jwt-pq 0.1.0 → 0.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 50b794a7ae8858987b6ec5608deef2c56e1e7ae89dca00da9e8cfbea14999f06
-  data.tar.gz: a2c66e4bca2430f9f443dcef4d2c8d6a92ce619576ae4c99f1fa61ddef7935aa
+  metadata.gz: cc80be78087261982368d78df297e89720290aa2c1252ed7b3b1f44298dd4856
+  data.tar.gz: f4c95127b8f0aab465029c1eedff1e0ef37c6e1342348f3286bc396e26ef6961
 SHA512:
-  metadata.gz: ffb6709911168e143e1babc9d1c2209ab5ceaed573529b801f72ba1d20f13cd26575b8c6db6c754e2028c7e695fe492b5ce052fd5b6b002fa5ee7d530f0ea479
-  data.tar.gz: a2f9e6837f2995d09c67576ab317358cbf32b23349416c127c2d11bbbeb91c5ea81d9c914e6f302bb23bf874cd1cd48714af903d9b663f7e4dea62bb04b135d8
+  metadata.gz: 3498399528c54d624c93ca00f1c6a884cb6db6591dd861cc26409aa58502a8ecf1ae1bd6901c7fb5b8d1ebe44cd5462661757b299dc8f7127100b60d9153d5ed
+  data.tar.gz: 22a25bf0c7f3562f226a88832dba44ee164964328dcf2c2841a0c6ea286a585bd7f85c5237d5356d6272fc1ff3ef1ca3cf63f5b4057e91ef8895a22a2d75ff3b

data/CHANGELOG.md

@@ -5,6 +5,43 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [Unreleased]
+
+## [0.2.0] - 2026-04-06
+
+### Added
+
+- Vendored liboqs build — `gem install jwt-pq` now compiles liboqs from source automatically
+- `Key#destroy!` and `HybridKey#destroy!` for explicit zeroization of private key material
+- `--use-system-libraries` escape hatch for users with pre-installed liboqs
+- `JWT_PQ_LIBOQS_SOURCE` env var for air-gapped environments
+- Path traversal protection in tarball extraction (defense-in-depth)
+- Smoke test job in CI (builds gem, installs, runs end-to-end verification)
+- Weekly CI schedule to catch dependency breakage
+- Dependabot for automated dependency updates
+- Secret scanning and push protection
+- Code coverage with SimpleCov and Codecov
+
+### Changed
+
+- CMake and a C compiler (gcc/clang) are now required at install time
+- `Key#inspect` and `HybridKey#inspect` no longer expose private key material
+- `Key.resolve_algorithm` is now a private class method
+- `JWK::ALGORITHMS` derived from `MlDsa::ALGORITHMS` (single source of truth)
+- Pin CI actions to commit SHAs for security
+- Use `Net::HTTP` instead of `URI.open` for tarball download
+- Restrict CI workflow GITHUB_TOKEN permissions to `contents: read`
+
+### Fixed
+
+- ML-DSA verify with invalid key type now raises `DecodeError` instead of `EncodeError`
+- JWK import now validates missing `pub` field and malformed base64url input
+- FFI memory holding secret keys is now zeroed after use
+
+### Dependencies
+
+- Bump codecov/codecov-action from 5.5.4 to 6.0.0
+
 ## [0.1.0] - 2026-04-04
 
 ### Added
@@ -18,3 +55,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
   - Concatenated signature format: Ed25519 (64B) || ML-DSA
   - Optional dependency on jwt-eddsa / ed25519
 - Error classes: `LiboqsError`, `KeyError`, `SignatureError`, `MissingDependencyError`
+
+[Unreleased]: https://github.com/marcelopazzo/jwt-pq/compare/v0.2.0...HEAD
+[0.2.0]: https://github.com/marcelopazzo/jwt-pq/compare/v0.1.0...v0.2.0
+[0.1.0]: https://github.com/marcelopazzo/jwt-pq/releases/tag/v0.1.0

