NOTE: The CA component project has been deprecated due to lack of use. The signing plugin rubygems-openpgp is still actively maintained and can be used to sign gems with OpenPGP if you wish.
The goal of this project is to provide:
Step one is the most important part. If we can get developers and users to sign and verify gems, there are a multitude of authentication methods that can be modeled on top of the core. This can be done independently by any third party, and end users can decide what authentication systems they do and don't trust.
After installation and configuration, you simply add the --trust flag when installing your gems:
gem install openpgp_signed_hola --trust
If the gem can be verified, it will be installed. If not, you will get an error message. Learn more at The Complete Guide to Verifying Gems.
After installation and configuration, you simply sign your gems before pushing to rubygems.org:
gem build foo.gemspec --sign
gem push foo-0.0.0.gem
The Complete Guide to Verifying Gems covers installation of the client software and verifying a single developer's test gem.
The Complete Guide to Signing the Certificate Authority Keys shows you how to install the Certificate Authority keys so that you don't need to verify developers' keys individually.
Learn more at The Complete Guide to Signing Your Gem.