Forum: Ruby signing a gem package

Mohammad Khan (Guest)
on 2005-12-21 17:56
(Received via mailing list)
Hello,

I would like to sign my gem package that I am going to distribute soon.
My question is, why would people trust my certificate?
How can I make my certificate trustworthy to people? Of course, without
spending any money!!


Thanks,
Mohammad
Paul Duncan (Guest)
on 2005-12-21 20:24
(Received via mailing list)
* Mohammad Khan (beeplove@gmail.com) wrote:
> Hello,
>
> I would like to sign my gem package that I am going to distribute soon.
> My question is, why would people trust my certificate?
> How can I make my certificate trustworthy to people? Of course, without
> spending any money!!

I had hoped some sort of Rubygems public key infrastructure (PKI) would
materialize (I talk about that a little in the gem signing documentation,
and suggested a hypothetical geographic system).

Since this One True RubyGems PKI (tm) hasn't materialized, you could
include a PGP fingerprint (or public key) in the gem itself, sign the
root issuing certificate (if there's only one certificate involved,
then it's self-signed, and it is the root certificate) with the PGP key,
post the signature online, and distribute your PGP public key via PGP
keyservers.

Obviously that doesn't really mitigate the trust issue; a PGP-signed
signature of an X509 certificate really only verifies that the PGP
signer is vouching for the X509 certificate in question.  It doesn't
provide any indication that the PGP signer or the certificate owner is
who they say they are, is who you think they are, or (most importantly)
whether you can trust either.

Unlike traditional X509-based PKI (the trust model used in Rubygems),
PGP has a distributed trust model (versus the hierarchical X509 model),
and an established decentralized key distribution infrastructure (versus
X509, which is almost always centralized).

The advantage to this method is that you're leveraging PGP's
distributed trust model for X509 certificate distribution, and the
RubyGems gem signing for simplicity (e.g., once users have the X509
certificate/X509 certificate chain loaded into rubygems, they don't
have to hand-verify each gem released by you any more).

Ultimately, trust is a client-side issue.  Your certificate may be signed,
verified, validated, and trusted up the wazoo, and end users still might
not trust it, for whatever reason.

Hope that helps, and sorry about the long-winded response!
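The two checks the reply implies on the user's side are (1) that the X509 certificate shipped with the gem is the one the maintainer published out of band (the thread suggests publishing its fingerprint under a PGP signature), and (2) that the gem payload's signature verifies under that certificate. The script below is an added example, not code from the thread or from RubyGems itself: it uses only Ruby's bundled OpenSSL library to build a self-signed signing certificate of the kind RubyGems uses, sign a constructed payload, and run both checks. The subject name `maintainer@example.invalid`, the payload string and the `:ok`/`:fingerprint_mismatch` result symbols are all made up for the example; the PGP step (signing the fingerprint and posting it) is outside the script and represented only by the `published_fingerprint` argument.

```ruby
require 'openssl'

# Build an RSA key and a self-signed X509 certificate. With a single
# certificate, issuer == subject and it is the root of its own chain,
# exactly the case the reply describes. Subject name is made up.
def build_self_signed_cert(subject_email = 'maintainer@example.invalid')
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{subject_email}")
  cert.issuer     = cert.subject          # self-signed
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 365 * 24 * 3600
  ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  cert.add_extension(ef.create_extension('keyUsage', 'digitalSignature,keyCertSign', true))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [key, cert]
end

# Maintainer side: sign the gem payload with the private key.
def sign_payload(key, data)
  key.sign(OpenSSL::Digest.new('SHA256'), data)
end

# SHA-256 fingerprint of the DER-encoded certificate. This is the value a
# maintainer would publish out of band (e.g. PGP-signed, per the reply) and
# a user would compare against the certificate found inside the gem.
def cert_fingerprint(cert)
  OpenSSL::Digest.new('SHA256').hexdigest(cert.to_der)
end

# User side: verify a gem's signature. Returns a symbol naming the first
# check that failed, or :ok. Symbols are made up for this example.
def verify_gem_signature(cert, signature, data, published_fingerprint)
  # 1. Is this the certificate the maintainer actually published?
  return :fingerprint_mismatch unless cert_fingerprint(cert) == published_fingerprint
  # 2. A self-signed root must verify under its own public key.
  return :bad_cert unless cert.verify(cert.public_key)
  # 3. Certificate must be within its validity window.
  now = Time.now
  return :expired unless cert.not_before <= now && now <= cert.not_after
  # 4. The signature must match the payload under the certificate's key.
  digest = OpenSSL::Digest.new('SHA256')
  return :bad_signature unless cert.public_key.verify(digest, signature, data)
  :ok
end

if __FILE__ == $PROGRAM_NAME
  key, cert = build_self_signed_cert
  payload   = 'constructed gem payload'          # stands in for the gem's tar data
  sig       = sign_payload(key, payload)
  fp        = cert_fingerprint(cert)             # what the maintainer publishes
  puts "fingerprint: #{fp}"
  puts "genuine gem:  #{verify_gem_signature(cert, sig, payload, fp)}"
  puts "tampered gem: #{verify_gem_signature(cert, sig, payload + 'x', fp)}"
  puts "wrong cert:   #{verify_gem_signature(cert, sig, payload, '00' * 32)}"
end
```

The fingerprint comparison is the step that turns the PGP web of trust into something the X509 check can use: without it, a verifier only learns that some self-signed certificate signed the gem, which is exactly the gap the reply points out.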