data/Gemfile

@@ -5,6 +5,7 @@ source "https://rubygems.org"
 gemspec
 
 group :development, :test do
+  gem "rake"
   gem "rspec", "~> 3.13"
   gem "rubocop", "~> 1.75"
   gem "rubocop-rspec", "~> 3.0"
@@ -13,4 +14,5 @@ end
 group :test do
   gem "jwt-eddsa", "~> 0.9"
   gem "simplecov", require: false
+  gem "simplecov-cobertura", require: false
 end

data/README.md

@@ -1,5 +1,9 @@
 # jwt-pq
 
+[![Gem Version](https://badge.fury.io/rb/jwt-pq.svg)](https://rubygems.org/gems/jwt-pq)
+[![CI](https://github.com/marcelopazzo/jwt-pq/actions/workflows/ci.yml/badge.svg)](https://github.com/marcelopazzo/jwt-pq/actions/workflows/ci.yml)
+[![codecov](https://codecov.io/gh/marcelopazzo/jwt-pq/graph/badge.svg)](https://codecov.io/gh/marcelopazzo/jwt-pq)
+
 Post-quantum JWT signatures for Ruby. Adds **ML-DSA** (FIPS 204) support to the [ruby-jwt](https://github.com/jwt/ruby-jwt) ecosystem, with an optional **hybrid EdDSA + ML-DSA** mode.
 
 ## Features
@@ -13,27 +17,7 @@ Post-quantum JWT signatures for Ruby. Adds **ML-DSA** (FIPS 204) support to the
 ## Requirements
 
 - Ruby >= 3.2
-- [liboqs](https://github.com/open-quantum-safe/liboqs) (shared library)
-
-### Installing liboqs
-
-```bash
-# macOS
-brew install cmake ninja
-git clone --depth 1 https://github.com/open-quantum-safe/liboqs
-cd liboqs && mkdir build && cd build
-cmake -GNinja -DBUILD_SHARED_LIBS=ON ..
-ninja && sudo ninja install
-
-# Ubuntu / Debian
-sudo apt-get install cmake ninja-build
-git clone --depth 1 https://github.com/open-quantum-safe/liboqs
-cd liboqs && mkdir build && cd build
-cmake -GNinja -DBUILD_SHARED_LIBS=ON ..
-ninja && sudo ninja install && sudo ldconfig
-```
-
-You can also set the `OQS_LIB` environment variable to point to a custom `liboqs.so` / `liboqs.dylib` path.
+- CMake >= 3.15 and a C compiler — gcc or clang (for building the bundled liboqs)
 
 ## Installation
 
@@ -45,6 +29,22 @@ gem "jwt-pq"
 gem "jwt-eddsa"
 ```
 
+liboqs is automatically compiled from source during gem installation (ML-DSA algorithms only, ~30 seconds).
+
+### Using system liboqs
+
+If you prefer to use a system-installed liboqs:
+
+```bash
+gem install jwt-pq -- --use-system-libraries
+# or
+JWT_PQ_USE_SYSTEM_LIBRARIES=1 gem install jwt-pq
+# or in Bundler
+bundle config build.jwt-pq --use-system-libraries
+```
+
+You can also point to a specific library with `OQS_LIB=/path/to/liboqs.dylib`.
+
 ## Usage
 
 ### Basic ML-DSA signing
@@ -133,9 +133,10 @@ The `alg` header values follow a `ClassicAlg+PQAlg` convention. The IETF draft `
 ## Development
 
