Closed jfelchner closed 1 year ago
We will sign this gem when Rubygems has a good way to sign gems. As it doesn't have one yet, I'll mark this closed, but I'll make sure we work on improving how Rubygems signs gems.
@rafaelfranca I don't understand "a good way to sign gems"; can you elaborate? I sign all my gems. It's part of the build process. It's very easy.
https://github.com/rubygems/rfcs/pull/37
Perhaps for a single-person gem the approach of using certificates to sign the gem is ok. But for a gem like Thor, which has several maintainers, passing a private certificate around is prone to so many attack vectors that it isn't worth doing.
There are a lot of attacks that deal with spoofing dependencies and other supply chain attacks. Because thor is one of the most popular gems (and is a foundation for a lot of CLI-based apps), I think it makes sense to sign the gem releases so that users can be sure we're getting the genuine article.

By signing thor, any gem that depends on it can be installed with HighSecurity enabled. This should be fairly trivial since thor has no runtime dependencies.

This is an older but still accurate step-by-step guide on how to do it.
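As an added example (not code from the thor project or from the issue author), the following shows the gemspec fields a maintainer sets so that `gem build` signs the package, reads back what RubyGems' built-in HighSecurity policy actually enforces, and lists what would block a spec from installing under it. The gem name, author and certificate/key paths are hypothetical.

```ruby
# Added example: gem signing configuration and the HighSecurity policy flags.
require "rubygems"
require "rubygems/security"

# Hypothetical gem that builds on thor; paths follow the usual RubyGems layout.
def signed_gemspec
  Gem::Specification.new do |s|
    s.name    = "example-cli"
    s.version = "1.0.0"
    s.summary = "CLI built on thor"
    s.authors = ["maintainer"]
    s.files   = []
    # Public certificate shipped inside the gem. A user installing with
    # -P HighSecurity must trust it first: gem cert --add certs/maintainer.pem
    s.cert_chain = ["certs/maintainer.pem"]
    # The private key is read only while `gem build` runs and never ships in
    # the gem; guarding on $PROGRAM_NAME keeps `bundle` from needing the key.
    if $PROGRAM_NAME.end_with?("gem")
      s.signing_key = File.expand_path("~/.gem/gem-private_key.pem")
    end
  end
end

# What a named RubyGems policy enforces. `only_signed` is why every gem in the
# dependency tree must be signed before an install under HighSecurity succeeds,
# so a gem with no runtime dependencies (like thor) is the easy case.
def policy_requirements(policy_name)
  policy = Gem::Security::Policies.fetch(policy_name)
  {
    only_signed:   policy.only_signed,
    only_trusted:  policy.only_trusted,
    verify_chain:  policy.verify_chain,
    verify_data:   policy.verify_data,
    verify_root:   policy.verify_root,
    verify_signer: policy.verify_signer,
  }
end

# Reasons a spec cannot be installed under an `only_signed` policy as-is.
def high_security_blockers(spec)
  blockers = []
  blockers << "no cert_chain in gemspec" if spec.cert_chain.empty?
  spec.runtime_dependencies.each { |d| blockers << "dependency #{d.name} must be signed too" }
  blockers
end

if __FILE__ == $PROGRAM_NAME
  p policy_requirements("HighSecurity")
  p high_security_blockers(signed_gemspec)
end
```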