rubygems-openpgp 0.1.0

data.tar.gz.asc

@@ -0,0 +1,11 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1.4.10 (GNU/Linux)
+
+iQEcBAABAwAGBQJN4YzUAAoJEP5F5V2hilTWY/oH/3fdEbnj5IvbnX4TsLgTnhak
+tQuVDRfHG3LU62m2dPWnhnC10/pxVgnJYn4g2ldzIo9A9tgg9rx1UzH1lRNp29ky
+l8LaRkv2QJrniRFtOmihkQFOYw7dCcK8Pm5MzHVh/s6cKD6q2pRcrJnj88vFNrDz
+gR3dSWzqjdH5heSUJqfebc+dEOZZWBy6OFjPFtgn5TZJVpud8Vl4PlvjpHc63frN
+9K1oRe7h+DrFuVb3OBsWyddsjMhYya05yIah2kcwYQuzXycv1kun9VZYxLJlPj9z
+X6bKnEnqCiHsqLCEG/fQsj5FJDiDJZYyFR+JHMFmDScFVJrLcU6rqyG3aCn7g/w=
+=7S+s
+-----END PGP SIGNATURE-----

data/LICENSE

@@ -0,0 +1,31 @@
+Copyright (c) 2011, Grant T. Olson
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are
+met:
+
+    * Redistributions of source code must retain the above copyright
+      notice, this list of conditions and the following disclaimer.
+
+    * Redistributions in binary form must reproduce the above
+      copyright notice, this list of conditions and the following
+      disclaimer in the documentation and/or other materials provided
+      with the distribution.
+
+    * Neither the name of the Grant T. Olson nor the names of
+      additional contributors may be used to endorse or promote
+      products derived from this software without specific prior
+      written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

