On Jun 3, 2011, at 8:16 PM, Grant Olson wrote:
> On 6/3/2011 9:43 PM, Eric Hodel wrote:
>> On May 26, 2011, at 5:26 PM, Grant Olson wrote:
>>
>>> 3) Is there interest in a simulated CA at a site like rubygems, as
>>> described in the original post?
>>
>> Yes
>>
>> We could do something lazier too, IIRC `gem push` uses SSL to upload the
>> gem, so rubygems.org could simply sign any gems with its own cert. No need
>> for a CA or any of that stuff. (This proposal is overly simplistic
>> currently).
>
> Do you mean your proposal or mine is simplistic?

My proposal is overly simplistic due to all your comments below. (Perhaps you also suggested this but I skimmed it too quickly.)

> It actually would be nice if rubygems signed the gem on push, if it
> somehow verified the gem's authenticity when it was uploaded, above and
> beyond the username/password check.

There could be two different certs rubygems.org signs with, one for "enhanced" verification and one for only username/password verification.

> From my perspective, that would still introduce some problems:
>
> Does rubygems.org deliver the certificate through a new remote API call,
> or does it embed the sig in the uploaded gem? Either API change seems
> problematic, and would require integration with rubygems (the gem) as
> well. Signing a user's certificate could happen without modifying the
> core rubygems.org distribution system as it exists now.

The easy way is to not use user certificates at all and just create a rubygems.org key for signing gems. The key's certificate would ship with RubyGems and any uploaded gem that didn't have a signature would be repackaged with a signature from the RubyGems key.

> Anyway, I did create a gem called rubygems-openpgp that allows you to
> sign and verify gems. I'm planning to add functionality to make signing
> and building a single command.
>
> I'd like to make verifying and installing a single command, but it
> doesn't look like there will be an easy way for me to hook into the
> system between the fetch and install phases. It also looks problematic
> to hook into any gem dependencies that automatically get downloaded, so
> that they are verified as well.

There are three hooks, pre_install, post_build and post_install. pre_install and post_build are both able to cancel an install by returning false. There's also a post_installs hook in master. Gems get installed in reverse dependency order, so you should be able to keep state in a separate class across installs to ensure everything is verified.
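The pre_install hook with state kept in a separate class, as described in the message above, sketched as an added example (not code from this thread, from rubygems-openpgp or from RubyGems). The InstallVerifier class and the PINS table are hypothetical, and a pinned SHA-256 of the .gem file stands in for the signature check the thread discusses.

```ruby
require 'rubygems'
require 'digest'

# Hypothetical helper (not part of RubyGems): remembers the verdict for every
# gem seen during one `gem install` run, automatically fetched dependencies
# included, so the whole dependency chain can be audited afterwards.
class InstallVerifier
  attr_reader :verified, :rejected

  # pins: { "name-version" => expected SHA-256 hex digest of the .gem file }
  def initialize(pins)
    @pins = pins
    @verified = []
    @rejected = []
  end

  # True only when the file on disk matches its pin. A gem with no pin fails
  # closed, so an unpinned dependency cannot slip through unverified.
  def check(full_name, gem_path)
    expected = @pins[full_name]
    ok = !expected.nil? && File.file?(gem_path) &&
         Digest::SHA256.file(gem_path).hexdigest == expected
    (ok ? @verified : @rejected) << full_name
    ok
  end

  # Body of the pre_install hook. RubyGems cancels the install only when the
  # hook returns exactly false (nil does not cancel), so return a boolean.
  def pre_install(installer)
    check(installer.spec.full_name, installer.gem)
  end

  # True once at least one gem was checked and none was rejected.
  def clean?
    @rejected.empty? && !@verified.empty?
  end
end

# Registration as it would appear in a rubygems_plugin.rb file.
# PINS is constructed sample data; the digest is a placeholder.
PINS = { 'example-gem-1.0.0' => '0' * 64 }.freeze
VERIFIER = InstallVerifier.new(PINS)
Gem.pre_install { |installer| VERIFIER.pre_install(installer) }
```

Because the hook runs once per gem, dependencies included, one shared verifier object sees every install in the run, and its rejected list shows which gem stopped it.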