tarcieri
commented
11 years ago Yes, this, please. As Ben Smith's talk demonstrated, without this it's quite trivial for malicious gems to steal your gem credentials and/or use them to publish malicious payloads in your gems (e.g. someone could make a RubyGems worm that infects legitimate gems with malicious code then publishes them)
nyarly
pietro
The current gem cert --build builds a passphrase-less key and advises you to keep the key safe. As I recall, that was reason number one I decided gem certificates weren't worth using.
So:
a) gem cert --build should ask for a passphrase and (possibilty) refuse to create a key with an empty passphrase.
b) To reduce the frustration of needing to enter a password with every gem push or gem cert --sign (which honestly shouldn't be that big a deal), compatibility with ssh-agent and friends for key management would be nice.