data/README.md

@@ -0,0 +1,262 @@
+rubygems-openpgp
+================
+
+This gem allows cryptographic signing of ruby gems with OpenPGP
+instead of the current method involving OpenSSL.  I think OpenPGP is a
+much better choice than X509 certificates for verifying open source
+components.
+
+My proposal as to why we should do so, and how to add certification
+infrastructure into place, follows.  Note this project doesn't attempt
+to address the issue of creating a ruby gem Signing Authority.
+
+Prerequisites
+-------------
+
+A working installation of gpg.
+
+An openpgp private key.
+
+Getting Started with gpg
+------------------------
+
+If you're unfamiliar with gpg, please read the [GNU Privacy
+Handbook](http://www.gnupg.org/gph/en/manual.html) .  If you're too
+lazy or impatient to do so, you can get started quickly by:
+
+1. Installing the appropriate gpg package for your OS if you don't
+already have one.
+
+1. Running `gpg --gen-key` to create your key.
+
+If you use this key for anything more than a few local tests, please:
+
+1. Publish your public key so others can retrieve it.
+   `gpg --keyserver pool.sks-keyservers.net --send-keys <your-new-key-id>`
+
+1. Backup your private key.  It's irretrievable if lost or corrupted.
+
+1. Generate a revocation certificate.  This allows you to invalidate a
+key if a malicious user gains access.
+
+1. Read the GNU Privacy Handbook above.
+
+Signing example
+---------------
+
+        gem build openpgp_signed_hola.gemspec
+        gem sign openpgp_signed_hola-0.0.0.gemspec
+        gem push opnepgp_signed_hola-0.0.0.gemspec
+
+Verification Example
+--------------------
+
+A test gem **openpgp_signed_hola** is on rubygems.org.  To try out
+this extension:
+
+        gem fetch openpgp_signed_hola
+        gem verify openpgp_signed_hola-0.0.0.gem
+        gem install openpgp_signed_hola-0.0.0.gem
+
+But That Just Failed!
+---------------------
+
+The first time you do this, the `gem verify` command will probably
+fail.  This is because you don't have my public key.  To automatically
+retrieve the key from the keyservers, run:
+
+        gem verify --get-key openpgp_signed_hola-0.0.0.gem
+
+The key will be automatically downloaded, and verification should now
+succeed.
+
+There are security implications here.  You've downloaded the key based
+on the information contained in the gem itself.  If a malicious user
+has tampered with the gem, they could easily provide a forged OpenPGP
+key as well.  This is why your output includes the following warning:
+
+        gpg: WARNING: This key is not certified with a trusted signature!
+        gpg:          There is no indication that the signature belongs to the owner.
+
+You still don't know if this key *really* belongs to me.  If possible,
+you should verify the key signature through an out-band-channel.  This
+may be the project page, a release email from the author, or some
+other means.
+
+For example, you can obtain the fingerprint on my key from [my
+personal website](http://www.grant-olson.net/openpgp-key).
+
+I've also included it right here in the README hosted on github:
+
+        pub   2048R/E3B5806F 2010-01-11 [expires: 2012-01-04]
+              Key fingerprint = A530 C31C D762 0D26 E2BA  C384 B6F6 FFD0 E3B5 806F
+        uid                  Grant T. Olson (Personal email) <kgo@grant-olson.net>
+        uid                  Grant T. Olson (pikimal) <grant@pikimal.com>
+        sub   2048R/6A8F7CF6 2010-01-11 [expires: 2012-01-04]
+        sub   2048R/A18A54D6 2010-03-01 [expires: 2012-01-04]
+        sub   2048R/D53982CE 2010-08-31 [expires: 2012-01-04]
+
+Even better would be obtaining the key fingerprint from me personally,
+but this can often be impractical.
+
+In any case, you should verify the key fingerprint listed in the
+message from one of these alternate sources.  If they match, the
+signature is (hopefully) valid, assuming an attacker hasn't managed to
+compromise rubygems, github, and my personal website.
+
+If the fingerprints DO NOT match, you probably want to delete the
+invalid key from your keyring:
+
+        gpg --delete-key <<KEY_ID>>
+
+If you feel confident that the key is valid based on your external
+fingerprint checks, you can make a signature on your gpg keyring.  I
+would advise making a local signature unless you've validated the
+fingerprint in person.  This means that you feel confident that the
+key is valid, but you're not making any representations to the outside
+world.  To do so, run:
+
+        gpg --lsign <<KEY_ID>>
+
+After this, you will no longer receive WARNINGs about untrusted
+sources for any gems signed by this key/author.
+
+Unfortunately, authentication is a hard problem.  See my proposal
+below for a potential solution to provide reasonable assurances about
+key validity without having to manually confirm everything.
+
+Motivation
+----------
+
+### Why we should sign gems with gpg
+
+Gems are currently signed via X509 certificates generated by OpenSSL.
+I don't think X509 signatures are the way to go.  I think we should use
+OpenPGP signatures instead.
+
+1. Self-signed X509 certificates are basically worthless.  There's no
+easy way to verify that the key is legitimate.  OpenPGP certificates
+are designed to be generated by you, and then signed by other people
+to validate their authenticity.
+
+2. Setting up an X509 CA will take some resources.  OpenPGP already
+has a dedicated pool of servers run by volunteers at
