Last Updated: February 25, 2016
· rares

Signing Gems

Given the recent hacking of rubygems.org some concern has been raised over code execution of downloaded gems on install.

The good news is that rubygems does offer some level of protection to the client when installing .gem files them as long as the gem author has signed the gem itself.

To sign a gem:

$ gem cert --build replace.yourname@yourdomain.com

This will produce two files: gem-publiccert.pem and gem-privatekey.pem.
gem-privatekey.pem must be moved to a secure place (this is a topic unto itself but needless to say, don't share its location or contents with anyone. A USB stick or some other external device that can be disconnected might be a good start). The gem-publiccert.pem will be distributed with each gem that you sign.

The last step will be telling the .gemspec to use these files:

gem.signing_key   = "/private/path/that/is/secure/gem-private_key.pem"
gem.cert_chain    = ["gem-public_cert.pem"]

Then build the gem and deploy as usual. When installing this gem, the user can now make assertions that the signature must be valid and the gem is created by the actual author:

$ gem install option-1.0.1.gem -P HighSecurity

Before the above line is successfully run however, we have to trust the public certificate, which you can get by examining the source code of the gem (not the .gem that was downloaded, code published to a trusted source):

$ gem cert --add gem-public_cert.pem

The install should succeed now.