gem cert: Gem Security

Installing a gem allows that gem’s code to run in the context of your application. Clearly this has security implications: installing a malicious gem on a server could ultimately result in that server being completely penetrated by the gem’s author. Because of this, the security of gem code is a topic of active discussion within the Ruby community.

RubyGems has had the ability to cryptographically sign gems since version 0.8.11.

gem cert

This signing works by using the gem cert command to create a key pair, and then packaging signing data inside the gem itself.

[~/srcLPPruby/matrices_dispersas(master)]$ gem help cert
Usage: gem cert [options]

    -a, --add CERT                   Add a trusted certificate.
    -l, --list [FILTER]              List trusted certificates where the
                                     subject contains FILTER
    -r, --remove FILTER              Remove trusted certificates where the
                                     subject contains FILTER
    -b, --build EMAIL_ADDR           Build private key and self-signed
                                     certificate for EMAIL_ADDR
    -C, --certificate CERT           Signing certificate for --sign
    -K, --private-key KEY            Key for --sign or --build
    -s, --sign CERT                  Signs CERT with the key from -K
                                     and the certificate from -C

  Common Options:
    -h, --help                       Get help on this command
    -V, --[no-]verbose               Set the verbose level of output
    -q, --quiet                      Silence commands
        --config-file FILE           Use this config file instead of default
        --backtrace                  Show stack backtrace on errors
        --debug                      Turn on Ruby debugging

    Manage RubyGems certificates and signing settings

    The cert command manages signing keys and certificates for creating signed
    gems.  Your signing certificate and private key are typically stored in
    ~/.gem/gem-public_cert.pem and ~/.gem/gem-private_key.pem respectively.
    To build a certificate for signing gems:
      gem cert --build you@example
    If you already have an RSA key, or are creating a new certificate for an
    existing key:
      gem cert --build you@example --private-key /path/to/key.pem
    If you wish to trust a certificate you can add it to the trust list with:
      gem cert --add /path/to/cert.pem
    You can list trusted certificates with:
      gem cert --list
      gem cert --list cert_subject_substring
    If you wish to remove a previously trusted certificate:
      gem cert --remove cert_subject_substring
    To sign another gem author's certificate:
      gem cert --sign /path/to/other_cert.pem
    For further reading on signing gems see `ri Gem::Security`

The user needs to add the author or source site public key as a trusted certificate (you only need to do this once per author/site):

gem cert --add <(curl -Ls

Security Policy: gem install twitter -P HighSecurity

The gem install command optionally lets you set a security policy (via the option -P or --trust-policy POLICY which specifies gem trust policy) and you can verify the signing key for a gem before you install it:

gem install twitter -P HighSecurity

Available Policies

Available policies are:

  1. NoSecurity - Well, no security at all. Signed packages are treated like unsigned packages.

  2. LowSecurity - Pretty much no security. If a package is signed then RubyGems will make sure the signature matches the signing certificate, and that the signing certificate hasn't expired, but that's it. A malicious user could easily circumvent this kind of security.

  3. MediumSecurity - Better than LowSecurity and NoSecurity, but still fallible. Package contents are verified against the signing certificate, and the signing certificate is checked for validity, and checked against the rest of the certificate chain. The biggest improvement over LowSecurity is that MediumSecurity won't install packages that are signed by untrusted sources. Unfortunately, MediumSecurity still isn't totally secure – a malicious user can still unpack the gem, strip the signatures, and distribute the gem unsigned.
  4. HighSecurity - The HighSecurity policy is identical to the MediumSecurity policy, except that it does not allow unsigned gems. A malicious user can't modify the package contents without invalidating the signature, and he can't modify or remove signature or the signing certificate chain

However, this method of securing gems is not widely used. It requires a number of manual steps on the part of the developer, and there is no well-established chain of trust for gem signing keys.


  1. Ruby Gems: Using High Security Trust Policy
  2. A Practical Guide to Using Signed Ruby Gems - Part 1: Bundler
  3. A Practical Guide to Using Signed Ruby Gems - Part 2: Heroku

Casiano Rodriguez León 2015-01-07