+pool.sks-keyservers.net.
+
+3. The current generation policy isn't so good.  Your private key
+isn't encrypted.  It's a strange file in a strange location that could
+easily be lost.  In gpg, all files are stored in ~/.gnupg.  Private
+keys are encrypted by default.
+
+4. gpg has better tooling and documentation than openssl.  There are
+plenty of things like Seahorse or GPA to examine your keys.  Policies
+are documented and explained.
+
+5. gpg allows the user to decide their default threat model and key
+verification model.  X509 assumes you trust the powers that be.
+
+6. The OpenPGP certificate will (optionally) be tied to the owner's
+real life id, if (for example) they sign release emails, use git's
+signing functionality on release tags, sign binary releases.  This
+makes it easier to verify that the key isn't forged.  (See trust model
+3 below.)
+
+The way I envision it, a gem maintainer would generate and publish a
+key with gpg if they didn't already have one.  He would put the key id
+in the gem configuration file.  When he builds the gem, gpg kicks in
+and signs it.
+
+An end user who wants to verify the key runs a command after fetching
+the gem.  If they have the key, we run gpg and verify the signature.
+If not, we provide the key id so they can download it manually with
+gpg.
+
+The code to implement this should be pretty simple.
+
+### Authenticating keys / Certificate authority
+
+With gpg, the user can determine their trust model.
+
+1. The current model.  The user doesn't care.  They don't check gpg
+sigs.  All is well.  I imagine this will still be the model used by a
+strong majority of users.
+
+2. The user uses the OpenPGP web of trust.  To be honest, this is a
+PITA.  It involves getting into the strong set by meeting people in
+person and exchanging key fingerprints to make sure that there's no
+man-in-the-middle attack.  And even if the user is in the strong set,
+there's no guarantee the gem maintainer is.
+
+3. Continuity model.  I downloaded the signing key for Ubuntu about four
+releases ago.  Even though I haven't done full verification, there
+haven't been any reports of problems, and the next three releases were
+signed by the same key.  If the key changed and gpg couldn't verify the
+next Ubuntu release, it would raise some eyebrows.  You can use the same
+philosophy with gems.
+
+4. Simulated CA.  Similar to the way a distributed source control system
+can be used as a centralized system, the OpenPGP web of trust can be
+setup to act as if there's a certificate authority.
+
+For an example of option 4, look at the PGP Corp Global Directory[1].
+You go to the website and submit your public key.  It sends you an email
+that you need to reply to.  If you reply, signs your key and
+publishes the information.  If another user trusts the Global Directory
+key, they will now trust your key.
+
+Technically, this is subject to a man-in-the-middle attack.  But it's
+the same policy that gets used when I forget my password at something
+like Amazon.  And Amazon has my credit card info.  I think the
+procedure is valid against all but the most exotic attacks as long as
+its limitations are known and documented.
+
+[For conciseness' sake, I'm just going to pretend we've agreed that
+rubygems.org is the Signing Authority.  It will probably be a more
+beta application, at least at first.  Right now I'm more concerned
+with presenting the model.]
+
+rubygems.org could:
+
+1. Allow gem publisher to upload a private key from their account page.
+
+2. Upon receipt of key, send an email to the gem publisher's email
+containing an encrypted token.
+
+3. The gem publisher decrypts the token,
+
+4. The gem publisher posts the decrypted token onto a form at the
+website and submits.  This establishes the gem publisher has control of
+(a) the email address, and (b) the OpenPGP key.  (Excluding a possible
+mitm at the network level.)
+
+5. rubygems.org signs the key with it's own signing key, possibly with a
+6 month or 1 year expiration date.
+
+6. The new signature is submitted to the keyservers at
+pool.sks-keyservers.net, making the verification available world-wide.
+
+Now an unrelated gem user can configure gpg to trust the rubygems
+signing key.  When they download the gem from above and retrieve the gem
+publisher's key, they will see that the key is valid because it's
+trusted by rubygems.  If it's not trusted, it's up to User B to
+investigate and determine if they trust the gem or not.
+
+Note that the relationship between these keys isn't contained in the
+gem.  It's contained on the keyservers.  If another website or mirror
+provides the same gem with the same signature, it will still show up as
+valid, assuming the gem user trusts the rubygems.org signing key.
+
+### In the year 2038
+
+Assuming all goes well, most people are signing their gems, and the
+community likes the feature, we could configure a keyring for use by
+gems only, similar to the way apt-get maintains its own keyring.
+
+This keyring would automatically include the rubygems.org signing key on
+installation.  When downloading a new gem, verification will happen
+automatically.  If the key isn't on the gem keyring it will be
+downloaded automatically.  If the key isn't trusted, the user will
+receive a warning and asked if they want to continue.  If the signature
+check fails, the gem will not be installed.
+
+[1] https://keyserver.pgp.com/vkd/GetWelcomeScreen.event

