Hi Matt,

Yes, this is a good idea. I can do the SHA1 for this release and start signing the gem with the next release.

-Justin

On 2013-10-28 11:52, Matt Glover (Mandiant) wrote:
> In case I missed it does the brakeman project cryptographically sign
> or otherwise provide verification information for releases currently?
>
> If not, would the brakeman team consider signing their releases in
> some fashion? Without trying to tackle the larger gem signing issues
> in the Ruby community a few approaches I have seen in the wild
> include:
>
> * Signing the gem with the current "gem cert" family of commands
>   and publishing the key with the repo or on a site/blog related to the
>   project
> * Including a GPG signed release announcement with gem hashes like
>   they do with Rack releases:
>   https://groups.google.com/d/msg/rack-devel/mZsuRonD7G8/DpZIOmMLbOgJ [1]
> * Providing hashes of updated gems on the gem's main site like they
>   do with Rails releases:
>   http://weblog.rubyonrails.org/2013/10/17/Rails-4-0-1-rc1-has-been-released/ [2]
>
> Obviously each approach has some set of weaknesses associated with it
> but I would certainly find it useful to apply another sanity check
> when pulling down an updated version of brakeman.
>
> Links:
> ------
> [1] https://groups.google.com/d/msg/rack-devel/mZsuRonD7G8/DpZIOmMLbOgJ
> [2] http://weblog.rubyonrails.org/2013/10/17/Rails-4-0-1-rc1-has-been-released/
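The published-hash approaches Matt lists above, as an added example that is not code from the brakeman project or from either poster: a small Ruby checker that parses a sha256sum-style hash list (as pasted into a release announcement) and verifies downloaded gem files against it before anything is installed. The function names, the file names and the sample announcement are constructed assumptions.

```ruby
require 'digest'
require 'tmpdir'

# Hex-digest length tells us the algorithm, so one checker accepts SHA1
# (as offered in the reply above) as well as SHA-256/SHA-512 lists.
DIGEST_BY_HEX_LENGTH = { 40 => Digest::SHA1, 64 => Digest::SHA256, 128 => Digest::SHA512 }.freeze

# Parse "<hex digest>  <filename>" lines (the sha256sum layout); anything
# that does not fit the layout or a known digest length is skipped.
def parse_announcement(text)
  text.each_line.filter_map do |line|
    m = line.strip.match(/\A([0-9a-fA-F]+)\s+\*?(\S+)\z/)
    next unless m
    klass = DIGEST_BY_HEX_LENGTH[m[1].length]
    next unless klass
    { file: m[2], hex: m[1].downcase, digest_class: klass }
  end
end

# Constant-time comparison: the result's timing does not depend on where
# the first differing byte sits (avoids depending on a particular openssl gem).
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Check each listed file in `dir`; returns filename => :ok | :mismatch | :missing
# so the caller can refuse to install anything that is not :ok.
def verify_gem_hashes(announcement_text, dir)
  parse_announcement(announcement_text).to_h do |entry|
    path = File.join(dir, entry[:file])
    status = if File.file?(path)
               actual = entry[:digest_class].file(path).hexdigest
               constant_time_equal?(actual, entry[:hex]) ? :ok : :mismatch
             else
               :missing
             end
    [entry[:file], status]
  end
end

# Constructed sample: one correctly listed gem, one whose listed digest was
# tampered with, and one listed but never downloaded.
def demo
  Dir.mktmpdir do |dir|
    File.binwrite(File.join(dir, 'example-1.0.0.gem'), 'constructed gem bytes')
    File.binwrite(File.join(dir, 'other-2.0.0.gem'), 'other constructed bytes')
    good = Digest::SHA256.hexdigest('constructed gem bytes')
    announcement = "#{good}  example-1.0.0.gem\n" \
                   "#{'f' * 64}  other-2.0.0.gem\n" \
                   "#{'0' * 40}  missing-3.0.0.gem\n"
    verify_gem_hashes(announcement, dir)
  end
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

In practice the hash list itself should come from a GPG-signed announcement or an HTTPS page controlled by the project, since a hash served alongside the gem from the same untrusted channel proves nothing.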
