My Profile Photo

My personal blog. Software, devops, security, music, and general nerditry.

How to sign your Ruby gems

In light of the recent Rubygems security issues, I’ve been adding signatures to my own gems, and encouraging other gem authors to do the same by opening issues on various Github projects. Gem signing coupled with publication of a pubkey allows people to verify the authenticity of your published gems against your repository, so that they can be certain that the gems they are downloading from Rubygems (or where ever) are authentic and were actually released by you, the gem author (as opposed to, say, backdoored and uploaded to Rubygems by a malicious entity in the event of another security breach).

The how-to is here:


  1. gem cert --build
  2. Copy the private key somewhere safe (I use ~/.gemcert)
  3. Add the public key to the repo (git add gem-public_cert.pem)
  4. Update the gemspec with something like:

    ~~~ruby s.signing_key = ‘/home/chris/.gemcert/gem-private_key.pem’ s.cert_chain = [‘gem-public_cert.pem’] ~~~

  5. Push and rake release

While this does mean that your gem is signed by a self-signed certificate, and thus the lack of chain-of-trust means that your gem would not be verifiable if your Github credentials or machine housing your private key were compromised, it provides a layer of verification between source and package publication platforms, and would allow for much speedier community recovery in the event of a future breach.

This is quick, easy, and has no downside. I encourage all gem authors to immediately add signatures to their gems, and for all gem users to open or support issues on your favorite gem projects to encourage their maintainers to do the same.

comments powered by Disqus