data/lib/rubygems/commands/sbuild_command.rb

@@ -0,0 +1,33 @@
+require "rubygems/command"
+require 'rubygems/version_option'
+
+class Gem::Commands::SbuildCommand < Gem::Command
+
+  include Gem::VersionOption
+
+  def initialize
+    super 'sbuild', 'Build your gem, then sign it with OpenPGP'
+
+    add_version_option
+
+  end
+
+  def arguments
+    "GEMNAME        name of gem to build"
+  end
+  
+  def defaults_str
+    ""
+  end
+
+  def usage
+    "blah blah"
+  end
+
+  def execute
+    version = options[:version] || Gem::Requirement.default
+
+    raise "Not implemented yet"
+  end
+
+end

data/lib/rubygems/commands/sign_command.rb

@@ -0,0 +1,71 @@
+require "rubygems/command"
+require "rubygems/package"
+require 'rubygems/version_option'
+require "rubygems/gem_openpgp"
+require 'fileutils'
+
+class Gem::Commands::SignCommand < Gem::Command
+
+  include Gem::VersionOption
+
+  def initialize
+    super 'sign', 'Sign existing gem with your OpenPGP key', :key => nil
+
+    add_version_option
+
+    add_option('--key KEY', "Specify key id if you don't want to use your default gpg key") do |key, options|
+      options[:key] = key
+    end
+  end
+
+  def arguments
+    "GEMNAME        name of gem to sign"
+  end
+  
+  def defaults_str
+    ""
+  end
+
+  def usage
+    "blah blah"
+  end
+
+  def execute
+    version = options[:version] || Gem::Requirement.default
+    gem, specs = get_one_gem_name, []
+
+    unsigned_gem = gem + ".unsigned"
+    FileUtils.mv gem, unsigned_gem
+    
+    unsigned_gem_file = File.open(unsigned_gem, "r")
+    signed_gem_file = File.open(gem, "w")
+
+    signed_gem = Gem::Package::TarWriter.new(signed_gem_file)
+
+    Gem::Package::TarReader.new(unsigned_gem_file).each do |f|
+      say f.full_name.inspect
+      
+      if f.full_name[-4..-1] == ".asc"
+        say "Skipping old signature file #{f.full_name}"
+        next
+      end
+      
+      say "Signing #{f.full_name.inspect}..."
+
+      file_contents = f.read()
+
+      signed_gem.add_file(f.full_name, 0644) do |outfile|
+        outfile.write(file_contents)
+      end
+
+      signed_gem.add_file(f.full_name + ".asc", 0644) do |outfile|
+        outfile.write(Gem::OpenPGP.detach_sign(file_contents,options[:key]))
+      end
+
+    end
+  rescue Exception => ex
+    FileUtils.mv unsigned_gem_file, gem
+    raise
+  end
+
+end

data/lib/rubygems/commands/verify_command.rb

@@ -0,0 +1,59 @@
+require "rubygems/command"
+require "rubygems/package"
+require 'rubygems/version_option'
+require "rubygems/gem_openpgp"
+
+class Gem::Commands::VerifyCommand < Gem::Command
+
+  include Gem::VersionOption
+
+  def initialize
+    super 'verify', 'Verify gem with your OpenPGP key'
+
+    add_version_option
+
+    add_option('--get-key', "If the key is not available, download it from a keyserver") do |key, options|
+      options[:get_key] = true
+    end
+
+  end
+
+  def arguments
+    "GEMNAME        name of gem to verify"
+  end
+  
+  def defaults_str
+    ""
+  end
+
+  def usage
+    "blah blah"
+  end
+
+  def execute
+    version = options[:version] || Gem::Requirement.default
+    gem, specs = get_one_gem_name, []
+
+    file = File.open(gem,"r")
+
+    tar_files = {}
+
+    Gem::Package::TarReader.new(file).each do |f|
+      tar_files[f.full_name] = f.read()
+    end
+    
+    tar_files.keys.each do |file_name|
+      next if file_name[-4..-1] == ".asc"
+      say "Verifying #{file_name}..."
+
+      sig_file_name = file_name + ".asc"
+      if !tar_files.has_key? sig_file_name
+        say "WARNING!!! No sig found for #{file_name}"
+        next
+      end
+      
+      Gem::OpenPGP.verify(tar_files[file_name], tar_files[sig_file_name], options[:get_key])
+    end
+  end
+
+end

data/lib/rubygems/commands/vinstall_command.rb

@@ -0,0 +1,33 @@
+require "rubygems/command"
+require 'rubygems/version_option'
+
+class Gem::Commands::VinstallCommand < Gem::Command
+
+  include Gem::VersionOption
+
+  def initialize
+    super 'vinstall', 'verify gem with GPG, and only install if sig check passes'
+
+    add_version_option
+
+  end
+
+  def arguments
+    "GEMNAME        name of gem to build"
+  end
+  
+  def defaults_str
+    ""
+  end
+
+  def usage
+    "blah blah"
+  end
+
+  def execute
+    version = options[:version] || Gem::Requirement.default
+
+    puts "Not implemented yet."
+  end
+
+end

