08 November 2013

I recently decided to distribute MetricFu as a cryptographically signed gem, using the RubyGems gemspec.

I found it really hard to find documentation, so I’m sharing what I learned.

Signing and building your gem

1) Create self-signed gem cert

cd ~/.ssh
gem cert --build your@email.com
chmod 600 gem-p*
  • use the email address you specify in your gemspecs

2) Configure gemspec with cert

  • Add cert public key to your repository
cd /path/to/your/gem
mkdir certs
cp ~/.ssh/gem-public_cert.pem certs/yourhandle.pem
git add certs/yourhandle.pem

I named the cert in metric_fu bf4.pem since that is my github username

  • Add cert paths to your gemspec
 s.cert_chain  = ['certs/yourhandle.pem']
 s.signing_key = File.expand_path("~/.ssh/gem-private_key.pem") if $0 =~ /gem\z/

3) Add your own cert to your approved list, just like anyone else

gem cert --add certs/bf4.pem

4) Build gem and test that you can install it

gem build metric_fu.gemspec
gem install metric_fu-4.5.1.gem -P HighSecurity

Example instructions for others to install

MetricFu is cryptographically signed. To be sure the gem you install hasn’t been tampered with:

Add my public key (if you haven’t already) as a trusted certificate gem cert –add <(curl -Ls https://raw.github.com/metricfu/metric_fu/master/certs/bf4.pem) gem install metric_fu -P HighSecurity This may cause installation to fail if non-signed dependent gems are also being installed.

References:

Updates:



blog comments powered by Disqus