Installing a gem allows that gem’s code to run in the context of your application. Clearly this has security implications: installing a malicious gem on a server could ultimately result in that server being completely penetrated by the gem’s author. Because of this, the security of gem code is a topic of active discussion within the Ruby community.
RubyGems has had the ability to cryptographically sign gems since version 0.8.11.
This signing works by using the gem cert command to create a key pair, and then packaging signing data inside the gem itself.
[~/srcLPPruby/matrices_dispersas(master)]$ gem help cert
Usage: gem cert [options]

  Options:
    -a, --add CERT                   Add a trusted certificate.
    -l, --list [FILTER]              List trusted certificates where the
                                     subject contains FILTER
    -r, --remove FILTER              Remove trusted certificates where the
                                     subject contains FILTER
    -b, --build EMAIL_ADDR           Build private key and self-signed
                                     certificate for EMAIL_ADDR
    -C, --certificate CERT           Signing certificate for --sign
    -K, --private-key KEY            Key for --sign or --build
    -s, --sign CERT                  Signs CERT with the key from -K
                                     and the certificate from -C

  Common Options:
    -h, --help                       Get help on this command
    -V, --[no-]verbose               Set the verbose level of output
    -q, --quiet                      Silence commands
        --config-file FILE           Use this config file instead of default
        --backtrace                  Show stack backtrace on errors
        --debug                      Turn on Ruby debugging

  Summary:
    Manage RubyGems certificates and signing settings

  Description:
    The cert command manages signing keys and certificates for creating
    signed gems. Your signing certificate and private key are typically
    stored in ~/.gem/gem-public_cert.pem and ~/.gem/gem-private_key.pem
    respectively.

    To build a certificate for signing gems:

      gem cert --build you@example

    If you already have an RSA key, or are creating a new certificate for an
    existing key:

      gem cert --build you@example --private-key /path/to/key.pem

    If you wish to trust a certificate you can add it to the trust list with:

      gem cert --add /path/to/cert.pem

    You can list trusted certificates with:

      gem cert --list

    or:

      gem cert --list cert_subject_substring

    If you wish to remove a previously trusted certificate:

      gem cert --remove cert_subject_substring

    To sign another gem author's certificate:

      gem cert --sign /path/to/other_cert.pem

    For further reading on signing gems see `ri Gem::Security`
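The "packaging signing data inside the gem" step happens on the author's side through the gemspec. The following is an added example (not code from the page or from the RubyGems project) of a gemspec that points `gem build` at the private key and ships the author's certificate inside the gem; the gem name and file paths are assumptions, the paths being the defaults that gem cert --build writes to.

```ruby
require 'rubygems'

# Added example: a gemspec configured for signing. The gem name, files and
# key/certificate paths are assumptions for this illustration.
def signed_spec
  Gem::Specification.new do |s|
    s.name    = 'demo_gem'                       # constructed gem name
    s.version = '0.1.0'
    s.summary = 'Example gem demonstrating a signed build'
    s.authors = ['Example Author']
    s.files   = ['lib/demo_gem.rb']

    # Private key that `gem build` uses to sign the gem's metadata and data
    # archives. Default location written by `gem cert --build` (assumption).
    s.signing_key = File.expand_path('~/.gem/gem-private_key.pem')

    # Certificate chain packaged inside the .gem so that installers can check
    # the signatures against the certificates they trusted with `gem cert --add`.
    s.cert_chain = ['gem-public_cert.pem']
  end
end

if __FILE__ == $PROGRAM_NAME
  spec = signed_spec
  puts "signing key: #{spec.signing_key}"
  puts "cert chain:  #{spec.cert_chain.inspect}"
end
```

Only the private key path is read at build time; the certificate file named in `cert_chain` is what ends up inside the gem, so it must be committed alongside the gemspec.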
The user needs to add the author or source site public key as a trusted certificate (you only need to do this once per author/site):
gem cert --add <(curl -Ls https://gist.github.com/sferik/4701180/raw/public_cert.pem)
The gem install command optionally lets you set a security policy (via the option -P or --trust-policy POLICY, which specifies the gem trust policy), and you can verify the signing key for a gem before you install it:
gem install twitter -P HighSecurity
Available policies are:
However, this method of securing gems is not widely used. It requires a number of manual steps on the part of the developer, and there is no well-established chain of trust for gem signing keys.
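What -P HighSecurity actually enforces is a combination of the two steps above: the gem's files must carry signatures that verify under the certificate packaged in the gem, and that certificate must already be in the installer's trust list. The following is an added example (not RubyGems' own code) that models that check with Ruby's OpenSSL bindings in the same spirit: a key pair and self-signed certificate stand in for gem cert --build, per-file RSA signatures over SHA-256 digests stand in for the signing data inside the gem, and a list of trusted certificates stands in for what gem cert --add populates. The function names, the author e-mail addresses and the file contents are all constructed for this example.

```ruby
require 'openssl'

# Added example (not RubyGems' code): a simplified model of HighSecurity-style
# verification. Names such as build_author_cert, sign_files and
# verify_high_security are this example's own.

# Key pair plus self-signed certificate, in the spirit of `gem cert --build EMAIL`.
def build_author_cert(email, days: 365)
  user, domain = email.split('@', 2)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{user}/DC=#{domain.split('.').join('/DC=')}")
  cert.issuer     = cert.subject              # self-signed: issuer == subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60             # small clock-skew allowance
  cert.not_after  = Time.now + days * 86_400
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [key, cert]
end

# Sign each packaged file with the author's private key: one RSA signature over
# the SHA-256 digest of the file's bytes.
def sign_files(files, key)
  files.transform_values { |content| key.sign(OpenSSL::Digest.new('SHA256'), content) }
end

def cert_fingerprint(cert)
  OpenSSL::Digest::SHA256.hexdigest(cert.to_der)
end

# HighSecurity-style check. Returns [ok, reason]. Every file needs a signature
# that verifies under the signing certificate, the certificate must be within
# its validity period, and it must match an entry in the trust list exactly.
def verify_high_security(files, signatures, cert, trusted_certs)
  return [false, 'gem is not signed'] if signatures.nil? || signatures.empty?

  now = Time.now
  unless cert.not_before <= now && now <= cert.not_after
    return [false, 'signing certificate expired or not yet valid']
  end

  unless trusted_certs.any? { |t| cert_fingerprint(t) == cert_fingerprint(cert) }
    return [false, 'signing certificate is not in the trust list']
  end

  files.each do |name, content|
    sig = signatures[name]
    return [false, "no signature for #{name}"] unless sig
    unless cert.public_key.verify(OpenSSL::Digest.new('SHA256'), sig, content)
      return [false, "signature for #{name} does not match its content"]
    end
  end
  [true, 'all files signed by a trusted certificate']
end

# The situations an installer faces; returns { scenario => accepted? }.
def run_scenarios
  key, cert             = build_author_cert('alice@example.com')    # constructed author
  other_key, other_cert = build_author_cert('mallory@example.net')  # constructed, never trusted
  files = { 'metadata.gz' => "name: demo\nversion: 1.0.0",          # constructed stand-ins
            'data.tar.gz' => 'archive bytes' }
  sigs       = sign_files(files, key)
  trust_list = [cert]                                                # only alice was `gem cert --add`ed
  tampered   = files.merge('data.tar.gz' => 'altered archive bytes')

  {
    'trusted_and_intact' => verify_high_security(files, sigs, cert, trust_list).first,
    'tampered_data'      => verify_high_security(tampered, sigs, cert, trust_list).first,
    'untrusted_signer'   => verify_high_security(files, sign_files(files, other_key), other_cert, trust_list).first,
    'unsigned'           => verify_high_security(files, {}, cert, trust_list).first
  }
end

if __FILE__ == $PROGRAM_NAME
  run_scenarios.each { |scenario, ok| puts "#{scenario}: #{ok ? 'install' : 'REJECT'}" }
end
```

Only the first scenario installs; a tampered archive, a signer whose certificate was never added to the trust list, and an unsigned gem are all rejected. The last two cases are exactly why the policy rests on the manual gem cert --add step: with no established chain of trust, the installer can only accept certificates the user has explicitly trusted beforehand.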