rubygems-openpgp 0.1.1 → 0.2.0

data.tar.gz.asc

@@ -1,11 +1,11 @@
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1.4.10 (GNU/Linux)
 
-iQEcBAABAwAGBQJN4Z7TAAoJEP5F5V2hilTWz3sH/0GfYeacn9CWk245JoAXyRkM
-Vh+L0he3j09cw8ISkXd/LtbemzGE1ylV2o+CSScHW+hoNGFkcw2/JidxIvDJ4g+x
-Tnx9qPhDQXkVL7IH9yqFCcmyPZLFGLhj7JRwRgmaiMVbUvTyE1zwQgYFFp/Do5h6
-azlQEHFUfvOdBTRNrZELqhTTH1lMlIPB6ONGDYe+TdQ6xwpHM2K8rzjf7ohOaTmy
-/MnTWy5zkWOmG3Hc8Icw2tOICUvJjboa0EDURR89DXGu+ViJVXE+1h2wGbuHx4Bp
-JvZOhFpK0sEnJlLInTJjIz+Fry/yzSFW+aNBRjlVgwuvGzi+7FInkeHpNPq4gt8=
-=Z196
+iQEcBAABAwAGBQJN5CnTAAoJEP5F5V2hilTW8WYIALAGfV7qJwhYHLi4SyU3tTUD
+siDF6Ja3TisluSv41YKB0nisuXwjcGuzAbHLglAm7OdjIBEcauFvQPDUVdKPPvzx
+06cPaSBKj2wCgrcolr7d/Xb9o9gLKpIJXJzd2PZpPxvZOH9Oz55DRYekENhk22Bi
+Cl/mSwhpRzIqFPvyhDuEXnPs5oaErtvWczu/6HRAz+Au5Vy2dXG20F1x2/PwQcAp
+O1Xnp0LD60Tq1hbWfesJ20WSW0r3x5iBuADxvUo9/WnTwt4P2xEy3A7JItAONfuV
+0KlDcCgGdxvD0Fcq1LfyilMqojg/GFZomSM8KJYvjcFczav1hisXyYDTLgd82+s=
+=sV5A
 -----END PGP SIGNATURE-----

data/Rakefile

@@ -0,0 +1,8 @@
+require 'rake/testtask'
+
+Rake::TestTask.new do |t|
+  t.libs << 'test'
+end
+
+desc "Run tests"
+task :default => :test

data/lib/rubygems/commands/sbuild_command.rb

@@ -1,30 +1,32 @@
 require "rubygems/command"
 require 'rubygems/version_option'
 
-class Gem::Commands::SbuildCommand < Gem::Command
+# currently unimplemented.
+# This will build and sign with a single command.
+class Gem::Commands::SbuildCommand < Gem::Command # :nodoc:
 
   include Gem::VersionOption
 
-  def initialize
+  def initialize # :nodoc:
     super 'sbuild', 'Build your gem, then sign it with OpenPGP'
 
     add_version_option
 
   end
 
-  def arguments
+  def arguments # :nodoc:
     "GEMNAME        name of gem to build"
   end
   
-  def defaults_str
+  def defaults_str # :nodoc:
     ""
   end
 
-  def usage
+  def usage # :nodoc:
     "blah blah"
   end
 
-  def execute
+  def execute # :nodoc:
     version = options[:version] || Gem::Requirement.default
 
     raise "Not implemented yet"

data/lib/rubygems/commands/sign_command.rb

@@ -4,12 +4,17 @@ require 'rubygems/version_option'
 require "rubygems/gem_openpgp"
 require 'fileutils'
 
+# CLI interface to the internal signing code:
+#
+#   gem sign gemname-0.0.0.gem
+#
+#   gem sign -key 0xDEADBEEF gemname-0.0.0.gem
 class Gem::Commands::SignCommand < Gem::Command
 
   include Gem::VersionOption
 
-  def initialize
-    super 'sign', 'Sign existing gem with your OpenPGP key', :key => nil
+  def initialize # :nodoc:
+    super 'sign', 'Signs an existing gem with your OpenPGP key.  This allows third parties to verify the key later via the \'gem verify\' command.', :key => nil
 
     add_version_option
 
@@ -18,54 +23,23 @@ class Gem::Commands::SignCommand < Gem::Command
     end
   end
 
