Initial TUF integration with RubyGems
bascule at gmail.com
Wed Nov 20 19:28:38 UTC 2013
One thing to note is that we're using RSASSA PKCS#1 v1.5 with SHA-512, for
Ruby doesn't support RSASSA-PSS. I don't think this is problematic though:
there aren't known attacks on PKCS#1 v1.5 for digital signatures, and the
scheme is deterministic, which is arguably desirable.
On Wed, Nov 20, 2013 at 11:04 AM, Tony Arcieri <bascule at gmail.com> wrote:
> Hi there! The team here at Square has some code for you to look at if
> you'd like to perform some initial review.
> We're committing to the "tuf" branch on the Square fork of RubyGems and
> So far the server contains the main code spike, including the code
> necessary to generate TUF metadata and download and verify a gem.
> You can find the client here:
> We'll be moving this code into the RubyGems client, which is a bit tricky
> as we can only depend on the standard library and still need to work on
> ancient versions of Ruby that don't even ship a JSON parser.
> Tony Arcieri
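The signature scheme the message settles on, shown as an added example rather than code from the Square RubyGems fork: RSASSA-PKCS#1 v1.5 over SHA-512 using only Ruby's standard library, with a check that the scheme is deterministic. The key, the metadata hash and the use of plain `JSON.generate` (TUF itself specifies canonical JSON) are assumptions of the example.

```ruby
# Added example, not from the RubyGems "tuf" branch: sign and verify TUF-style
# metadata with RSASSA-PKCS#1 v1.5 / SHA-512 from Ruby's standard library.
require 'openssl'
require 'json'

# Constructed key for the example; a real TUF key would be loaded from disk.
SIGNING_KEY = OpenSSL::PKey::RSA.new(2048)
# Verifier side only ever sees the public half.
PUBLIC_KEY  = OpenSSL::PKey::RSA.new(SIGNING_KEY.public_key.to_der)

# Constructed stand-in for a TUF targets role; real TUF uses canonical JSON.
SAMPLE_METADATA = { 'signed' => { '_type' => 'targets', 'version' => 1 } }

def serialize(metadata)
  JSON.generate(metadata)
end

# OpenSSL::PKey::RSA#sign with a digest performs RSASSA-PKCS1-v1_5.
def sign_metadata(metadata, key = SIGNING_KEY)
  key.sign(OpenSSL::Digest.new('SHA512'), serialize(metadata))
end

# Returns true/false; a malformed signature raises in some OpenSSL versions,
# so treat that as a failed verification rather than a crash.
def verify_metadata(metadata, signature, key = PUBLIC_KEY)
  key.verify(OpenSSL::Digest.new('SHA512'), signature, serialize(metadata))
rescue OpenSSL::PKey::PKeyError
  false
end

# PKCS#1 v1.5 has no random salt: signing the same bytes with the same key
# twice yields byte-identical signatures (PSS would not).
def deterministic?(metadata)
  sign_metadata(metadata) == sign_metadata(metadata)
end

if __FILE__ == $PROGRAM_NAME
  sig = sign_metadata(SAMPLE_METADATA)
  puts "signature bytes: #{sig.bytesize}"
  puts "verifies:        #{verify_metadata(SAMPLE_METADATA, sig)}"
  puts "deterministic:   #{deterministic?(SAMPLE_METADATA)}"
end
```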