[Rubygems-developers] [PATCH] Add Gem Signing Support to RubyGems

Marcel Molina Jr. marcel at vernix.org
Wed Apr 27 11:07:38 EDT 2005

On Tue, Apr 26, 2005 at 04:22:26PM -0400, Paul Duncan wrote:
> Hi Everyone,
> Attached is a patch against RubyGems 0.8.10 that adds cryptographic
> signature support to Ruby Gems via OpenSSL.  Attached to this email
> (and included in the patch under doc/) is some fairly detailed and
> (hopefully) straightforward documentation explaining how to adjust your
> security policy, create a gem signing certificate, and sign your own
> gems.
> These changes should be backwards compatible (i.e., signed gems will work
> properly in older versions of Ruby Gems).
> The patch (and PGP signature) are also available online at the following
> URLs:
>   http://pablotron.org/files/rubygems-0.8.10-sign.diff.gz
>   http://pablotron.org/files/rubygems-0.8.10-sign.diff.gz.asc
> PS. I let Chad know that this patch was coming a couple weeks ago, so if
> it doesn't apply clean for any reason, he's the one to throw rocks at,
> not me! :)

Wow. This is really, *really* awesome. Thanks so much. The docs themselves
are worth the price of admission. 

From the Bugs/TODO section:
  * right now I'm using ENV['HOME'] + '.rubygems/trust' for the trusted
    cert list.  this has a couple of problems: it won't work in windows,
    and there's no way to define a system-wide trust list.

The code base provides Gem#find_home, which seems to do a pretty good job of
being platform agnostic. 

Reminder: Your great work is really appreciated.
Marcel Molina Jr. <marcel at vernix.org>
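
The trusted-cert-list location problem raised in the Bugs/TODO item above, worked through as an added example; it is not part of the original message or of the patch. The names `home_from_env`, `trust_dirs`, `usable_trust_dir?`, `first_usable_trust_dir` and the `/etc/rubygems/trust` path are hypothetical, and the permission check assumes POSIX mode bits.

```ruby
# Added illustration, not code from the RubyGems signing patch.
# Hypothetical system-wide location; the thread does not define one.
SYSTEM_TRUST_DIR = '/etc/rubygems/trust'

# Pick a home directory from an environment hash without assuming HOME is
# set: fall back to USERPROFILE, then HOMEDRIVE + HOMEPATH (Windows).
def home_from_env(env)
  %w[HOME USERPROFILE].each do |key|
    value = env[key].to_s
    return value unless value.empty?
  end
  drive = env['HOMEDRIVE'].to_s
  path = env['HOMEPATH'].to_s
  return drive + path unless drive.empty? || path.empty?
  nil
end

# Candidate trust directories: per-user first, then system-wide.
# Path parts are joined with File.join, not string concatenation.
def trust_dirs(env, system_dir = SYSTEM_TRUST_DIR)
  dirs = []
  home = home_from_env(env)
  dirs << File.join(home.gsub('\\', '/'), '.rubygems', 'trust') if home
  dirs << system_dir if system_dir
  dirs
end

# Accept a trust directory only if it exists and is not group- or
# world-writable, so other local users cannot add certificates to it.
def usable_trust_dir?(path)
  File.directory?(path) && (File.stat(path).mode & 0o022).zero?
end

# First candidate that passes the check, or nil if none does.
def first_usable_trust_dir(env, system_dir = SYSTEM_TRUST_DIR)
  trust_dirs(env, system_dir).find { |dir| usable_trust_dir?(dir) }
end
```

Passing the environment in as a hash (for example `ENV.to_h`) keeps the lookup order testable on any platform.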
