technion / ruby-argon2

A Ruby gem offering bindings for Argon2 password hashing
MIT License
229 stars 30 forks

Unsigned RubyGem #33

Closed Aupajo closed 3 years ago

Aupajo commented 5 years ago

The argon2 gem is unsigned and cannot be installed with the HighSecurity option:

$ gem install -P HighSecurity argon2
ERROR:  While executing gem ... (Gem::Security::Exception)
    unsigned gems are not allowed by the High Security policy

If this is something you'd consider changing and aren't familiar with the process, https://guides.rubygems.org/security/#building-gems has some good instructions.
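As an added illustration of the rejection shown above (example code written for this edit, not the ruby-argon2 project's own code and not the reporter's): it builds two constructed throwaway gems with RubyGems' own `Gem::Package` API, one unsigned and one signed with a constructed self-signed certificate, and then runs the same package verification that `gem install -P <policy>` applies. The helper names (`build_demo_gem`, `gem_entries`, `verify_with`), the gem names and the `signer@example.test` address are assumptions made for the example.

```ruby
# Added example, not part of the ruby-argon2 project or of this issue thread.
require "rubygems"
require "rubygems/package"
require "rubygems/security"
require "openssl"
require "tmpdir"
require "fileutils"

# Build a minimal constructed gem inside `dir`. When `key` and `cert` are given the
# gem is signed the way `gem build` signs a gemspec that sets signing_key and
# cert_chain; otherwise it is left unsigned, like argon2 at the time of the report.
# Returns the absolute path of the .gem file.
def build_demo_gem(dir, name, key: nil, cert: nil)
  spec = Gem::Specification.new do |s|
    s.name    = name
    s.version = "0.0.1"
    s.summary = "constructed demo gem for signature checks"
    s.authors = ["demo"]
    s.files   = ["lib/demo.rb"]
    if key
      s.signing_key = key           # an OpenSSL::PKey; a real gemspec usually gives a path
      s.cert_chain  = [cert.to_pem] # a real gemspec lists certs/*.pem paths
    end
  end
  Dir.chdir(dir) do
    FileUtils.mkdir_p("lib")
    File.write("lib/demo.rb", "module Demo; end\n")
    Gem::Package.build(spec, true) # true = skip gemspec validation (demo only)
    File.expand_path(spec.file_name)
  end
end

# Names of every entry in the outer tar of a .gem. A signed gem carries a
# "<file>.sig" entry beside metadata.gz, data.tar.gz and checksums.yaml.gz;
# an unsigned gem has no .sig entries at all.
def gem_entries(path)
  File.open(path, "rb") do |io|
    Gem::Package::TarReader.new(io).map(&:full_name)
  end
end

# Run RubyGems' package verification under `policy` (nil = what a plain
# `gem install` does). Returns :accepted, or the policy's rejection message.
def verify_with(path, policy)
  Gem::Package.new(path, policy).verify
  :accepted
rescue Gem::Security::Exception => e
  e.message
end

if $PROGRAM_NAME == __FILE__
  Dir.mktmpdir do |dir|
    unsigned = build_demo_gem(dir, "demo-unsigned")

    # Constructed signing identity: a fresh RSA key and a self-signed cert,
    # the same shape `gem cert --build signer@example.test` produces.
    key  = OpenSSL::PKey::RSA.new(2048)
    cert = Gem::Security.create_cert_email("signer@example.test", key)
    signed = build_demo_gem(dir, "demo-signed", key: key, cert: cert)

    puts "unsigned entries: #{gem_entries(unsigned).inspect}"
    puts "signed entries:   #{gem_entries(signed).inspect}"
    puts "unsigned, no policy:     #{verify_with(unsigned, nil)}"
    puts "unsigned, HighSecurity:  #{verify_with(unsigned, Gem::Security::HighSecurity)}"
    puts "signed,   LowSecurity:   #{verify_with(signed, Gem::Security::LowSecurity)}"
    # HighSecurity additionally requires the signer's cert in ~/.gem/trust, so the
    # signed gem is still rejected here until the certificate has been trusted.
    puts "signed,   HighSecurity:  #{verify_with(signed, Gem::Security::HighSecurity)}"
  end
end
```

The unsigned gem passes with no policy and is rejected by HighSecurity with the same "unsigned gems are not allowed by the High Security policy" message as in the report; the signed gem passes LowSecurity (signature checked against the embedded certificate) but HighSecurity also insists that the certificate already sits in the installing user's trust directory, which is why the trust-anchor question of where users fetch the public key from matters as much as signing itself.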

technion commented 3 years ago

I've regretted that I haven't had a "proper" answer to this for quite some time. Certainly in my ideal scenario, everything would be signed everywhere.

Even signed, you won't be able to install in HighSecurity mode because neither of our dependencies is signed. I've gone out of my way to utilise a very bare minimum of deps, but ffi isn't able to be avoided. Secondly, using the guide you've got, users are encouraged to grab the public key right from the same public Github repo we store the codebase on - significantly limiting the actual security offered here.

However in order to at least do something, I'm going to commit a certificate version and make a signed release soon.

technion commented 3 years ago

Unfortunately I'm going to have to revert this. Signing appears to work on some machines but then I go to verify on others and I just get this:

ERROR:  While executing gem ... (Gem::Security::Exception)
    no digests provided (probable bug)

I've reviewed common gems and there's no certificates shipped with libsodium or bcrypt, two of the most trusted and significant crypto libraries.

joshbuker commented 3 years ago

Certainly in my ideal scenario, everything would be signed everywhere.

I would highly recommend signing your git commits. For guidance, see: https://docs.github.com/articles/signing-commits-with-gpg/