[Rubygems-developers] [PATCH] Add Gem Signing Support to RubyGems
Marcel Molina Jr.
marcel at vernix.org
Wed Apr 27 11:07:38 EDT 2005
On Tue, Apr 26, 2005 at 04:22:26PM -0400, Paul Duncan wrote:
> Hi Everyone,
> Attached is a patch against RubyGems 0.8.10 that adds cryptographic
> signature support to Ruby Gems via OpenSSL. Attached to this email
> (and included in the patch under doc/) is some fairly detailed and
> (hopefully) straightforward documentation explaining how to adjust your
> security policy, create a gem signing certificate, and sign your own
> These changes should be backwards compatible (ie, signed gems will work
> properly in older versions of Ruby Gems).
> The patch (and PGP signature) are also available online at the following
> PS. I let Chad know that this patch was coming a couple weeks ago, so if
> it doesn't apply clean for any reason, he's the one to throw rocks at,
> not me! :)
Wow. This is really, *really* awesome. Thanks so much. The docs themselves
are worth the price of admission.
>From the Bugs/TODO section:
* right now I'm using ENV['HOME'] + '.rubygems/trust' for the trusted
cert list. this has a couple of problems: it won't work in windows,
and there's no way to define a system-wide trust list.
The code base provides Gem#find_home, which seems to do a pretty good job of
being platform agnostic.
Reminder: Your great work is really appreciated.
Marcel Molina Jr. <marcel at vernix.org>
More information about the Rubygems-developers