 ```bash
-bundle install
-OQS_LIB=/path/to/liboqs.dylib bundle exec rspec
-bundle exec rubocop
+bundle install          # compiles liboqs automatically
+bundle exec rspec       # run tests
+bundle exec rubocop     # lint
+rake compile            # recompile liboqs manually
 ```
 
 ## License

data/Rakefile

@@ -5,4 +5,12 @@ require "rspec/core/rake_task"
 
 RSpec::Core::RakeTask.new(:spec)
 
+desc "Compile the liboqs extension"
+task :compile do
+  Dir.chdir("ext/jwt/pq") do
+    ruby "extconf.rb"
+    sh "make"
+  end
+end
+
 task default: :spec

data/bin/smoke.rb

@@ -0,0 +1,40 @@
+#!/usr/bin/env ruby
+# frozen_string_literal: true
+
+require "jwt/pq"
+
+puts "jwt-pq v#{JWT::PQ::VERSION} smoke test"
+
+# ML-DSA-65 sign/verify round-trip
+key = JWT::PQ::Key.generate(:ml_dsa_65)
+token = JWT.encode({ "sub" => "smoke-test" }, key, "ML-DSA-65")
+decoded = JWT.decode(token, key, true, algorithms: ["ML-DSA-65"])
+
+raise "Decode failed" unless decoded.first["sub"] == "smoke-test"
+
+puts "ML-DSA-65 sign/verify: OK"
+
+# PEM round-trip
+pub_pem = key.to_pem
+restored = JWT::PQ::Key.from_pem(pub_pem)
+decoded = JWT.decode(token, restored, true, algorithms: ["ML-DSA-65"])
+
+raise "PEM round-trip failed" unless decoded.first["sub"] == "smoke-test"
+
+puts "PEM round-trip: OK"
+
+# JWK round-trip
+jwk = JWT::PQ::JWK.new(key)
+imported = JWT::PQ::JWK.import(jwk.export)
+decoded = JWT.decode(token, imported, true, algorithms: ["ML-DSA-65"])
+
+raise "JWK round-trip failed" unless decoded.first["sub"] == "smoke-test"
+
+puts "JWK round-trip: OK"
+
+# Key destroy
+key.destroy!
+raise "destroy! failed" if key.private?
+
+puts "Key#destroy!: OK"
+puts "All smoke tests passed"

data/ext/jwt/pq/extconf.rb

@@ -0,0 +1,193 @@
+# frozen_string_literal: true
+
+require "mkmf"
+require "fileutils"
+require "net/http"
+require "uri"
+require "digest"
+require "rubygems/package"
+require "zlib"
+require "etc"
+require "tmpdir"
+
+LIBOQS_VERSION = "0.15.0"
+LIBOQS_SHA256 = "3983f7cd1247f37fb76a040e6fd684894d44a84cecdcfbdb90559b3216684b5c"
+LIBOQS_URL = "https://github.com/open-quantum-safe/liboqs/archive/refs/tags/#{LIBOQS_VERSION}.tar.gz"
+
+PACKAGE_ROOT_DIR = File.expand_path("../../..", __dir__)
+VENDOR_DIR = File.join(PACKAGE_ROOT_DIR, "lib", "jwt", "pq", "vendor")
+
+def write_dummy_makefile
+  File.write("Makefile", <<~MAKEFILE)
+    all:
+    \t@echo "jwt-pq: nothing to compile"
+    install:
+    \t@echo "jwt-pq: nothing to install"
+    clean:
+    \t@echo "jwt-pq: nothing to clean"
+  MAKEFILE
+end
+
+def use_system_libraries?
+  ENV.key?("JWT_PQ_USE_SYSTEM_LIBRARIES") ||
+    enable_config("system-libraries", false)
+end
+
+def check_cmake!
+  cmake = find_executable("cmake")
+  unless cmake
+    abort <<~MSG
+      ERROR: cmake is required to compile liboqs for jwt-pq.
+
+      Install it with:
+        macOS:  brew install cmake
+        Ubuntu: sudo apt-get install cmake
+
+      Alternatively, install liboqs manually and use:
+        gem install jwt-pq -- --use-system-libraries
+    MSG
+  end
+  cmake
+end
+
+def download_via_http(url, dest_path, redirect_limit = 5)
+  abort "ERROR: too many redirects downloading liboqs" if redirect_limit.zero?
+
+  uri = URI.parse(url)
+  response = Net::HTTP.get_response(uri)
+
+  case response
+  when Net::HTTPSuccess
+    File.binwrite(dest_path, response.body)
+  when Net::HTTPRedirection
+    download_via_http(response["location"], dest_path, redirect_limit - 1)
