Signing a gem package


#1

Hello,

I would like to sign my gem package that I am going to distribute soon.
My question is, why will people trust my certificate?
How can I make my certificate trustworthy to people? Of course, without
spending any money!!

Thanks,
Mohammad


#2
Mohammad K. (removed_email_address@domain.invalid) wrote:

> Hello,
>
> I would like to sign my gem package that I am going to distribute soon.
> My question is, why will people trust my certificate?
> How can I make my certificate trustworthy to people? Of course, without
> spending any money!!

I had hoped some sort of Rubygems public key infrastructure (PKI) would
materialize (I talk about that a little in the gem signing documentation,
and suggested a hypothetical geographic system).

Since this One True RubyGems PKI ™ hasn’t materialized, you could
include a PGP fingerprint (or public key) in the gem itself, sign the
root issuing certificate (if there’s only one certificate involved,
then it’s self-signed, and it is the root certificate) with the PGP key,
post the signature online, and distribute your PGP public key via PGP
keyservers.

Obviously that doesn’t really mitigate the trust issue; a PGP-signed
signature of an X509 certificate really only verifies that the PGP
signer is vouching for the X509 certificate in question. It doesn’t
provide any indication that the PGP signer or the certificate owner is
who they say they are, is who you think they are, or (most importantly)
whether you can trust either.

Unlike traditional X509-based PKI (the trust model used in Rubygems),
PGP has a distributed trust model (versus the hierarchical X509 model),
and an established decentralized key distribution infrastructure (versus
X509, which is almost always centralized).

The advantage to this method is that you’re leveraging PGP’s
distributed trust model for X509 certificate distribution, and the
RubyGems gem signing for simplicity (e.g., once users have the X509
certificate/X509 certificate chain loaded into rubygems, they don’t
have to hand-verify each gem released by you any more).

Ultimately, trust is a client-side issue. Your certificate may be signed,
verified, validated, and trusted up the wazoo, and end users still might
not trust it, for whatever reason.

Hope that helps, and sorry about the long-winded response!
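The scheme sketched in the reply above (a self-signed root certificate for gem signing, its fingerprint published, and a detached signature by a separate key vouching for that certificate), as an added Ruby example that is not part of the thread or of RubyGems itself. It assumes a second RSA key standing in for the PGP key so it runs offline, and the email address is a placeholder; the last check shows that a vouch signature only binds the vouching key to the certificate, nothing more.

```ruby
require "openssl"

# Build a self-signed root certificate, the same shape `gem cert --build` produces.
# Added example; not RubyGems' own code.
def build_self_signed_root(email, key)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.new([["CN", email]])
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + 365 * 24 * 3600
  ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
  cert.add_extension(ef.create_extension("basicConstraints", "CA:TRUE", true))
  cert.add_extension(ef.create_extension("keyUsage", "keyCertSign,digitalSignature", true))
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  cert
end

# SHA-256 fingerprint of the DER certificate: the value you would ship in the gem
# and publish next to the PGP signature so users can compare what they downloaded.
def fingerprint(cert)
  OpenSSL::Digest::SHA256.hexdigest(cert.to_der).scan(/../).join(":")
end

# A root certificate is self-signed: issuer equals subject and it verifies under its own key.
def self_signed?(cert)
  cert.issuer == cert.subject && cert.verify(cert.public_key)
end

# Detached signature over the certificate DER by a second key. In the thread this is the
# PGP key; a plain RSA key stands in here (assumption, so the example runs offline).
def vouch(cert, voucher_key)
  voucher_key.sign(OpenSSL::Digest.new("SHA256"), cert.to_der)
end

# Verifying the vouch proves only that this particular key signed this certificate.
def vouch_valid?(cert, signature, voucher_pubkey)
  voucher_pubkey.verify(OpenSSL::Digest.new("SHA256"), signature, cert.to_der)
end

if __FILE__ == $0
  author_key  = OpenSSL::PKey::RSA.new(2048)   # key behind gem-private_key.pem
  voucher_key = OpenSSL::PKey::RSA.new(2048)   # stand-in for the PGP signing key
  cert = build_self_signed_root("author@example.invalid", author_key)  # placeholder address
  puts "self-signed root: #{self_signed?(cert)}"
  puts "fingerprint: #{fingerprint(cert)}"
  sig = vouch(cert, voucher_key)
  puts "vouch verifies under voucher key: #{vouch_valid?(cert, sig, voucher_key.public_key)}"
  puts "vouch verifies under author key:  #{vouch_valid?(cert, sig, author_key.public_key)}"
end
```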