This allows you to cryptographically sign ruby gems, so that a user can later verify that they've downloaded a copy that hasn't been tampered with or hacked.

rubygems-openpgp

Software Assurance

To assure the validity of any software package, you need to:

  • Verify that the package has not been corrupted or maliciously tampered with by verifying the file's checksum.

  • Verify that the checksum has not been tampered with by validating a digital signature of that checksum.

  • Verify that the digital signature was produced by the package's publisher by authenticating the public key that was used to generate the digital signature.

If you can't do this, you can't verify the integrity of the package.
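The three checks above, carried through as an added Ruby example (this is not code from rubygems-openpgp, which drives gpg, and it assumes OpenSSL RSA keys in place of OpenPGP keys because Ruby's standard library has no OpenPGP implementation; the gem bytes, the checksum-file layout and the SHA-256 fingerprint scheme are constructed for the example). The point it makes concretely is the third check: a signature that verifies under a key you have never authenticated proves nothing about who published the gem, which is the failure described under "But That Just Failed!" below.

```ruby
require "openssl"
require "digest"

# Added example, not code from rubygems-openpgp (which shells out to gpg).
# Ruby's standard library has no OpenPGP implementation, so OpenSSL RSA
# keys stand in for OpenPGP keys; the three checks are the same.

# Constructed stand-in for the bytes of a .gem file.
GEM_BYTES = "constructed contents of openpgp_signed_hola-0.0.0.gem".b

# Publisher's signing key, generated here for the example.
PUBLISHER_KEY = OpenSSL::PKey::RSA.new(2048)

# Fingerprint used to pin a key: SHA-256 over the DER-encoded public key.
# (OpenPGP fingerprints are computed differently; the role is identical.)
def fingerprint(key)
  Digest::SHA256.hexdigest(key.public_key.to_der)
end

# Publisher side: the gem, a checksum file naming it, and a detached
# signature over that checksum file. The checksum-file format is made up.
def publish(gem_name, gem_bytes, signing_key)
  checksum_file = "SHA256 (#{gem_name}) = #{Digest::SHA256.hexdigest(gem_bytes)}\n"
  {
    gem: gem_bytes,
    checksum_file: checksum_file,
    signature: signing_key.sign("SHA256", checksum_file),
    signer_pub: signing_key.public_key,
  }
end

# Consumer side: runs the three checks in the order listed above and
# returns :ok or a symbol naming the first check that failed.
def verify_release(release, trusted_fingerprints)
  # 1. Integrity: the gem bytes must match the published checksum.
  published = release[:checksum_file][/=\s*([0-9a-f]{64})/, 1]
  return :bad_checksum unless published && published == Digest::SHA256.hexdigest(release[:gem])

  # 2. Authenticity of the checksum: the detached signature must verify.
  pub = release[:signer_pub]
  begin
    return :bad_signature unless pub.verify("SHA256", release[:signature], release[:checksum_file])
  rescue OpenSSL::PKey::PKeyError
    return :bad_signature
  end

  # 3. Trust: the signing key must be one the consumer has already
  # authenticated (pinned by fingerprint). A valid signature from an
  # unknown key says nothing about who published the gem.
  return :untrusted_key unless trusted_fingerprints.include?(fingerprint(pub))

  :ok
end

GEM_NAME = "openpgp_signed_hola-0.0.0.gem"
RELEASE = publish(GEM_NAME, GEM_BYTES, PUBLISHER_KEY)
TRUSTED = [fingerprint(PUBLISHER_KEY)]

if __FILE__ == $0
  puts "genuine release:          #{verify_release(RELEASE, TRUSTED)}"
  puts "tampered gem bytes:       #{verify_release(RELEASE.merge(gem: GEM_BYTES + "x"), TRUSTED)}"
  # An attacker re-signs a modified gem with a key the user never trusted.
  attacker = publish(GEM_NAME, GEM_BYTES + "x", OpenSSL::PKey::RSA.new(2048))
  puts "re-signed by unknown key: #{verify_release(attacker, TRUSTED)}"
  puts "no trusted keys pinned:   #{verify_release(RELEASE, [])}"
end
```

Note that each check only has meaning if the previous one held: a matching checksum with no signature is worthless against a tamperer who can rewrite the checksum file, and a valid signature is worthless until the key has been authenticated out of band, which is exactly what the `--trust` step in the examples below stands for.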

This gem allows cryptographic signing of ruby gems with OpenPGP instead of the current built-in signing method involving X.509.

Read more about why we should use OpenPGP. Here are the slides and video from a lightning talk I did at Pittsburgh.rb.

Prerequisites

A working installation of gpg.

An OpenPGP private key is required to sign gems, but not to verify.

Getting started with gpg.

Signing example

gem build openpgp_signed_hola.gemspec --sign
gem push openpgp_signed_hola-0.0.0.gem

Verification Example

A test gem openpgp_signed_hola is on rubygems.org. To try out this extension:

gem install openpgp_signed_hola-0.0.0.gem --trust --get-key

But That Just Failed!

You probably don't trust my public key. More information is available at The Complete Guide to Verifying Gems with rubygems-openpgp

The More You Know!

A detailed walkthrough of verification is available at The Complete Guide to Verifying Gems with rubygems-openpgp

Verifying your initial install

You can verify your initial install with a detached signature. Here's how.