+  else
+    abort "ERROR: failed to download liboqs (HTTP #{response.code}): #{uri}"
+  end
+end
+
+def download_source(dest_dir)
+  tarball_path = File.join(dest_dir, "liboqs-#{LIBOQS_VERSION}.tar.gz")
+
+  # Support local tarball via env var (for air-gapped environments)
+  source = ENV.fetch("JWT_PQ_LIBOQS_SOURCE", LIBOQS_URL)
+
+  $stdout.puts "jwt-pq: downloading liboqs #{LIBOQS_VERSION}..."
+  if source.start_with?("http")
+    download_via_http(source, tarball_path)
+  else
+    FileUtils.cp(source, tarball_path)
+  end
+
+  # Verify checksum
+  actual = Digest::SHA256.file(tarball_path).hexdigest
+  unless actual == LIBOQS_SHA256
+    abort "ERROR: SHA-256 mismatch for liboqs tarball.\n" \
+          "  Expected: #{LIBOQS_SHA256}\n" \
+          "  Got:      #{actual}"
+  end
+
+  tarball_path
+end
+
+def extract_tarball(tarball_path, dest_dir)
+  $stdout.puts "jwt-pq: extracting liboqs #{LIBOQS_VERSION}..."
+  File.open(tarball_path, "rb") do |file|
+    Zlib::GzipReader.wrap(file) do |gz|
+      Gem::Package::TarReader.new(gz) do |tar|
+        tar.each do |entry|
+          dest = File.expand_path(File.join(dest_dir, entry.full_name))
+          unless dest.start_with?("#{File.expand_path(dest_dir)}/")
+            abort "ERROR: path traversal detected in tarball: #{entry.full_name}"
+          end
+
+          if entry.directory?
+            FileUtils.mkdir_p(dest)
+          elsif entry.file?
+            FileUtils.mkdir_p(File.dirname(dest))
+            File.binwrite(dest, entry.read)
+            File.chmod(entry.header.mode, dest) if entry.header.mode && entry.header.mode > 0
+          end
+        end
+      end
+    end
+  end
+
+  File.join(dest_dir, "liboqs-#{LIBOQS_VERSION}")
+end
+
+def build_liboqs(source_dir)
+  build_dir = File.join(source_dir, "build")
+  FileUtils.mkdir_p(build_dir)
+  FileUtils.mkdir_p(VENDOR_DIR)
+
+  nproc = begin
+    Etc.nprocessors
+  rescue StandardError
+    2
+  end
+
+  # Semicolons are cmake list separators (safe here — system() uses execvp, no shell)
+  cmake_args = %W[
+    -DBUILD_SHARED_LIBS=ON
+    -DOQS_MINIMAL_BUILD=SIG_ml_dsa_44;SIG_ml_dsa_65;SIG_ml_dsa_87
+    -DOQS_BUILD_ONLY_LIB=ON
+    -DOQS_USE_OPENSSL=OFF
+    -DCMAKE_BUILD_TYPE=Release
+    -DCMAKE_INSTALL_PREFIX=#{VENDOR_DIR}
+    -DCMAKE_POSITION_INDEPENDENT_CODE=ON
+  ]
+
+  # Use Ninja if available (faster), fall back to Make
+  if find_executable("ninja")
+    cmake_args << "-GNinja"
+  end
+
+  $stdout.puts "jwt-pq: configuring liboqs #{LIBOQS_VERSION} (ML-DSA only)..."
+  unless system("cmake", "-S", source_dir, "-B", build_dir, *cmake_args)
+    abort "ERROR: cmake configure failed for liboqs"
+  end
+
+  $stdout.puts "jwt-pq: compiling liboqs (using #{nproc} cores)..."
+  unless system("cmake", "--build", build_dir, "--parallel", nproc.to_s)
+    abort "ERROR: cmake build failed for liboqs"
+  end
+
+  $stdout.puts "jwt-pq: installing liboqs to vendor directory..."
+  unless system("cmake", "--install", build_dir)
+    abort "ERROR: cmake install failed for liboqs"
+  end
+end
+
+def find_vendored_library
+  %w[dylib so].each do |ext|
+    path = File.join(VENDOR_DIR, "lib", "liboqs.#{ext}")
+    return path if File.exist?(path)
+  end
+  nil
+end
+
+# --- Main ---
+
+if use_system_libraries?
+  $stdout.puts "jwt-pq: using system liboqs (--use-system-libraries)"
+  write_dummy_makefile
+  exit 0
+end
+
+check_cmake!
+