data/lib/rubygems/gem_openpgp.rb

@@ -0,0 +1,60 @@
+require 'open3'
+require 'tempfile'
+
+module Gem::OpenPGP
+  def self.openpgp_available?
+    `gpg --version`
+    $? == 0
+  rescue
+    false
+  end
+
+  def self.detach_sign data, key_id=nil
+    key_flag = ""
+    key_flag = "-u #{key_id}" if key_id
+    cmd = "gpg #{key_flag} --detach-sign --armor"
+    exit_status = nil
+    sig,err = Open3.popen3(cmd) do |stdin, stdout, stderr, wait_thr|
+      stdin.write data
+      stdin.close
+      exit_status = wait_thr.value
+      [stdout.read(), stderr.read()]
+    end
+
+    raise "gpg error #{err}" if exit_status != 0
+
+    sig
+  end
+
+  def self.verify data, sig, get_key=false
+    data_file = Tempfile.new("rubygems_data")
+    data_file.write(data)
+    data_file.close
+
+    sig_file = Tempfile.new("rubygems_sig")
+    sig_file.write(sig)
+    sig_file.close
+
+    get_key_params = "--keyserver pool.sks-keyservers.net --keyserver-options auto-key-retrieve"
+    get_key_params = "" if get_key != true
+
+    cmd = "gpg #{get_key_params} --verify #{sig_file.path} #{data_file.path}"
+    exit_status = nil
+    res, err = Open3.popen3(cmd) do |stdin, stdout, stderr, wait_thr|
+      stdin.close
+      exit_status = wait_thr.value
+      [ stdout.read(), stderr.read() ]
+    end
+
+    color_code = if exit_status == 0
+                   "32"
+                 else
+                   "31"
+                 end
+    
+    puts "\033[#{color_code}m#{err}\033[0m"
+    puts "\033[37m #{res} \033[0m"
+
+    raise "gpg encountered errors! #{err}" if exit_status != 0
+  end
+end

data/lib/rubygems_plugin.rb

@@ -0,0 +1,6 @@
+require 'rubygems/command_manager'
+
+Gem::CommandManager.instance.register_command :sign
+Gem::CommandManager.instance.register_command :verify
+Gem::CommandManager.instance.register_command :vinstall
+Gem::CommandManager.instance.register_command :sbuild

metadata

@@ -0,0 +1,56 @@
+--- !ruby/object:Gem::Specification
+name: rubygems-openpgp
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+  prerelease: 
+platform: ruby
+authors:
+- Grant Olson
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2010-05-27 00:00:00.000000000 -04:00
+default_executable: 
+dependencies: []
+description: Digitally sign gems via OpenPGP instead of OpenSSL
+email: kgo@grant-olson.net
+executables: []
+extensions: []
+extra_rdoc_files:
+- README.md
+files:
+- LICENSE
+- lib/rubygems_plugin.rb
+- lib/rubygems/commands/verify_command.rb
+- lib/rubygems/commands/vinstall_command.rb
+- lib/rubygems/commands/sbuild_command.rb
+- lib/rubygems/commands/sign_command.rb
+- lib/rubygems/gem_openpgp.rb
+- README.md
+has_rdoc: true
+homepage: https://github.com/grant-olson/rubygems-openpgp
+licenses:
+- BSD 3 Clause
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 1.6.2
+signing_key: 
+specification_version: 3
+summary: Sign gems via OpenPGP
+test_files: []

metadata.gz.asc

@@ -0,0 +1,11 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1.4.10 (GNU/Linux)
+
+iQEcBAABAwAGBQJN4YzYAAoJEP5F5V2hilTWyxUH/2+P4ieweDXKgi+8wvxQlwPC
+SicpO2/uYz39KK4qlqW5rJxxgjaBaAiGdofAdwhM6+HOOOeanx6tYK+bq9vxBFLF
+mfAvyYFWbfv41pxjWlgBpjLoU+x9J8ewcyv8jtrLop2qT8TOc4C9/9N9zpVDTLk2
+YX7QEwCTuvM3G4IrN0YRZ//pm70yR321NV36qbycb6q7JKEpyyutksnE9ketjc6i
+N0XEaUOL7xzGHSLMgnzR8DPvtauWraERdVatmQYsnmn5I+4+yRAOd/gYVy+T+V23
+mKqjpox3R6aav1PN1tNelvWPBpk574bEZVfFwuCZVMqYvsTEFegLUl/6yAacF2s=
+=/mom
+-----END PGP SIGNATURE-----