Hi Matt,
Yes, this is a good idea. I can do the SHA1 for this release and start
signing the gem with the next release.
-Justin
On 2013-10-28 11:52, Matt Glover (Mandiant) wrote:
> In case I missed it, does the brakeman project cryptographically sign
> or otherwise provide verification information for releases currently?
>
> If not, would the brakeman team consider signing their releases in
> some fashion? Without trying to tackle the larger gem signing issues
> in the Ruby community, a few approaches I have seen in the wild
> include:
>
> * Signing the gem with the current "gem cert" family of commands
> and publishing the key with the repo or on a site/blog related to the
> project
> * Including a GPG signed release announcement with gem hashes like
> they do with Rack releases:
> https://groups.google.com/d/msg/rack-devel/mZsuRonD7G8/DpZIOmMLbOgJ
> [1]
> * Providing hashes of updated gems on the gem's main site like they
> do with Rails releases:
> http://weblog.rubyonrails.org/2013/10/17/Rails-4-0-1-rc1-has-been-released/
> [2]
>
> Obviously each approach has some set of weaknesses associated with it,
> but I would certainly find it useful to apply another sanity check
> when pulling down an updated version of brakeman.
>
> Links:
> --
> [1]
> https://groups.google.com/d/msg/rack-devel/mZsuRonD7G8/DpZIOmMLbOgJ
> [2]
> http://weblog.rubyonrails.org/2013/10/17/Rails-4-0-1-rc1-has-been-released/
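
Added example (not code from the Brakeman project or from either correspondent): a small Ruby script that performs the "sanity check" the last two approaches above make possible. It parses a plain-text list of published gem digests and compares a downloaded .gem against every digest listed for it. The announcement layout, the gem file names and the demo contents are assumptions made for illustration. SHA1 is accepted only because the thread and the announcements of the time use it; SHA256 is the digest to rely on, since SHA1 is no longer collision resistant. Two caveats a practitioner would add: a digest published on the same server as the gem detects corruption or a swapped file but not a compromise of that server, which is what a GPG signature over the announcement (the Rack approach) addresses; and with the "gem cert" approach the check is done by RubyGems itself, after the publisher's certificate has been imported with gem cert --add and the gem is installed with a trust policy such as gem install brakeman -P HighSecurity.

```ruby
require 'digest'
require 'tmpdir'

# Digest algorithms an announcement may list. SHA1 is kept only because
# announcements of the period (and this thread) use it; SHA256 is the one
# to rely on, since SHA1 is no longer collision resistant.
ALGORITHMS = { "SHA1" => Digest::SHA1, "SHA256" => Digest::SHA256 }.freeze

# Parse a plain-text announcement block. The layout is an assumption,
# modelled on the Rails release posts cited in the thread:
#   SHA256:
#   foo-1.0.0.gem  <hex digest>
# Returns { "SHA256" => { "foo-1.0.0.gem" => "<hex>" }, ... }
def parse_announcement(text)
  digests = Hash.new { |h, k| h[k] = {} }
  current = nil
  text.each_line do |raw|
    line = raw.strip
    next if line.empty?
    if (m = line.match(/\A(SHA1|SHA256):\z/i))
      current = m[1].upcase
    elsif current && (m = line.match(/\A(\S+\.gem)\s+([0-9a-f]+)\z/i))
      digests[current][m[1]] = m[2].downcase
    end
  end
  digests
end

# Constant-time comparison of two hex strings, so a mismatch is not
# revealed byte by byte through timing.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Check one downloaded .gem against every digest published for its basename.
# Returns :ok, :mismatch, or :unlisted (the announcement says nothing about it).
def verify_gem(path, digests)
  name = File.basename(path)
  expected = digests.each_with_object([]) do |(algo, files), acc|
    acc << [algo, files[name]] if files[name]
  end
  return :unlisted if expected.empty?
  data = File.binread(path)
  expected.each do |algo, hex|
    actual = ALGORITHMS.fetch(algo).hexdigest(data)
    return :mismatch unless constant_time_equal?(actual, hex)
  end
  :ok
end

# Self-contained demo on constructed data: a fake gem file, the digests its
# "announcement" would carry, a tampered copy, and an unlisted file.
def demo
  Dir.mktmpdir do |dir|
    gem_path = File.join(dir, "example-1.0.0.gem")
    File.binwrite(gem_path, "constructed gem contents, not a real gem")
    announcement = ALGORITHMS.map do |algo, klass|
      "#{algo}:\nexample-1.0.0.gem  #{klass.file(gem_path).hexdigest}\n"
    end.join
    digests = parse_announcement(announcement)
    results = { clean: verify_gem(gem_path, digests) }
    File.binwrite(gem_path, "constructed gem contents, not a real gem!")  # one byte appended
    results[:tampered] = verify_gem(gem_path, digests)
    results[:unlisted] = verify_gem(File.join(dir, "other-0.1.0.gem"), digests)
    results
  end
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```

Running the script prints {:clean=>:ok, :tampered=>:mismatch, :unlisted=>:unlisted}. In real use the announcement text would come from the signed post or the release page, and the script would be run against the file fetched with gem fetch before gem install; an :unlisted result should be treated as a failure, not a pass, since an attacker who can swap the gem can also leave its name off a list they do not control.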