Closed postmodern closed 11 years ago
I would like to do that, and previously investigated the possibility, but this can't be done without actually forking rubygems itself.
Actually on a very basic level this is possible:
diff --git a/lib/rubygems_plugin.rb b/lib/rubygems_plugin.rb
index 8e841e5..54866b2 100644
--- a/lib/rubygems_plugin.rb
+++ b/lib/rubygems_plugin.rb
@@ -1,6 +1,13 @@
require 'rubygems/command_manager'
+require 'rubygems/gem_openpgp'
Gem::CommandManager.instance.register_command :sign
Gem::CommandManager.instance.register_command :verify
#Gem::CommandManager.instance.register_command :vinstall
#Gem::CommandManager.instance.register_command :sbuild
+
+Gem.post_install do |installer|
+ output = Gem::OpenPGP.verify_gem(installer.gem)
+
+ installer.say output.join("\n")
+end
If this actually turns out to work completely this could be a really nice addition.
Example of what it looks like with auto verification (I enjoy Showterm way too much): http://showterm.io/8e3b1c816fad85c3ced35
Is it possible to also hook gem building, so everything is auto-signed?
This should be possible using Gem.post_build
. I'll see if I can add this somehow as well.
On second thought, how exactly would you hook this in? Using the above hook would mean that every Gem you ever build will be signed by your credentials and I'm not sure if that's something people would want to happen.
Ah right. I guess an option needs to be specified. Trying to think of the least intrusive way to support gem signing in rubygems-tasks.
I will consider creating rubygems-tasks-pgp which might override the build:gem
task and either use Gem::OpenPGP
, shell out or use some gpgme library.
You can now specify --verify in the gem install
command. This can be added to ~/.gemrc if you want it to be default behavior.
Is it possible to override the install process, and verify gems that contain
.asc
files?