What do you think of building a gem with rubygems/package_task?
    require 'rubygems/package_task'

    GEMSPEC = Gem::Specification.load('ruby-lint.gemspec')

    Dir['./task/*.rake'].each do |task|
      import(task)
    end

    Gem::PackageTask.new(GEMSPEC) do |pkg|
      pkg.need_tar = false
      pkg.need_zip = false
    end
like https://github.com/YorickPeterse/ruby-lint/commit/daa816f50cf5bb1272e5296c0db4d73bb525bd8a
    require 'digest/sha2'

    desc 'Creates a SHA512 checksum of the current version'
    task :checksum do
      # task/checksum.rake lives one level below the repository root, so
      # ../../checksum and ../../pkg resolve to the top-level directories.
      checksums     = File.expand_path('../../checksum', __FILE__)
      name          = "#{GEMSPEC.name}-#{GEMSPEC.version}.gem"
      path          = File.join(File.expand_path('../../pkg', __FILE__), name)
      checksum_name = File.basename(path) + '.sha512'

      # Read the .gem as raw bytes so the digest matches `sha512sum` on every platform.
      checksum = Digest::SHA512.hexdigest(File.binread(path))

      File.open(File.join(checksums, checksum_name), 'w') do |handle|
        handle.write(checksum)
      end
    end
e.g. https://github.com/YorickPeterse/ruby-lint#security
To ensure that people can't tamper with the ruby-lint Gem once it's being distributed as a .gem file, the Gem is signed using GNUPG (using the rubygems-openpgp Gem). If you have this Gem installed it's recommended that you install ruby-lint as follows:
gem install ruby-lint --verify --trust
Unless you have my GPG public key and have marked it as trusted this process will fail. For signing Gems I use the public key 3649F444 registered to "Yorick Peterse" using Email address [email protected].
You can add this key by running the following command:
gpg --recv-keys 3649F444
In case you don't use GPG but still want some form of verification you can use the checksums that are located in the "checksum" directory. These checksums are SHA512 checksums of entire Gem files and can be verified using the sha512sum command.
e.g. https://github.com/sferik/twitter#installation
To ensure the code you're installing hasn't been tampered with, it's recommended that you verify the signature. To do this, you need to add my public key as a trusted certificate (you only need to do this once):
gem cert --add <(curl -Ls https://gist.github.com/sferik/4701180/raw/public_cert.pem)
Then, install the gem with the high security trust policy:
gem install twitter -P HighSecurity
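As an added example (not code from ruby-lint, the twitter gem or the commit linked above), here is the consumer side of the checksum approach described earlier: verifying a downloaded .gem against a published SHA512 checksum file before installing it. It accepts both the bare hex digest the rake task writes and the `<hex>  <filename>` line that `sha512sum` emits, checks that the checksum names the file being verified, and compares digests in constant time; the fixture data is constructed.

```ruby
# Added example (not ruby-lint or twitter code): verify a .gem against a published
# SHA512 checksum before installing. Accepts the bare hex digest written by the rake
# task above and the "<hex>  <filename>" line emitted by `sha512sum`.
require 'digest/sha2'
require 'tmpdir'

SHA512_HEX = /\A[0-9a-f]{128}\z/

# Expected digest from a checksum file, or nil if it is not a SHA512 line or names
# a different file than the one being verified.
def parse_sha512_checksum(content, expected_name = nil)
  line = content.to_s.lines.first.to_s.strip
  hex, name = line.split(/\s+\*?/, 2) # sha512sum separates with "  " or " *"
  hex = hex.to_s.downcase
  return nil unless hex.match?(SHA512_HEX)
  return nil if expected_name && name && File.basename(name) != expected_name
  hex
end
# Hash the gem as raw bytes; text-mode File.read can alter bytes on Windows.
def sha512_of_file(path)
  Digest::SHA512.file(path).hexdigest
end
# Compare digests without stopping at the first differing byte.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end
# True when gem_path matches checksum_path; raises RuntimeError otherwise.
def verify_gem_checksum(gem_path, checksum_path)
  expected = parse_sha512_checksum(File.read(checksum_path), File.basename(gem_path))
  raise "unrecognised checksum file: #{checksum_path}" unless expected
  actual = sha512_of_file(gem_path)
  raise "checksum mismatch: #{gem_path}" unless constant_time_equal?(expected, actual)
  true
end
# Constructed fixture: a fake gem with a bare checksum, a sha512sum-style line and
# a tampered digest. Returns [true, true, false].
def demo_verify
  Dir.mktmpdir do |dir|
    gem_path = File.join(dir, 'example-0.0.1.gem')
    File.binwrite(gem_path, 'constructed gem bytes' + [0, 255].pack('C*'))
    digest = sha512_of_file(gem_path)
    { 'bare.sha512' => digest,
      'sum.sha512' => "#{digest}  example-0.0.1.gem\n",
      'bad.sha512' => digest.tr('0-9a-f', 'fedcba9876543210') }.map do |name, content|
      File.write(File.join(dir, name), content)
      verify_gem_checksum(gem_path, File.join(dir, name)) rescue false
    end
  end
end
```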