
Expand gem security build/install instructions; add checksum #70

Merged
merged 7 commits into from
Nov 21, 2013
Highlight gem checksum before the not-recommended openpgp
bf4 committed Nov 21, 2013
commit 90f453f3a383f8bd457213027f43a1287cce61b8
38 changes: 19 additions & 19 deletions security.md
Expand Up @@ -101,6 +101,25 @@ Add cert paths to your gemspec

-------

### Include checksum of released gems in your repository

For example, see the [ruby-lint gem](https://github.com/YorickPeterse/ruby-lint/blob/0858d8f841f604398f40ba3a40777d68c03a543b/task/checksum.rake).

To build:

require 'digest/sha2'
gem_path = 'pkg/ruby-lint-0.9.1.gem'
checksum = Digest::SHA512.new.hexdigest(File.read(gem_path))
checksum_path = 'checksum/ruby-lint-0.9.1.gem.sha512'
File.open(checksum_path, 'w' ) {|f| f.write(checksum) }

To verify:

gem fetch ruby-lint -v 0.9.1
ruby -rdigest/sha2 -e "puts Digest::SHA512.new.hexdigest(File.read('ruby-lint-0.9.1.gem'))

-------

### Not Recommended: [Rubygems OpenPGP signing](https://web.archive.org/web/20130914152133/http:https://www.rubygems-openpgp-ca.org/), [gem](https://github.com/grant-olson/rubygems-openpgp)
About: [Video](https://vimeo.com/59297058), [Slides](https://docs.google.com/a/grant-olson.net/viewer?a=v&pid=sites&srcid=Z3JhbnQtb2xzb24ubmV0fGdyYW50LXMtc3R1ZmZ8Z3g6MTg5MWZkNjU3ZGEyZDY5Yg)

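Review bot: the `ruby -rdigest/sha2 -e "puts Digest::SHA512.new.hexdigest(File.read('ruby-lint-0.9.1.gem'))` line in the new "To verify" block is missing its closing double quote, so a reader who copies it gets an unterminated-string error from the shell; and even once closed, the step only prints a digest and never compares it with the committed `checksum/ruby-lint-0.9.1.gem.sha512` file, so the instructions stop short of an actual pass/fail check. Suggest closing the quote and finishing the comparison, for example `ruby -rdigest/sha2 -e "puts Digest::SHA512.new.hexdigest(File.read('ruby-lint-0.9.1.gem')) == File.read('checksum/ruby-lint-0.9.1.gem.sha512').strip"`. In both the build and verify snippets, `File.read` opens the .gem in text mode; `File.binread` (or `Digest::SHA512.file(gem_path).hexdigest`) reads the archive as bytes and avoids platform newline translation changing the digest.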
Expand All @@ -126,25 +145,6 @@ To [install](https://github.com/grant-olson/stackdriver-ruby/blob/505d928/README
$ gpg --lsign 3649F444 # Trust this key. You verified it yourself, right?
$ gem install ruby-lint --trust # Trust includes verification

------

### Alternative: Include checksum of released gems in your repository

For example, see the [ruby-lint gem](https://github.com/YorickPeterse/ruby-lint/blob/0858d8f841f604398f40ba3a40777d68c03a543b/task/checksum.rake).

To build:

require 'digest/sha2'
gem_path = 'pkg/ruby-lint-0.9.1.gem'
checksum = Digest::SHA512.new.hexdigest(File.read(gem_path))
checksum_path = 'checksum/ruby-lint-0.9.1.gem.sha512'
File.open(checksum_path, 'w' ) {|f| f.write(checksum) }

To verify:

gem fetch ruby-lint -v 0.9.1
ruby -rdigest/sha2 -e "puts Digest::SHA512.new.hexdigest(File.read('ruby-lint-0.9.1.gem'))

Credits
-------

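Review bot: dropping the duplicated "Alternative: Include checksum" section is right, since the same text now lives above the OpenPGP section, but the hunk also removes the `------` rule that separated the OpenPGP install steps from the `Credits` heading; every other section in the file is closed with a `-------` line, so the OpenPGP section now runs straight into Credits. Suggest keeping one separator line (matching the seven-hyphen width used elsewhere) before `Credits`.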