-  def arguments
+  def arguments # :nodoc:
     "GEMNAME        name of gem to sign"
   end
   
-  def defaults_str
+  def defaults_str # :nodoc:
     ""
   end
 
-  def usage
-    "blah blah"
+  def usage # :nodoc:
+    "gem sign GEMNAME"
   end
 
-  def execute
+  def execute  # :nodoc:
     version = options[:version] || Gem::Requirement.default
     gem, specs = get_one_gem_name, []
-
-    unsigned_gem = gem + ".unsigned"
-    FileUtils.mv gem, unsigned_gem
-    
-    unsigned_gem_file = File.open(unsigned_gem, "r")
-    signed_gem_file = File.open(gem, "w")
-
-    signed_gem = Gem::Package::TarWriter.new(signed_gem_file)
-
-    Gem::Package::TarReader.new(unsigned_gem_file).each do |f|
-      say f.full_name.inspect
-      
-      if f.full_name[-4..-1] == ".asc"
-        say "Skipping old signature file #{f.full_name}"
-        next
-      end
-      
-      say "Signing #{f.full_name.inspect}..."
-
-      file_contents = f.read()
-
-      signed_gem.add_file(f.full_name, 0644) do |outfile|
-        outfile.write(file_contents)
-      end
-
-      signed_gem.add_file(f.full_name + ".asc", 0644) do |outfile|
-        outfile.write(Gem::OpenPGP.detach_sign(file_contents,options[:key]))
-      end
-
-    end
-  rescue Exception => ex
-    FileUtils.mv unsigned_gem_file, gem
-    raise
+    output = Gem::OpenPGP.sign_gem gem, key=options[:key]
+    say output.join("\n")
   end
-
+  
 end

data/lib/rubygems/commands/verify_command.rb

@@ -1,14 +1,20 @@
-require "rubygems/command"
-require "rubygems/package"
+require 'rubygems/command'
+require 'rubygems/package'
 require 'rubygems/version_option'
-require "rubygems/gem_openpgp"
-
+require 'rubygems/gem_openpgp'
+
+# Verifies a gem signed by the 'sign' command.  Iterates through the
+# gem contents and verifies all embedded files, if possible.  Errors
+# out if the signature is bad or the key is unknown.
+#
+# Optionally takes "--get-key" which automatically retreives the key
+# from keyservers to make things easier for people unfamiliar with gpg.
 class Gem::Commands::VerifyCommand < Gem::Command
 
   include Gem::VersionOption
 
-  def initialize
-    super 'verify', 'Verify gem with your OpenPGP key'
+  def initialize # :nodoc:
+    super 'verify', 'Verifies a local gem that has been signed via OpenPGP.  This helps to ensure the gem has not been tampered with in transit.'
 
     add_version_option
 
@@ -18,42 +24,23 @@ class Gem::Commands::VerifyCommand < Gem::Command
 
   end
 
-  def arguments
+  def arguments # :nodoc:
     "GEMNAME        name of gem to verify"
   end
   
-  def defaults_str
+  def defaults_str # :nodoc:
     ""
   end
 
-  def usage
-    "blah blah"
+  def usage # :nodoc:
+    "gem verify GEMNAME"
   end
 
-  def execute
+  def execute # :nodoc:
     version = options[:version] || Gem::Requirement.default
     gem, specs = get_one_gem_name, []
-
-    file = File.open(gem,"r")
-
-    tar_files = {}
-
-    Gem::Package::TarReader.new(file).each do |f|
-      tar_files[f.full_name] = f.read()
-    end
-    
-    tar_files.keys.each do |file_name|
-      next if file_name[-4..-1] == ".asc"
-      say "Verifying #{file_name}..."
-
-      sig_file_name = file_name + ".asc"
-      if !tar_files.has_key? sig_file_name
-        say "WARNING!!! No sig found for #{file_name}"
-        next
-      end
-      
-      Gem::OpenPGP.verify(tar_files[file_name], tar_files[sig_file_name], options[:get_key])
-    end
+    output = Gem::OpenPGP.verify_gem gem, get_key=options[:get_key]
+    say output.join("\n")
   end
-
+  
 end

data/lib/rubygems/commands/vinstall_command.rb

@@ -1,30 +1,34 @@
 require "rubygems/command"
 require 'rubygems/version_option'
 
