticate their key for a legitimate
gem via an innocuous email address such as [email protected] and
then later add a UID for a known user like dhh@37signals in an
attempt to obfuscate the signing key’s origin.The owner verification check will now ignore the new forged email
address because it hasn’t been authenticated by the user.
Verification can be shut off with the flag --ignore-owner-check if
(for example) you’re installing a gem without a network connection.
Other Minor Improvements
-
–trust now automatically assumes that you want to verify. You
don’t need both flags. -
We provide installer links if we can’t detect a working copy of
gpg. -
Added --trust option to the
gem verifycommand. -
We properly display OpenPGP short ids as 8 characters of hex, not
nine.
Learn More at the rubygems-openpgp Certificate Authority
Several guides, walkthroughs, and documents explaining my motivations
are available at the rubygems-openpgp Certificate
Authority.
Note that use of the Certificate Authority itself is entirely
optional; users of rubygems-openpgp can apply whatever trust model
they wish when verifying gems.
Verifying Your Initial Install
Existing users of rubygems-openpgp can verify the install with
rubygems-openpgp itself:
gem install rubygems-openpgp --verify --trust
It is recommended that new users fetch the gem and verify it against a
detached signature. Instructions on how to do so can be found at the
Guide to Verifying Your Initial
Install.
Detached signature for the 0.6.0 release
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (GNU/Linux)
iQEcBAABAgAGBQJRRf0qAAoJEP5F5V2hilTWnhwIAIeCxmyiUT4C7/VPLvpwPypX
IGrhaA3hZZzknAh2MxKx+OPiWDt7ynvSlfdbdYbkSbiKv4ho4husLrhfGV7COKws
HImXCE4SF+Zhb2WifI7haSCRfrZ4M0z/4adalcB4GpkDRmRYuw1RI92PDLOADLSD
u80FPfEF2ekRJqFAUU1Ayzpl8MCfl8e6uzj2CZ8CKtceApb6HZbdWA/jhvuIjXXM
tJDAE22rugFw8ba6e9iinFHYpo9XYMG551YzR70lAqWXtxjgAM3jVDGlAXpkQGxM
9WTas7RRYmLH1h+JvB/DFR61oZaC3gzBP1IS42KOnXywwcq/rK6/CltPf6MZtco=
=aA4r
- -----END PGP SIGNATURE-----
Enjoy
-
- Grant
-
- Grant
https://www.rubygems-openpgp-ca.org/ Sign your gems.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (GNU/Linux)
iQEcBAEBAgAGBQJRRuWFAAoJEP5F5V2hilTW3okH/juYflRSM7oBV+PI1ltk8N9w
wNtQxv94oApLGmo0nvVYLJzoJzRkiLYsbgCQPE938ZfhMqWlrAxXue95qlw52KrS
irr7ikyoq6fgGlHIwI5jWU04cEArDdHk77gBufJk6ZJ9fEOQ7Tr0M72pIJAotqmU
d1D/mlN6ryKtgmtZo3exyCwngyFJpkXTdhIY1iQ0C/iLWzAXNq88gAWvjrSf5xkt
QORJKQqNY6vl3QXKFs95oCYpIZ4xn0rWhLWEu8qJmnhvM+YR3ujsKmPC+/SzFLYE
JsrUhr4fIzmBIDql4FWl4xnb2GWs+KUM3+ABRPtxfMij4B5lF6Vjh/7FF+82HwA=
=o8yF
-----END PGP SIGNATURE-----