Explore options for gem signing

[tannalynn]

Lets explore setting up gem signing or investigate some alternatives.

[workato-integration[bot]]

https://new-relic.atlassian.net/browse/NR-185718

[fallwith]

The .gem files available from RubyGems.org are gzipped tarballs and they contain a gzipped checksums.yaml file. I wonder if the checksums stored within that file could establish trust.

Unfortunately if you clone our repo or download a source release from our repo's releases page and build the gem yourself, the resulting checksums stored in the newly built file will likely differ from the values the CD pipeline was able to produce.

But if we could record the valid checksums created by CD in a location separate from RubyGems.org, the separate location could be used for verification purposes to establish trust.

Idea:

• Update the CD process so that after the .gem file is built but before it is published to RubyGems.org, it is exploded and the checksums are YAML parsed and recorded. Perhaps the checksums could be stored as a comment on the GitHub release page. Perhaps the checksums.yaml file could be checked in somewhere, such as .checksums/v9.7.0.yaml.
• Now when someone obtains a copy of our gem, they can explode it and perform a checksum operation on the data.tar.gz file. They can then compare the checksum value with the one we have stored away from RubyGems.org.