+Dir.mktmpdir("jwt-pq-build") do |tmp_dir|
+  tarball = download_source(tmp_dir)
+  source_dir = extract_tarball(tarball, tmp_dir)
+  build_liboqs(source_dir)
+end
+
+lib_path = find_vendored_library
+if lib_path
+  $stdout.puts "jwt-pq: liboqs #{LIBOQS_VERSION} installed at #{lib_path}"
+else
+  abort "ERROR: liboqs shared library not found after build"
+end
+
+write_dummy_makefile

data/jwt-pq.gemspec

@@ -24,12 +24,14 @@ Gem::Specification.new do |spec|
     "rubygems_mfa_required" => "true"
   }
 
-  spec.requirements = ["liboqs >= 0.15.0 (shared library) — https://github.com/open-quantum-safe/liboqs"]
+  spec.requirements = ["cmake >= 3.15", "C compiler (gcc or clang)"]
 
   spec.post_install_message = <<~MSG
-    jwt-pq requires liboqs (shared library) to be installed on your system.
-    See https://github.com/marcelopazzo/jwt-pq#installing-liboqs for instructions.
-    For hybrid EdDSA+ML-DSA mode, also add 'jwt-eddsa' to your Gemfile.
+    jwt-pq compiles liboqs from source during installation.
+    If the build failed, ensure cmake and a C compiler are installed.
+    To use a system-installed liboqs instead:
+      gem install jwt-pq -- --use-system-libraries
+    For hybrid EdDSA+ML-DSA mode, add 'jwt-eddsa' to your Gemfile.
   MSG
 
   spec.files = Dir.chdir(__dir__) do
@@ -39,6 +41,7 @@ Gem::Specification.new do |spec|
     end
   end
 
+  spec.extensions = ["ext/jwt/pq/extconf.rb"]
   spec.require_paths = ["lib"]
 
   spec.add_dependency "ffi", "~> 1.15"

data/lib/jwt/pq/algorithms/ml_dsa.rb

@@ -15,13 +15,12 @@ module JWT
         end
 
         def sign(data:, signing_key:)
-          key = resolve_key(signing_key)
-          raise_sign_error!("Private key required for signing") unless key.private?
+          key = resolve_signing_key(signing_key)
           key.sign(data)
         end
 
         def verify(data:, signature:, verification_key:)
-          key = resolve_key(verification_key)
+          key = resolve_verification_key(verification_key)
           key.verify(data, signature)
         rescue JWT::PQ::Error
           false
@@ -29,9 +28,10 @@ module JWT
 
         private
 
-        def resolve_key(key)
+        def resolve_signing_key(key)
           case key
           when JWT::PQ::Key
+            raise_sign_error!("Private key required for signing") unless key.private?
             key
           else
             raise_sign_error!(
@@ -41,6 +41,18 @@ module JWT
           end
         end
 
+        def resolve_verification_key(key)
+          case key
+          when JWT::PQ::Key
+            key
+          else
+            raise_verify_error!(
+              "Expected a JWT::PQ::Key, got #{key.class}. " \
+              "Use JWT::PQ::Key.generate(:#{alg_symbol}) to create a key."
+            )
+          end
+        end
+
         def alg_symbol
           alg.downcase.tr("-", "_")
         end

data/lib/jwt/pq/hybrid_key.rb

@@ -51,6 +51,23 @@ module JWT
         "EdDSA+#{@ml_dsa_key.algorithm}"
       end
 
+      # Zero and discard private key material from both key components.
+      # After calling this, the key can only be used for verification.
+      def destroy!
+        @ml_dsa_key.destroy!
+        if @ed25519_signing_key
+          seed = @ed25519_signing_key.to_bytes
+          seed.replace("\0" * seed.bytesize)
+          @ed25519_signing_key = nil
+        end
+        true
+      end
+
+      def inspect
+        "#<#{self.class} algorithm=#{hybrid_algorithm} private=#{private?}>"
