Initial TUF integration with RubyGems

Tony Arcieri bascule at gmail.com
Wed Nov 20 19:28:38 UTC 2013


One thing to note is we're using RSASSA PKCS#1 v1.5 with SHA-512 for
digital signatures:

https://github.com/square/rubygems/blob/tuf/lib/rubygems/tuf/signer.rb#L25

Ruby doesn't support RSASSA-PSS. I don't think this is problematic though:
there aren't known attacks on PKCS#1 v1.5 for digital signatures, and the
scheme is deterministic which is arguably desirable.


On Wed, Nov 20, 2013 at 11:04 AM, Tony Arcieri <bascule at gmail.com> wrote:

> Hi there! The team here at Square has some code for you to look at if
> you'd like to perform some initial review.
>
> We're committing to the "tuf" branch on the Square fork of RubyGems and
> RubyGems.org:
>
> https://github.com/square/rubygems/commits/tuf
> https://github.com/square/rubygems.org/commits/tuf
>
> So far the server contains the main code spike, including the code
> necessary to generate TUF metadata and download and verify a gem.
>
> You can find the client here:
>
>
> https://github.com/square/rubygems.org/blob/tuf/script/fetch-me-a-gem-with-tuf
>
> We'll be moving this code into the RubyGems client, which is a bit tricky
> as we can only depend on the standard library and still need to work on
> ancient versions of Ruby that don't even ship a JSON parser.
>
> --
> Tony Arcieri
>



-- 
Tony Arcieri
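
The signature scheme named in the message above, as an added example that is not part of the original e-mail and is not the code in the Square branch's signer.rb. It uses only Ruby's standard-library OpenSSL binding; the key is a throwaway generated on the spot, and the sample document and helper names are constructed for illustration. It signs with RSASSA PKCS#1 v1.5 over SHA-512, shows that signing the same bytes twice gives the same signature, and recovers the DigestInfo from the signature to confirm which hash it commits to.

```ruby
require "openssl"

# Constructed sample input standing in for serialized metadata bytes.
SAMPLE_DOCUMENT = '{"constructed":"sample metadata","version":1}'
SHA512_OID = "2.16.840.1.101.3.4.2.3" # id-sha512, RFC 8017

# RSA#sign applies RSASSA-PKCS1-v1_5 padding to the SHA-512 DigestInfo.
def sign_document(key, data)
  key.sign(OpenSSL::Digest.new("SHA512"), data)
end

# Returns true only for a well-formed signature over exactly these bytes.
def valid_signature?(public_key, signature, data)
  public_key.verify(OpenSSL::Digest.new("SHA512"), signature, data)
rescue OpenSSL::PKey::PKeyError
  false # a malformed signature counts as a verification failure
end

# Strips the type-1 padding and returns [hash OID, digest] from the
# DER-encoded DigestInfo inside the signature.
def recover_digest_info(public_key, signature)
  der = public_key.public_decrypt(signature, OpenSSL::PKey::RSA::PKCS1_PADDING)
  algorithm, digest = OpenSSL::ASN1.decode(der).value
  [algorithm.value.first.oid, digest.value]
end

if __FILE__ == $PROGRAM_NAME
  key = OpenSSL::PKey::RSA.new(2048) # throwaway key for the demonstration
  pub = key.public_key
  sig = sign_document(key, SAMPLE_DOCUMENT)

  # Deterministic: no per-signature randomness, so the bytes repeat.
  puts "deterministic: #{sig == sign_document(key, SAMPLE_DOCUMENT)}"
  puts "verifies:      #{valid_signature?(pub, sig, SAMPLE_DOCUMENT)}"
  puts "modified doc:  #{valid_signature?(pub, sig, SAMPLE_DOCUMENT + ' ')}"

  oid, digest = recover_digest_info(pub, sig)
  expected = OpenSSL::Digest.new("SHA512").digest(SAMPLE_DOCUMENT)
  puts "hash OID:      #{oid} (SHA-512: #{oid == SHA512_OID})"
  puts "digest match:  #{digest == expected}"
end
```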