-class Gem::Commands::VinstallCommand < Gem::Command
+# Currently unimplemented.
+# This will fetch, verify and install a gem.  Ideally it will do the
+# same with any dependencies that are downloaded, but this might be 
+# difficult in a gem.
+class Gem::Commands::VinstallCommand < Gem::Command # :nodoc:
 
   include Gem::VersionOption
 
-  def initialize
+  def initialize # :nodoc:
     super 'vinstall', 'verify gem with GPG, and only install if sig check passes'
 
     add_version_option
 
   end
 
-  def arguments
+  def arguments # :nodoc:
     "GEMNAME        name of gem to build"
   end
   
-  def defaults_str
+  def defaults_str # :nodoc:
     ""
   end
 
-  def usage
+  def usage # :nodoc:
     "blah blah"
   end
 
-  def execute
+  def execute # :nodoc:
     version = options[:version] || Gem::Requirement.default
 
     puts "Not implemented yet."

data/lib/rubygems/gem_openpgp.rb

@@ -1,62 +1,213 @@
+require 'rubygems'
+require 'rubygems/package'
 require 'open3'
 require 'tempfile'
 
+# Exception for this class
+class Gem::OpenPGPException < RuntimeError; end
+
+# A wrapper that shells out the real OpenPGP crypto work
+# to gpg.
 module Gem::OpenPGP
-  def self.openpgp_available?
-    `gpg --version`
-    $? == 0
-  rescue
-    false
-  end
 
-  def self.detach_sign data, key_id=nil
+  # Given a string of data, generate and return a detached
+  # signature.  By defualt, this will use your primary secret key.
+  # This can be overridden by specifying a key_id for another 
+  # private key.
+  def self.detach_sign data, key_id=nil, homedir=nil
+    is_gpg_available
+    is_key_valid key_id if key_id
+    is_homedir_valid homedir if homedir
+
     key_flag = ""
     key_flag = "-u #{key_id}" if key_id
-    cmd = "gpg #{key_flag} --detach-sign --armor"
-    exit_status = nil
-    sig,err = Open3.popen3(cmd) do |stdin, stdout, stderr, wait_thr|
-      stdin.write data
-      stdin.close
-      exit_status = wait_thr.value
-      [stdout.read(), stderr.read()]
-    end
 
-    raise "gpg error #{err}" if exit_status != 0
+    homedir_flag = ""
+    homedir_flag = "--homedir #{homedir}" if homedir
 
+    cmd = "gpg #{key_flag} #{homedir_flag} --detach-sign --armor"
+    sig, err = run_gpg_command cmd, data
     sig
   end
 
-  def self.verify data, sig, get_key=false
-    data_file = Tempfile.new("rubygems_data")
-    data_file.binmode
-    data_file.write(data)
-    data_file.close
+  # Given a string containing data, and a string containing
+  # a detached signature, verify the data.  If we can't verify
+  # then raise an exception.
+  #
+  # Optionally tell gpg to retrive the key if it's not provided
+  def self.verify data, sig, get_key=false, homedir=nil
+    is_gpg_available
+    is_homedir_valid homedir if homedir
 
-    sig_file = Tempfile.new("rubygems_sig")
-    sig_file.binmode
-    sig_file.write(sig)
-    sig_file.close
+    data_file = create_tempfile data
+    sig_file = create_tempfile sig
 
     get_key_params = "--keyserver pool.sks-keyservers.net --keyserver-options auto-key-retrieve"
     get_key_params = "" if get_key != true
 
