rubygems / rubygems.org

The Ruby community's gem hosting service.
https://rubygems.org
MIT License

Include signature information for versions #2079

Closed. matiaskorhonen closed this 3 years ago

matiaskorhonen commented 5 years ago

Would it be possible to include details about whether a gem version has been cryptographically signed or not in the versions table?

At the moment it seems like the only way to tell if a gem has been signed or not would be to download the whole gem and check for the signature after unpacking it.

I was hoping to check how many gems even had signatures, so downloading every gem on RubyGems.org isn't really feasible (and wouldn't be a good use of RubyGems.org resources either).

I don't know if it would be useful to expose that information on the site or the API at the moment, but having it as an option could be useful in the future.

I would be happy to submit a PR if someone points me in the right direction for what would be the best place to add this sort of code…

rubyFeedback commented 5 years ago

May be useful.

I have a question, though - within this context, what exactly is meant by a "signature"? Does this mean that gem authors may have to do an additional step?

If you only need this information in the form of statistics, then perhaps that could be shown at:

https://rubygems.org/stats

In the bottom area; or perhaps with a URI such as:

https://rubygems.org/stats_signature
https://rubygems.org/stats/signatures

Or something like this (just generating ideas really).

> I would be happy to submit a PR if someone points me in the right direction for what would be the best place to add this sort of code

I can't say; I am not among the rubygems.org maintainers, so I can only give an opinion. But I believe that before a PR, I would wait until a few folks have commented on the issue, and perhaps decide what exactly needs to be changed, e.g. something like a todo list (I think it's fine if you just start with any list; indirect and others can give ideas if something has to be improved upon, IMO).

matiaskorhonen commented 5 years ago

I was referring to the X.509 cryptographic signatures that are supported by RubyGems.

I'd like to know how many gems include them, and what are the most popular gems that have been signed…

simi commented 4 years ago

@matiaskorhonen AFAIK we do not store information about whether a gem is signed in the metadata. It would be interesting to ingest that information on gem push and store it in a bool flag on the versions table.

Once done, we would also be able to inform users on the rubygems.org gem page.

svoop commented 4 years ago

@simi Are you sure? Looking at the metadata, I see the cert_chain which at least suggests everything is in place for signing the gem:

--- !ruby/object:Gem::Specification
name: aipp
version: !ruby/object:Gem::Version
  version: 0.2.6
(...)
cert_chain:
- |
  -----BEGIN CERTIFICATE-----
  MIIDcDCCAligAwIBAgIBATANBgkqhkiG9w0BAQUFADA/MQ0wCwYDVQQDDARydWJ5
  MRkwFwYKCZImiZPyLGQBGRYJYml0Y2V0ZXJhMRMwEQYKCZImiZPyLGQBGRYDY29t
  MB4XDTIwMDMxNDE5NDgwNVoXDTIxMDMxNDE5NDgwNVowPzENMAsGA1UEAwwEcnVi
  eTEZMBcGCgmSJomT8ixkARkWCWJpdGNldGVyYTETMBEGCgmSJomT8ixkARkWA2Nv
  bTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL4k2DCa8/eAFiak4Kwe
  0Iu8dk0JfHWeywjVVSNv6PtnQ96B/1jLmw5Wb+xYJSyvG6KEOzEMWA/lqO+nIrdO
  2LDRxuWojH5GROp/dtQ+SxsWlvui4cs9iBmI5Mj0mc1UgST3UFf60ry8OnyR+E9N
  RVVZZykAGmxwyAqD1aq5Yt0lZMdvrGnaLWcZdKC99e812pdTN948k8Iw2GJAaNtH
  Tp17XDfDNBANHjYy9xCqrxvNTfT4Bs43rPA1A77+mkPgI2Vx51u2CWA+K3hP4gAZ
  F50xqnagzgXSOzCme1mC/sUUmoAAB39g2CuNocWuhv0R3/HeqdwAsA/1XpDF2NfQ
  zW8CAwEAAaN3MHUwCQYDVR0TBAIwADALBgNVHQ8EBAMCBLAwHQYDVR0OBBYEFDfY
  gRWUI+J6nX7Po7Zq0zvDopfYMB0GA1UdEQQWMBSBEnJ1YnlAYml0Y2V0ZXJhLmNv
  bTAdBgNVHRIEFjAUgRJydWJ5QGJpdGNldGVyYS5jb20wDQYJKoZIhvcNAQEFBQAD
  ggEBAFsTSBbxIkTdppL8yFl0KglyUMq9DjkMwvz7ORJzHMfw1S2OmXMYnJ5fSXFu
  C/9puwYMdD6V3THyqc1Rhj6RRZ/576MDwIXMgOETQfPTT6jNE+p4cRougDrQ32aV
  29WIAY21/o0FBuJZqxLDRTu6O7AHrjFnv7Kkpr1oYiR9G4MNEihyNt909nHnSixC
  qn5dLDjawWVvAz5oeD1sE0Kyp6CDY8i3NfBu4aqz8uAbaEJh3jpY5NW2Lv++s7hf
  EUqN8dad5Oosf9hYbfFXPzkJIIGiKMS4e1cbnAr/vadELoccfEN9tSlLuW/voNqA
  2635TmaVXxUEgIOzRhGlE1+frXI=
  -----END CERTIFICATE-----
date: 2020-03-15 00:00:00.000000000 Z
dependencies:
- !ruby/object:Gem::Dependency
  name: aixm
(...)

The cert contains more useful data, most notably the expiration date. This could be used to alert authors before the certs of the latest release expire – which happens easily and impacts this whole signing/validating approach.
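The ingest-on-push idea from earlier in this thread, and the cert-expiry warning suggested above, could both be driven by one pass over the pushed gemspec. The following is an added example, not rubygems.org code: `signature_info` is a hypothetical helper that reads `cert_chain` from a `Gem::Specification` and returns the values a "signed" flag and an expiry alert would need; the certificate and gemspecs are constructed in the script so it runs offline.

```ruby
require "openssl"

# Summarise the signing-related fields of a Gem::Specification, returning a
# hash that maps onto the columns a "signed" flag on the versions table needs.
# Caveat: cert_chain in the gemspec shows the author set up signing; the
# signatures themselves are the *.sig files inside the .gem archive.
def signature_info(spec, now: Time.now)
  certs = Array(spec.cert_chain).map { |pem| OpenSSL::X509::Certificate.new(pem) }
  return { signed: false, certs: 0, expires_at: nil, days_left: nil } if certs.empty?
  # The earliest not_after in the chain breaks verification first, so that is
  # the date worth warning the author about ahead of time.
  expires_at = certs.map(&:not_after).min
  {
    signed: true,
    certs: certs.size,
    subject: certs.last.subject.to_s,          # leaf (signing) certificate
    expires_at: expires_at,
    days_left: ((expires_at - now) / 86_400).ceil,
  }
end

# Throwaway self-signed certificate so the example runs offline.
# Constructed test data, not the aipp gem's real certificate from the thread.
def sample_cert(days_valid)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.new([["CN", "ruby"], ["DC", "example"], ["DC", "com"]])
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + days_valid * 86_400
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  cert.to_pem
end

# Constructed gemspecs standing in for what `gem push` would hand the ingest step.
def signed_spec(days_valid = 30)
  Gem::Specification.new do |s|
    s.name, s.version = "example-signed", "0.1.0"
    s.cert_chain = [sample_cert(days_valid)]
  end
end

def unsigned_spec
  Gem::Specification.new { |s| s.name, s.version = "example-plain", "0.1.0" }
end

[signed_spec, unsigned_spec].each { |s| p [s.full_name, signature_info(s)] }
```

Presence of `cert_chain` is only an indicator; a full check on push would still verify the archive's `.sig` files against the chain before setting the flag.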

simi commented 4 years ago

That's a serialized gemspec, if I understand that well. But we do not store this info in the rubygems.org database for now. That's my idea: to store it in there as well.

sonalkr132 commented 3 years ago

closed by #2814