+      end
+      alias to_s inspect
+
       def self.require_eddsa_dependency!
         require "ed25519"
       rescue LoadError

data/lib/jwt/pq/jwk.rb

@@ -13,7 +13,7 @@ module JWT
     #   pub: base64url-encoded public key
     #   priv: base64url-encoded private key (optional)
     class JWK
-      ALGORITHMS = %w[ML-DSA-44 ML-DSA-65 ML-DSA-87].freeze
+      ALGORITHMS = MlDsa::ALGORITHMS.keys.freeze
       KTY = "AKP"
 
       attr_reader :key
@@ -44,10 +44,12 @@ module JWT
 
         validate_kty!(jwk)
         alg = validate_alg!(jwk)
-        pub_bytes = base64url_decode(jwk["pub"])
+        raise KeyError, "Missing 'pub' in JWK" unless jwk.key?("pub")
+
+        pub_bytes = decode_field(jwk, "pub")
 
         if jwk.key?("priv")
-          priv_bytes = base64url_decode(jwk["priv"])
+          priv_bytes = decode_field(jwk, "priv")
           Key.new(algorithm: alg, public_key: pub_bytes, private_key: priv_bytes)
         else
           Key.new(algorithm: alg, public_key: pub_bytes)
@@ -83,10 +85,12 @@ module JWT
       end
       private_class_method :normalize_keys
 
-      def self.base64url_decode(str)
-        ::Base64.urlsafe_decode64(str)
+      def self.decode_field(jwk, field)
+        ::Base64.urlsafe_decode64(jwk[field])
+      rescue ArgumentError => e
+        raise KeyError, "Invalid base64url in JWK '#{field}': #{e.message}"
       end
-      private_class_method :base64url_decode
+      private_class_method :decode_field
 
       private
 

data/lib/jwt/pq/key.rb

@@ -63,6 +63,21 @@ module JWT
         !@private_key.nil?
       end
 
+      # Zero and discard private key material from Ruby memory.
+      # After calling this, the key can only be used for verification.
+      def destroy!
+        if @private_key
+          @private_key.replace("\0" * @private_key.bytesize)
+          @private_key = nil
+        end
+        true
+      end
+
+      def inspect
+        "#<#{self.class} algorithm=#{@algorithm} private=#{private?}>"
+      end
+      alias to_s inspect
+
       # Import a Key from a PEM string (SPKI or PKCS#8).
       def self.from_pem(pem_string)
         info = PqcAsn1::DER.parse_pem(pem_string)
@@ -134,12 +149,12 @@ module JWT
         new(algorithm: alg_name, public_key: info.public_key, private_key: sk_bytes)
       end
 
-      private_class_method :extract_secure_bytes, :resolve_oid!, :build_from_pkcs8
+      private_class_method :resolve_algorithm, :extract_secure_bytes, :resolve_oid!, :build_from_pkcs8
 
       private
 
       def resolve_algorithm(algorithm)
-        self.class.resolve_algorithm(algorithm)
+        self.class.send(:resolve_algorithm, algorithm)
       end
 
       def validate!

data/lib/jwt/pq/liboqs.rb

@@ -6,29 +6,46 @@ module JWT
   module PQ
     # FFI bindings for liboqs signature operations.
     #
-    # The library search order:
+    # Library search order:
     #   1. OQS_LIB environment variable (explicit path)
-    #   2. System-installed liboqs (via standard library search)
+    #   2. Vendored liboqs (compiled during gem install)
+    #   3. System-installed liboqs (via standard library search)
     module LibOQS
       extend FFI::Library
 
       OQS_SUCCESS = 0
       OQS_ERROR = -1
 
-      # Determine library path
       def self.lib_path
+        # 1. Explicit path from environment
         return ENV["OQS_LIB"] if ENV["OQS_LIB"]
 