-    cmd = "gpg #{get_key_params} --verify #{sig_file.path} #{data_file.path}"
+    homedir_flags = ""
+    homedir_flags = "--homedir #{homedir}" if homedir
+ 
+    cmd = "gpg #{get_key_params} #{homedir_flags} --verify #{sig_file.path} #{data_file.path}"
+    res, err = run_gpg_command cmd
+    [err, res]
+  end
+
+  # Signs an existing gemfile by iterating the tar'ed up contents,
+  # and signing any contents. creating a new file with original contents
+  # and OpenPGP sigs.  The OpenPGP sigs are saved as .asc files so they 
+  # won't conflict with X509 sigs.
+  #
+  # Optional param "key" allows you to use a different private
+  # key than the GPG default.
+  def self.sign_gem gem, key=nil, homedir=nil
+    output = []
+
+    unsigned_gem = gem + ".unsigned"
+
+    begin
+      FileUtils.mv gem, unsigned_gem
+    rescue Errno::ENOENT => ex
+      raise Gem::CommandLineError, "The gem #{gem} does not seem to exist. (#{ex.message})"
+    end
+
+    unsigned_gem_file = File.open(unsigned_gem, "r")
+    signed_gem_file = File.open(gem, "w")
+
+    signed_gem = Gem::Package::TarWriter.new(signed_gem_file)
+
+    Gem::Package::TarReader.new(unsigned_gem_file).each do |f|
+      output << f.full_name.inspect
+      
+      if f.full_name[-4..-1] == ".asc"
+        output << "Skipping old signature file #{f.full_name}"
+        next
+      end
+      
+      output << "Signing #{f.full_name.inspect}..."
+
+      file_contents = f.read()
+
+      signed_gem.add_file(f.full_name, 0644) do |outfile|
+        outfile.write(file_contents)
+      end
+
+      signed_gem.add_file(f.full_name + ".asc", 0644) do |outfile|
+        outfile.write(Gem::OpenPGP.detach_sign(file_contents,key,homedir))
+      end
+
+    end
+    
+    signed_gem_file.close
+    unsigned_gem_file.close
+    File.delete unsigned_gem_file
+
+    output
+  rescue Exception => ex
+    if unsigned_gem_file
+      FileUtils.mv unsigned_gem_file, gem
+    end
+    
+    raise
+  end
+
+  def self.verify_gem gem, get_key=false, homedir=nil
+    output =[]
+
+    begin
+      file = File.open(gem,"r")
+    rescue Errno::ENOENT => ex
+      raise Gem::CommandLineError, "Gem #{gem} not found.  Note you can only verify local gems at this time, so you may need to run 'gem fetch #{gem}' before verifying."  
+    end
+    
+    tar_files = {}
+
+    Gem::Package::TarReader.new(file).each do |f|
+      tar_files[f.full_name] = f.read()
+    end
+    
+    tar_files.keys.each do |file_name|
+      next if file_name[-4..-1] == ".asc"
+      output << "Verifying #{file_name}..."
+
+      sig_file_name = file_name + ".asc"
+      if !tar_files.has_key? sig_file_name
+        output << "WARNING!!! No sig found for #{file_name}"
+        next
+      end
+      
+      begin
+        err, res = Gem::OpenPGP.verify(tar_files[file_name], tar_files[sig_file_name], get_key, homedir)
+
+        output << add_color(err, :green)
+        output << add_color(res, :green)
+      rescue Gem::OpenPGPException => ex
+        color_code = "31"
+        output << add_color(ex.message, :red)
+      end
+    end
+
+    file.close
+    
+    output
+  end
+
+private
+
+  # Tests to see if gpg is installed and available.
+  def self.is_gpg_available
+    err_msg = "Unable to find a working gnupg installation.  Make sure gnupg is installed and you can call 'gpg --version' from a command prompt."
+    `gpg --version`
+    raise Gem::OpenPGPException, err_msg if $? != 0
+  rescue Errno::ENOENT => ex
+    raise Gem::OpenPGPException, err_msg if $? != 0
+  end
+
+  def self.is_key_valid key_id
+    valid = /^0x[A-Za-z0-9]{8,8}/.match(key_id)
+    if valid.nil?
+      err_msg = "Invalid key id.  Keys should be in form of 0xDEADBEEF"
+      raise Gem::OpenPGPException, err_msg
+    end
+  end
+ 
+  def self.is_homedir_valid homedir
+    if !File.exists? homedir
+      raise OpenPGPException, "Bad homedir #{homedir.inspect}"
+    end
+  end
+  
+  def self.run_gpg_command cmd, data=nil
     exit_status = nil
-    res, err = Open3.popen3(cmd) do |stdin, stdout, stderr, wait_thr|
+    stdout, stderr = Open3.popen3(cmd) do |stdin, stdout, stderr, wait_thr|
+      stdin.write data if data
       stdin.close
       exit_status = wait_thr.value
-      [ stdout.read(), stderr.read() ]
+      out = stdout.read()
+      err = stderr.read()
+      raise Gem::OpenPGPException, "#{err}" if exit_status != 0
+      [out,err]
     end
+    [stdout, stderr]
+  end
 
