To assure the validity of any software package, you need to:

- Verify that the package has not been corrupted or maliciously tampered with by verifying the file's checksum.
- Verify that the checksum has not been tampered with by validating a digital signature of that checksum.
- Verify that the digital signature was produced by the package's publisher by authenticating the public key that was used to generate the digital signature.

If you can't do this, you can't verify the integrity of the package.
This gem allows cryptographic signing of ruby gems with OpenPGP instead of the current built-in signing method involving X.509.
Read more about why we should use OpenPGP. Here are the slides and video from a lightning talk I did at Pittsburgh.rb.
A working installation of gpg.
An OpenPGP private key is required to sign gems, but not to verify.
```shell
gem build openpgp_signed_hola.gemspec --sign
gem push openpgp_signed_hola-0.0.0.gem
```
A test gem openpgp_signed_hola is on rubygems.org. To try out this extension:
```shell
gem install openpgp_signed_hola-0.0.0.gem --trust --get-key
```
You probably don't trust my public key. More information is available at The Complete Guide to Verifying Gems with rubygems-openpgp
A detailed walkthrough of verification is available at The Complete Guide to Verifying Gems with rubygems-openpgp
You can verify your initial install with a detached signature. Here's how.
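The three-step chain at the top of this page (checksum, detached signature over the checksum, authenticated publisher key) and the detached-signature check referred to here, as an added example that is not part of rubygems-openpgp. It generates an OpenSSL RSA key on the spot as a stand-in for the publisher's OpenPGP key so it runs without gpg, uses a constructed byte string in place of the .gem file, and all names (`PACKAGE_NAME`, `publish`, `verify_package`, `ROGUE_KEY`) are hypothetical; the checks and the failure each one catches are the same ones gpg performs on a real signature.

```ruby
require 'openssl'
require 'digest'

# Constructed stand-in for the bytes of a .gem file; the name is hypothetical.
PACKAGE_NAME = 'openpgp_signed_hola-0.0.0.gem'.freeze
PACKAGE      = 'constructed gem archive bytes'.b.freeze

# Hypothetical publisher key. An OpenSSL RSA key stands in for the publisher's
# OpenPGP key so this runs without gpg; the shape of the chain is identical.
PUBLISHER_KEY = OpenSSL::PKey::RSA.new(2048)
PUBLISHER_PUB = OpenSSL::PKey::RSA.new(PUBLISHER_KEY.public_key.to_der)

# A fingerprint is a hash of the public key material. The verifier obtains it
# out of band (publisher's site, key server, in person) and pins it locally.
def fingerprint(key)
  Digest::SHA256.hexdigest(key.public_key.to_der)
end
TRUSTED_FINGERPRINT = fingerprint(PUBLISHER_PUB)

# Publisher side: hash the package, write a checksum file, and produce a
# detached signature over that file (what `gem build --sign` does via gpg).
def publish(package, private_key)
  checksum_file = "#{Digest::SHA256.hexdigest(package)}  #{PACKAGE_NAME}\n"
  signature = private_key.sign(OpenSSL::Digest.new('SHA256'), checksum_file)
  { checksum_file: checksum_file, signature: signature }
end

# Verifier side: the three checks from the README, run in the order that makes
# each meaningful (a valid signature means nothing until the key is trusted).
# Returns [ok, reason].
def verify_package(package, checksum_file, signature, public_key, trusted_fingerprint)
  # 3. Authenticate the public key against the pinned fingerprint.
  return [false, 'untrusted key'] unless fingerprint(public_key) == trusted_fingerprint

  # 2. Validate the detached signature over the checksum file.
  digest = OpenSSL::Digest.new('SHA256')
  return [false, 'bad signature'] unless public_key.verify(digest, signature, checksum_file)

  # 1. Compare the package's checksum with the signed one.
  expected = checksum_file.split.first
  return [false, 'checksum mismatch'] unless Digest::SHA256.hexdigest(package) == expected

  [true, 'ok']
end

PUBLISHED = publish(PACKAGE, PUBLISHER_KEY)

# Genuine package, genuine signature, pinned key.
def verify_genuine
  verify_package(PACKAGE, PUBLISHED[:checksum_file], PUBLISHED[:signature],
                 PUBLISHER_PUB, TRUSTED_FINGERPRINT)
end

# Package bytes altered in transit: the signed checksum no longer matches.
def verify_tampered_package
  verify_package(PACKAGE + 'x'.b, PUBLISHED[:checksum_file], PUBLISHED[:signature],
                 PUBLISHER_PUB, TRUSTED_FINGERPRINT)
end

# Checksum file rewritten to match the altered package, but only the original
# signature exists: the signature check fails.
def verify_tampered_checksum
  altered = PACKAGE + 'x'.b
  forged  = "#{Digest::SHA256.hexdigest(altered)}  #{PACKAGE_NAME}\n"
  verify_package(altered, forged, PUBLISHED[:signature], PUBLISHER_PUB, TRUSTED_FINGERPRINT)
end

# Package, checksum file and signature all produced with a different key (a
# constructed, unpinned one): internally consistent, rejected at step 3.
ROGUE_KEY = OpenSSL::PKey::RSA.new(2048)
def verify_untrusted_key
  altered  = PACKAGE + 'x'.b
  resigned = publish(altered, ROGUE_KEY)
  verify_package(altered, resigned[:checksum_file], resigned[:signature],
                 OpenSSL::PKey::RSA.new(ROGUE_KEY.public_key.to_der), TRUSTED_FINGERPRINT)
end

if __FILE__ == $PROGRAM_NAME
  puts "genuine:           #{verify_genuine.inspect}"
  puts "tampered package:  #{verify_tampered_package.inspect}"
  puts "tampered checksum: #{verify_tampered_checksum.inspect}"
  puts "untrusted key:     #{verify_untrusted_key.inspect}"
end
```

The `--get-key` and `--trust` flags on the page correspond to step 3: fetching a key is not the same as trusting it, and the fingerprint pin is what turns a downloaded key into an authenticated one. With gpg, the same chain is `gpg --verify` of the detached signature plus a fingerprint comparison against a value obtained from somewhere other than the download itself.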