+        # 2. Vendored library (compiled during gem install)
+        vendored = vendored_lib_path
+        return vendored if vendored
+
+        # 3. System library
         "oqs"
       end
 
+      def self.vendored_lib_path
+        %w[dylib so].each do |ext|
+          path = File.join(__dir__, "vendor", "lib", "liboqs.#{ext}")
+          return path if File.exist?(path)
+        end
+        nil
+      end
+      private_class_method :vendored_lib_path
+
       begin
         ffi_lib lib_path
       rescue LoadError => e
         raise JWT::PQ::LiboqsError,
-              "liboqs not found. Install it via: brew install liboqs (macOS) or " \
-              "apt install liboqs-dev (Ubuntu). You can also set OQS_LIB to the " \
-              "full path of the shared library. Original error: #{e.message}"
+              "liboqs not found. The vendored library may not have been compiled " \
+              "during gem install. Ensure cmake and a C compiler are installed, " \
+              "then reinstall: gem install jwt-pq. Alternatively, install liboqs " \
+              "manually and set OQS_LIB to the full path. " \
+              "Original error: #{e.message}"
       end
 
       # OQS_SIG *OQS_SIG_new(const char *method_name)

data/lib/jwt/pq/ml_dsa.rb

@@ -39,6 +39,7 @@ module JWT
 
         [pk.read_bytes(@sizes[:public_key]), sk.read_bytes(@sizes[:secret_key])]
       ensure
+        sk&.clear
         LibOQS.OQS_SIG_free(sig) if sig && !sig.null?
       end
 
@@ -63,6 +64,7 @@ module JWT
         actual_len = sig_len.read(:size_t)
         sig_buf.read_bytes(actual_len)
       ensure
+        sk_buf&.clear
         LibOQS.OQS_SIG_free(sig) if sig && !sig.null?
       end
 

data/lib/jwt/pq/version.rb

@@ -2,6 +2,6 @@
 
 module JWT
   module PQ
-    VERSION = "0.1.0"
+    VERSION = "0.2.0"
   end
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: jwt-pq
 version: !ruby/object:Gem::Version
-  version: 0.1.0
+  version: 0.2.0
 platform: ruby
 authors:
 - Marcelo Almeida
@@ -57,7 +57,8 @@ description: Adds ML-DSA-44, ML-DSA-65, and ML-DSA-87 post-quantum signature alg
 email:
 - contact@marcelopazzo.com
 executables: []
-extensions: []
+extensions:
+- ext/jwt/pq/extconf.rb
 extra_rdoc_files: []
 files:
 - CHANGELOG.md
@@ -65,6 +66,8 @@ files:
 - LICENSE
 - README.md
 - Rakefile
+- bin/smoke.rb
+- ext/jwt/pq/extconf.rb
 - jwt-pq.gemspec
 - lib/jwt/pq.rb
 - lib/jwt/pq/algorithms/hybrid_eddsa.rb
@@ -86,9 +89,11 @@ metadata:
   documentation_uri: https://rubydoc.info/gems/jwt-pq
   rubygems_mfa_required: 'true'
 post_install_message: |
-  jwt-pq requires liboqs (shared library) to be installed on your system.
-  See https://github.com/marcelopazzo/jwt-pq#installing-liboqs for instructions.
-  For hybrid EdDSA+ML-DSA mode, also add 'jwt-eddsa' to your Gemfile.
+  jwt-pq compiles liboqs from source during installation.
+  If the build failed, ensure cmake and a C compiler are installed.
+  To use a system-installed liboqs instead:
+    gem install jwt-pq -- --use-system-libraries
+  For hybrid EdDSA+ML-DSA mode, add 'jwt-eddsa' to your Gemfile.
 rdoc_options: []
 require_paths:
 - lib
@@ -103,7 +108,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements:
-- liboqs >= 0.15.0 (shared library) — https://github.com/open-quantum-safe/liboqs
+- cmake >= 3.15
+- C compiler (gcc or clang)
 rubygems_version: 3.6.9
 specification_version: 4
 summary: Post-quantum JWT signatures (ML-DSA / FIPS 204) for Ruby