Signing the gem with a PGP key

Eric Wong normalperson at
Mon Mar 11 22:48:12 UTC 2013

Hongli Lai <hongli at> wrote:
> After the recent hack it became clear that something
> needs to be done about authenticating gems. One of the efforts that
> was launched is We at Phusion
> have just finished signing all our gems and repositories with our PGP
> key, and our PGP key has been verified and signed by this CA.
> It would be great if Unicorn can participate as well by signing future
> releases. If you already use GnuPG then the process is extremely
> straightforward.

Can we designate gems to be signed by a trusted third party (e.g. you?)
That's how Debian (and presumably other OS distros) work.

_Nobody_ should trust me.  I have and maintain zero credibility.
The only credibility any unicorn has is what its users give it.

