rails / thor

Thor is a toolkit for building powerful command-line interfaces.
http://whatisthor.com/
MIT License

Please Sign This Gem To Allow Verified Installations #816

Closed jfelchner closed 1 year ago

jfelchner commented 1 year ago

There are a lot of attacks that deal with spoofing dependencies and other supply chain attacks. Because thor is one of the most popular gems (and is a foundation for a lot of CLI-based apps), I think it makes sense to sign the gem releases so that users can be sure we're getting the genuine article.

By signing thor, any gem that depends on it can be installed with HighSecurity enabled.

This should be fairly trivial since thor has no runtime dependencies.

This is an older but still accurate step-by-step guide on how to do it.
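As an added illustration of the HighSecurity point above (this code is not from the thread or from thor), the script below lists the entries of a `.gem` archive and reports whether it carries the signature files RubyGems writes for a signed gem; the sample archive is constructed in memory with placeholder contents so the script runs offline.

```ruby
require "rubygems/package"
require "stringio"

# Files RubyGems adds to a .gem archive when it is built with a signing key.
# `gem install -P HighSecurity` rejects any gem in the dependency tree that
# lacks them (or whose cert_chain is not in the local trust store), which is
# why a single unsigned gem such as thor blocks HighSecurity for every dependent.
SIGNATURE_ENTRIES = %w[metadata.gz.sig data.tar.gz.sig].freeze

# Lists the archive entries and reports whether both signature files exist.
# gem_io is any seekable IO positioned at the start of the .gem tar archive.
# Presence of the files is only the first check: the signing certificate
# must also chain to a cert in the local trust store for HighSecurity to pass.
def signature_report(gem_io)
  entries = []
  Gem::Package::TarReader.new(gem_io) do |tar|
    tar.each { |entry| entries << entry.full_name }
  end
  missing = SIGNATURE_ENTRIES - entries
  { entries: entries, signed: missing.empty?, missing: missing }
end

# Convenience wrapper for a .gem file on disk (for example one saved by `gem fetch`).
def signature_report_for_file(path)
  File.open(path, "rb") { |f| signature_report(f) }
end

# Constructs a minimal .gem-shaped tar in memory for demonstration only;
# the contents are placeholders, not a real gem and not a real signature.
def build_sample_gem(signed:)
  io = StringIO.new
  Gem::Package::TarWriter.new(io) do |tar|
    tar.add_file("metadata.gz", 0o644) { |f| f.write("placeholder-metadata") }
    tar.add_file("data.tar.gz", 0o644) { |f| f.write("placeholder-data") }
    if signed
      SIGNATURE_ENTRIES.each do |name|
        tar.add_file(name, 0o644) { |f| f.write("placeholder-signature") }
      end
    end
  end
  io.rewind
  io
end

if __FILE__ == $PROGRAM_NAME
  [true, false].each do |signed|
    report = signature_report(build_sample_gem(signed: signed))
    puts "signed=#{report[:signed]} missing=#{report[:missing].inspect}"
  end
end
```

Pointed at a real archive via `signature_report_for_file`, the same check shows which gems in a bundle would have to be signed before HighSecurity could be enabled.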

rafaelfranca commented 1 year ago

We will sign this gem when RubyGems has a good way to sign gems. As it doesn't have one yet, I'll mark this closed, but I'll make sure we work on improving how RubyGems signs gems.

jfelchner commented 1 year ago

@rafaelfranca I don't understand "a good way to sign gems". Can you elaborate? I sign all my gems. It's part of the build process. It's very easy.

jfelchner commented 1 year ago

https://guides.rubygems.org/security/

rafaelfranca commented 1 year ago

https://github.com/rubygems/rfcs/pull/37

Perhaps for a single-person gem the approach of using certificates to sign the gem is OK. But for a gem like Thor, which has several maintainers, passing a private certificate around is prone to so many attack vectors that it isn't worth doing.