Closed rochlefebvre closed 2 years ago
Today, we can sign any random file. The verification retrieves and verifies the signature, but blows up when trying to open the gemspec.
```
➜ ruby-sigstore git:(add_rubocop) ✗ gem verify Rakefile
Verifying /Users/rochlefebvre/src/github.com/Shopify/ruby-sigstore/Rakefile
No valid signatures found for digest 098db0a032b4929f8d8b25bb176cecfe39e2f4bbfe9838c5ecb117c3ff9d7600
➜ ruby-sigstore git:(add_rubocop) ✗ gem sign Rakefile
Fulcio certificate chain
-----BEGIN CERTIFICATE-----
MIIDeDCCAv2gAwIBAgIUAMMu7NgFjIqCm5LQ9pMAjN1Cd40wCgYIKoZIzj0EAwMw
KjEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MREwDwYDVQQDEwhzaWdzdG9yZTAeFw0y
MTExMjMyMDA5NDBaFw0yMTExMjMyMDI5MzlaMAAwggEiMA0GCSqGSIb3DQEBAQUA
A4IBDwAwggEKAoIBAQDWdtWhx05iY8LWQ4CARxTtVL1J39wB9MdivTwS4lUJrpV9
SI3EvQLC95xVg2OEoKHJta9Fs/Wm09YbaD9HdDdqTfWgYGHFwd9mtwkK6erLk8Fn
Ay8L5ker01aPOhHIuW6RlRp6eRUeF0AMcte8haTtkjXLz3kJP3/FBjQ19+tuVkmV
XIN+jwFdj63MFnRf1/7v8hCVaO1HUqPjZhM96QNbgw6JZmnKpKmVaO5FlQbDWdHM
2gQR+XyCZ6KQExJL/AyTAD1TeE76J0Q7cBYThS/HphVQfdhlqMa27XjYUA4xqyPL
c+PasURbzJZdOYaWUwy5CuAJwqmDthzLLZqtFyErAgMBAAGjggFeMIIBWjAOBgNV
HQ8BAf8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwMwDAYDVR0TAQH/BAIwADAd
BgNVHQ4EFgQUEosT60JqnbhKtfYmighOYvlPqVkwHwYDVR0jBBgwFoAUyMUdAEGa
JCkyUSTrDa5K7UoG0+wwgY0GCCsGAQUFBwEBBIGAMH4wfAYIKwYBBQUHMAKGcGh0
dHA6Ly9wcml2YXRlY2EtY29udGVudC02MDNmZTdlNy0wMDAwLTIyMjctYmY3NS1m
NGY1ZTgwZDI5NTQuc3RvcmFnZS5nb29nbGVhcGlzLmNvbS9jYTM2YTFlOTYyNDJi
OWZjYjE0Ni9jYS5jcnQwJwYDVR0RAQH/BB0wG4EZcm9jaC5sZWZlYnZyZUBzaG9w
aWZ5LmNvbTAsBgorBgEEAYO/MAEBBB5odHRwczovL2dpdGh1Yi5jb20vbG9naW4v
b2F1dGgwCgYIKoZIzj0EAwMDaQAwZgIxAN1G1JrvQ6Sxmv0BdyebMQ31BQARgOve
8n0WciVUNPqGC5Np0TVZsdT/p/R4g2HahAIxAP6NTZJKc/cETQqR9t/QL//ilewV
9CE3liv/FEI86fqQ5Di+xpauRkPIHVbuAqtV7g==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIB+DCCAX6gAwIBAgITNVkDZoCiofPDsy7dfm6geLbuhzAKBggqhkjOPQQDAzAq
MRUwEwYDVQQKEwxzaWdzdG9yZS5kZXYxETAPBgNVBAMTCHNpZ3N0b3JlMB4XDTIx
MDMwNzAzMjAyOVoXDTMxMDIyMzAzMjAyOVowKjEVMBMGA1UEChMMc2lnc3RvcmUu
ZGV2MREwDwYDVQQDEwhzaWdzdG9yZTB2MBAGByqGSM49AgEGBSuBBAAiA2IABLSy
A7Ii5k+pNO8ZEWY0ylemWDowOkNa3kL+GZE5Z5GWehL9/A9bRNA3RbrsZ5i0Jcas
taRL7Sp5fp/jD5dxqc/UdTVnlvS16an+2Yfswe/QuLolRUCrcOE2+2iA5+tzd6Nm
MGQwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8CAQEwHQYDVR0OBBYE
FMjFHQBBmiQpMlEk6w2uSu1KBtPsMB8GA1UdIwQYMBaAFMjFHQBBmiQpMlEk6w2u
Su1KBtPsMAoGCCqGSM49BAMDA2gAMGUCMH8liWJfMui6vXXBhjDgY4MwslmN/TJx
Ve/83WrFomwmNf056y1X48F9c4m3a3ozXAIxAKjRay5/aj/jsKKGIkmQatjI8uup
Hr/+CxFvaJWmpYqNkLDGRU+9orzh5hI2RrcuaQ==
-----END CERTIFICATE-----
Sending gem digest, signature & certificate chain to transparency log.
https://rekor.sigstore.dev/api/v1/log/entries/f9e7a00793d259e4b29517bc5fc7d059e241664f9f3c118c3abcb53e3197faa6
➜ ruby-sigstore git:(add_rubocop) ✗ gem verify Rakefile
Verifying /Users/rochlefebvre/src/github.com/Shopify/ruby-sigstore/Rakefile
:noice:
ERROR:  While executing gem ... (ArgumentError)
    "se\");\n#" is not an octal string
```
We should be checking our arguments for gem-iness and error gracefully unless they are supported file types. Note that `gem install --verify-signatures` and `gem build --sign` probably check for us already.
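One way to do the argument check the issue asks for, as an added example that is not part of the ruby-sigstore code base or of this issue: classify each argument before any signature lookup, so a stray `Rakefile` is rejected with a readable message instead of reaching `Gem::Package::TarHeader`'s octal field parser (which is where the `is not an octal string` `ArgumentError` above comes from). The `.gem` extension check, the list of required archive entries and the `Gem::CommandLineError` wrapper are my assumptions about what "gem-iness" should mean; the sample files are constructed in a temp dir and the "gem" is only gem-shaped, not installable.

```ruby
require "rubygems"
require "rubygems/package"
require "tmpdir"
require "zlib"

# Entries every .gem archive (a plain, uncompressed tar) carries. Assumption:
# finding both is enough to call an argument "gem-shaped" before verification.
REQUIRED_GEM_ENTRIES = %w[metadata.gz data.tar.gz].freeze

# Classifies +path+ before any signature lookup. Returns [true, nil] for a
# gem-shaped file and [false, reason] otherwise, so a stray Rakefile produces a
# readable error instead of the tar header parser's "is not an octal string".
def gem_file?(path)
  return [false, "#{path}: no such file"] unless File.file?(path)
  return [false, "#{path}: unsupported file type (expected a .gem)"] unless File.extname(path) == ".gem"

  found = []
  File.open(path, "rb") do |io|
    Gem::Package::TarReader.new(io) { |tar| tar.each { |entry| found << entry.full_name } }
  end
  missing = REQUIRED_GEM_ENTRIES - found
  return [false, "#{path}: not a gem archive (missing #{missing.join(', ')})"] unless missing.empty?

  [true, nil]
rescue Gem::Package::TarInvalidError, Gem::Package::FormatError, ArgumentError, Zlib::Error => e
  # Non-tar bytes trip the tar header's octal field parsing (older RubyGems
  # raises ArgumentError, newer ones wrap it in TarInvalidError); report it.
  [false, "#{path}: not a gem archive (#{e.class}: #{e.message})"]
end

# What a `gem verify` / `gem sign` command would run over ARGV: fail fast with
# one Gem::CommandLineError listing every bad argument, or return the paths.
def check_gem_arguments(paths)
  problems = paths.map { |p| gem_file?(p)[1] }.compact
  raise Gem::CommandLineError, "cannot verify: #{problems.join('; ')}" unless problems.empty?
  paths
end

# Constructed sample: a minimal gem-shaped tar (not a real, installable gem).
def write_fake_gem(path)
  meta = Zlib.gzip("--- !ruby/object:Gem::Specification\nname: example\n")
  data = Zlib.gzip("")
  File.open(path, "wb") do |io|
    Gem::Package::TarWriter.new(io) do |tar|
      tar.add_file_simple("metadata.gz", 0o444, meta.bytesize) { |w| w.write meta }
      tar.add_file_simple("data.tar.gz", 0o444, data.bytesize) { |w| w.write data }
    end
  end
end

# Exercises the cases from the issue in a temp dir and returns the verdicts.
def classify_samples
  Dir.mktmpdir do |dir|
    gem_path = File.join(dir, "example-0.1.0.gem")
    write_fake_gem(gem_path)
    rakefile = File.join(dir, "Rakefile")
    File.write(rakefile, "task :default do\n  puts \"noise\"\nend\n")
    text_gem = File.join(dir, "bogus.gem") # right extension, text inside
    File.write(text_gem, "not a gem\n" * 100)

    rejected = begin
      check_gem_arguments([gem_path, rakefile])
    rescue Gem::CommandLineError => e
      e.message
    end

    {
      real_gem: gem_file?(gem_path),
      rakefile: gem_file?(rakefile),
      text_gem: gem_file?(text_gem),
      rejected: rejected,
    }
  end
end

if __FILE__ == $PROGRAM_NAME
  classify_samples.each { |k, v| puts "#{k}: #{v.inspect}" }
end
```

The extension check alone would have caught the `Rakefile` case in the issue; the archive walk is there for the harder case of a file that is named `.gem` but is not a tar, which is the input that otherwise reaches the octal parser.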