Forum: Ruby rubygems-openpgp 0.5.0 released - Now with key continuity checks.

Grant Olson (Guest)
on 2013-03-10 15:46
(Received via mailing list)

rubygems-openpgp 0.5.0 Released
===============================

rubygems-openpgp is a rubygems plugin that allows you to sign and
verify your gems with OpenPGP.

Verifying is as simple as:

    gem install openpgp_signed_hola --verify --trust

Signing is as simple as:

    gem build foo.gemspec --sign

Now with ssh-style Key Continuity Checks!
-----------------------------------------

rubygems-openpgp now tracks the keys used to sign your gems and will
error out if the signing key for a given gem has changed.  This works
the same way ssh does when you connect to a host where the key has
changed.

You can then investigate, and assuming the key change is valid, you
can remove the appropriate entry in ~/.rubygems-openpgp/known_gems to
allow installation to complete.

Other Minor Improvements
------------------------

* Gem name is shown before verification status.  Previously it was
  confusing to see multiple verification messages when gem
  dependencies were verified.

* Generic gpg code was extracted into the gpg_status_parser gem for
  easier re-use.

* Signing/verifying now skips X.509 signatures if they exist.  We only
  sign/verify the real payload.

* Minor improvements for Windows users.  We don't output invalid
  Unix-style color codes on Windows, or print stuff like '~/path' that
  doesn't make sense on Windows.

Learn More at the rubygems-openpgp Certificate Authority
--------------------------------------------------------

Several guides, walkthroughs, and documents explaining my motivations
are available at the [rubygems-openpgp Certificate
Authority](http://www.rubygems-openpgp-ca.org).

Note that use of the Certificate Authority itself is entirely
optional; users of rubygems-openpgp can apply whatever trust model
they wish when verifying gems.

Verifying Your Initial Install
------------------------------

Existing users of rubygems-openpgp can verify the install with
rubygems-openpgp itself:

    gem install rubygems-openpgp --verify --trust

It is recommended that new users fetch the gem and verify it against a
detached signature.  Instructions on how to do so can be found at the
[Guide to Verifying Your Initial Install](http://bit.ly/13NxsNI).

### Detached signature for the 0.5.0 release


Enjoy
-----

- Grant
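The ssh-style key continuity check described in the announcement, as an added example that is not rubygems-openpgp's own code: a small known_gems store in Ruby that records the fingerprint of the key that signed each gem, accepts a repeat of the same key, and errors out when the key changes, until the entry is forgotten after the change has been investigated. The one-record-per-line `gem_name fingerprint` layout and the class names are assumptions; the real plugin's file format under ~/.rubygems-openpgp/known_gems may differ.

```ruby
require "fileutils"

# Added example, not the plugin's own code. Plays the role of ssh's
# known_hosts for gem signing keys. The "gem_name fingerprint" line
# layout is an assumption about ~/.rubygems-openpgp/known_gems.
class KeyContinuityError < StandardError; end

class KnownGems
  def initialize(path)
    @path = path
    @entries = load
  end

  # :new  -> first time this gem is seen; the key is recorded
  # :ok   -> the recorded key matches the key that signed this gem
  # raises KeyContinuityError when the signing key has changed
  def check!(gem_name, fingerprint)
    fpr = fingerprint.delete(" ").upcase  # normalise "ABCD 1234" / "abcd1234"
    known = @entries[gem_name]
    if known.nil?
      @entries[gem_name] = fpr
      save
      :new
    elsif known == fpr
      :ok
    else
      raise KeyContinuityError,
            "signing key for #{gem_name} changed: expected #{known}, got #{fpr}"
    end
  end

  # Drop a gem's recorded key once a key change has been confirmed as
  # legitimate, so the next install records the new key.
  def forget(gem_name)
    @entries.delete(gem_name)
    save
  end

  private

  def load
    return {} unless File.exist?(@path)
    File.readlines(@path, chomp: true).each_with_object({}) do |line, h|
      name, fpr = line.split(" ", 2)
      h[name] = fpr if name && fpr
    end
  end

  def save
    FileUtils.mkdir_p(File.dirname(@path))
    File.write(@path, @entries.map { |n, f| "#{n} #{f}\n" }.join)
  end
end
```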
Grant Olson (Guest)
on 2013-03-10 19:01
(Received via mailing list)

On 03/10/2013 10:45 AM, Grant Olson wrote:
> rubygems-openpgp 0.5.0 Released
> ===============================

And... 0.5.1 wasn't far behind.

I just did a release to fix a minor issue where a Windows user
couldn't re-sign a gem generated on a Linux box.  This should not
affect most users; however, you will need to use a new detached
signature to verify the initial install:
