rubygems-openpgp

Information for gem users and gem developers is slowly and surely migrating to the rubygems-openpgp Certificate Authority. You probably want to go there unless you're interested in working on the plugin itself.

Software Assurance

To assure the validity of any software package, you need to:

  • Verify that the package has not been corrupted or maliciously tampered with by verifying the file's checksum.

  • Verify that the checksum has not been tampered with by validating a digital signature of that checksum.

  • Verify that the digital signature was produced by the package's publisher by authenticating the public key that was used to generate the digital signature.

If you can't do this, you can't verify the integrity of the package.

This gem allows cryptographic signing of Ruby gems with OpenPGP instead of the current built-in signing method, which uses X.509 certificates.

Read more about why we should use OpenPGP. Here are the slides and video from a lightning talk I did at Pittsburgh.rb.

Prerequisites

A working installation of gpg.

An OpenPGP private key is required to sign gems, but not to verify.

Getting started with gpg.

Signing example

gem build openpgp_signed_hola.gemspec --sign
gem push openpgp_signed_hola-0.0.0.gem

Verification Example

A detailed walkthrough of verification is available at The Complete Guide to Verifying Gems with rubygems-openpgp.

TLDR?

A test gem openpgp_signed_hola is on rubygems.org. To try out this extension:

gem install openpgp_signed_hola-0.0.0.gem --trust --get-key

But That Just Failed!

You probably don't trust my public key. More information is available at The Complete Guide to Verifying Gems with rubygems-openpgp.

Verifying your initial install

You can verify your initial install with a detached signature. Here's how.
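The following is an added example, not part of rubygems-openpgp, that walks through the three assurance steps from the Software Assurance section using a detached signature over a checksum file. It builds a throwaway key in an ephemeral GNUPGHOME and a constructed stand-in gem file; the names example-0.0.0.gem, SHA256SUMS and publisher@example.invalid are assumptions, and the publisher's fingerprint stands in for one you would obtain out of band.

```shell
#!/bin/sh
# Added example (not rubygems-openpgp code): the checksum -> signature -> key
# chain, verified against a constructed gem with a throwaway signing key.
set -eu

# Ephemeral keyring so the real ~/.gnupg is never touched.
GNUPGHOME=$(mktemp -d); export GNUPGHOME; chmod 700 "$GNUPGHOME"
WORK=$(mktemp -d)
trap 'gpgconf --kill gpg-agent 2>/dev/null || true; rm -rf "$GNUPGHOME" "$WORK"' EXIT

# Constructed stand-in for a gem file (assumed name, fake contents).
printf 'fake gem contents\n' > "$WORK/example-0.0.0.gem"

# Throwaway publisher key (assumed identity); no passphrase for batch use.
gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
    --quick-generate-key 'Example Publisher <publisher@example.invalid>' default default never
# The fingerprint a user would obtain from the publisher out of band.
PUBLISHER_FPR=$(gpg --batch --with-colons --list-keys 'publisher@example.invalid' \
    | awk -F: '$1=="fpr"{print $10; exit}')

# Publisher side: checksum of the gem, then a detached signature over the checksum file.
( cd "$WORK" && sha256sum example-0.0.0.gem > SHA256SUMS )
gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
    --armor --detach-sign --output "$WORK/SHA256SUMS.asc" "$WORK/SHA256SUMS"

# verify_package DIR EXPECTED_FINGERPRINT
# Returns 0 only when all three checks pass; any failure returns 1.
verify_package() {
    dir=$1; expected_fpr=$2
    # Signature check: gpg --verify fails unless SHA256SUMS.asc is a valid
    # signature over SHA256SUMS by some key in the keyring.
    status=$(gpg --batch --status-fd 1 --verify "$dir/SHA256SUMS.asc" "$dir/SHA256SUMS" 2>/dev/null) \
        || return 1
    # Key authentication: the VALIDSIG status line carries the signing key's
    # fingerprint; it must equal the one obtained from the publisher.
    sig_fpr=$(printf '%s\n' "$status" | awk '$2=="VALIDSIG"{print $3; exit}')
    [ "$sig_fpr" = "$expected_fpr" ] || return 1
    # Integrity check: the gem on disk must match the signed checksum.
    ( cd "$dir" && sha256sum --check --quiet SHA256SUMS ) || return 1
    return 0
}

verify_package "$WORK" "$PUBLISHER_FPR" && echo "all three checks passed"
```

A tampered gem, a signature from a different key, or a mismatched fingerprint each make verify_package return 1, so the chain fails closed.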