grant-olson / rubygems-openpgp

This allows you to cryptographically sign ruby gems, so that a user can later verify that they've downloaded a copy that hasn't been tampered with or hacked.
http://www.rubygems-openpgp-ca.org

Support automatic verification #6

Closed postmodern closed 11 years ago

postmodern commented 11 years ago

Is it possible to override the install process, and verify gems that contain .asc files?

grant-olson commented 11 years ago

I would like to do that, and previously investigated the possibility, but this can't be done without actually forking rubygems itself.

yorickpeterse commented 11 years ago

Actually on a very basic level this is possible:

diff --git a/lib/rubygems_plugin.rb b/lib/rubygems_plugin.rb
index 8e841e5..54866b2 100644                               
--- a/lib/rubygems_plugin.rb                                
+++ b/lib/rubygems_plugin.rb                                
@@ -1,6 +1,13 @@                                            
 require 'rubygems/command_manager'                         
+require 'rubygems/gem_openpgp'                             

 Gem::CommandManager.instance.register_command :sign        
 Gem::CommandManager.instance.register_command :verify      
 #Gem::CommandManager.instance.register_command :vinstall   
 #Gem::CommandManager.instance.register_command :sbuild     
+                                                           
+Gem.post_install do |installer|                            
+  output = Gem::OpenPGP.verify_gem(installer.gem)          
+                                                           
+  installer.say output.join("\n")                          
+end                                                        
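
Review bot: In the `Gem.post_install` block the result of `Gem::OpenPGP.verify_gem(installer.gem)` is only printed through `installer.say`, so a gem that fails verification is still installed, and the check runs after installation rather than before it. Consider registering the check with `Gem.pre_install` and returning `false` from the block when verification fails, which makes RubyGems abort the install. The hook is also registered unconditionally when the plugin loads, so every `gem install` gets a verification pass; an opt-in switch would leave the default behaviour unchanged for users who have not set up keys.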

If this actually turns out to work completely this could be a really nice addition.

yorickpeterse commented 11 years ago

Example of what it looks like with auto verification (I enjoy Showterm way too much): http://showterm.io/8e3b1c816fad85c3ced35

postmodern commented 11 years ago

Is it possible to also hook gem building, so everything is auto-signed?

yorickpeterse commented 11 years ago

This should be possible using Gem.post_build. I'll see if I can add this somehow as well.

yorickpeterse commented 11 years ago

On second thought, how exactly would you hook this in? Using the above hook would mean that every Gem you ever build will be signed by your credentials and I'm not sure if that's something people would want to happen.

postmodern commented 11 years ago

Ah right. I guess an option needs to be specified. Trying to think of the least intrusive way to support gem signing in rubygems-tasks.

postmodern commented 11 years ago

I will consider creating rubygems-tasks-pgp which might override the build:gem task and either use Gem::OpenPGP, shell out or use some gpgme library.

grant-olson commented 11 years ago

You can now specify --verify in the gem install command. This can be added to ~/.gemrc if you want it to be default behavior.