One thing to note is we're using RSASSA PKCS#1 v1.5 with SHA-512 for digital signatures:
https://github.com/square/rubygems/blob/tuf/lib/rubygems/tuf/signer.rb#L25 Ruby doesn't support RSASSA-PSS. I don't think this is problematic though: there aren't known attacks on PKCS#1 v1.5 for digital signatures, and the scheme is deterministic which is arguably desirable. On Wed, Nov 20, 2013 at 11:04 AM, Tony Arcieri <basc...@gmail.com> wrote: > Hi there! The team here at Square has some code for you to look at if > you'd like to perform some initial review. > > We're committing to the "tuf" branch on the Square fork of RubyGems and > RubyGems.org: > > https://github.com/square/rubygems/commits/tuf > https://github.com/square/rubygems.org/commits/tuf > > So far the server contains the main code spike, including the code > necessary to generate TUF metadata and download and verify a gem. > > You can find the client here: > > > https://github.com/square/rubygems.org/blob/tuf/script/fetch-me-a-gem-with-tuf > > We'll be moving this code into the RubyGems client, which is a bit tricky > as we can only depend on the standard library and still need to work on > ancient versions of Ruby that don't even ship a JSON parser. > > -- > Tony Arcieri > -- Tony Arcieri _______________________________________________ RubyGems-Developers mailing list http://rubyforge.org/projects/rubygems RubyGems-Developers@rubyforge.org http://rubyforge.org/mailman/listinfo/rubygems-developers