-    color_code = if exit_status == 0
-                   "32"
-                 else
-                   "31"
+  def self.create_tempfile data
+    temp_file = Tempfile.new("rubygems_gpg")
+    temp_file.binmode
+    temp_file.write(data)
+    temp_file.close
+    temp_file
+  end
+
+  def self.add_color s, color=:green
+    color_code = case color
+                 when :green then "32"
+                 when :red then "31"
+                 else raise RuntimeError, "Invalid color #{color.inspect}"
                  end
     
-    puts "\033[#{color_code}m#{err}\033[0m"
-    puts "\033[37m #{res} \033[0m"
-
-    raise "gpg encountered errors! #{err}" if exit_status != 0
+    #TODO - NO-OP on windows
+    "\033[#{color_code}m#{s}\033[0m"
   end
+  
 end

data/lib/rubygems_plugin.rb

@@ -2,5 +2,5 @@ require 'rubygems/command_manager'
 
 Gem::CommandManager.instance.register_command :sign
 Gem::CommandManager.instance.register_command :verify
-Gem::CommandManager.instance.register_command :vinstall
-Gem::CommandManager.instance.register_command :sbuild
+#Gem::CommandManager.instance.register_command :vinstall
+#Gem::CommandManager.instance.register_command :sbuild

data/test/pablo_escobar_pubkey.asc

@@ -0,0 +1,31 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: GnuPG v1.4.10 (GNU/Linux)
+
+mQENBE3iyn0BCADgFkThsahECiM8Po0vIr8A7U6sI7qIQ2tG4Uq0HIx4sMtgffG7
+F9TGTlLBgSZuog6BnxAg7A7q4IYg1Xnvuf8kl4Ade7AE5vhjXdoWUkuvZanJduXh
+yxdQ7EqnLgqGHXfZXxB+OlWCPofpb5L4OLURYLTUQHuCrfQ2fEzXCu/wsTd8JbwY
+k/EgpwCRWMhtH9vbMbmca8AvrsLK/fv0H4fNQiVJf0ZaKPM0fHy4II4fXQy9pmaf
+qFF4og5IMIy2CYoPQxGGN1e37sSbJUlaxkJBUQAK5mQ1jqwKe/2+p9qJPcMDWH6h
+M1FcOgD7wlb9f7lDNyW+Wp/pdxz0afZ3po3hABEBAAG0RlBhYmxvIEVzY29iYXIg
+KElOU0VDVVJFIHJ1YnlnZW1zLW9wZW5wZ3AgdGVzdCBrZXkpIDxwYWJsb0BleGFt
+cGxlLm9yZz6JATcEEwEIACEFAk3iyn0CGwMFCwkIBwMFFQoJCAsFFgIDAQACHgEC
+F4AACgkQVd0SUQAeGtZdgwf+IxeO4kW7LrxtvL9s4YvrydRXVYbfyHoVYNp+g4cZ
+apFtKtC9Zt7ZfEPXiaWAT1uJ8vXc4tqfnVuGy99yVn/Xif5cMmhQs5uMtvUYKxPW
+EpiGOa+L5F3NevErTgzbFWRtAn/oQ7C5kk52WyyS1lndcYnHRmZpBFDVCa9cW0zK
+KZJNCydiLoBNtN1HzaKbRNd8XPBV2guYdZCU9Q+y9jyUoblslHAuuaRvq76XtgdR
+rI4L1H4Ply2I1cdNbv/8NAb9+l5s2X6CCflZheKD1pHPcWiJQ7FfYekefd2wPBWo
+ZSdXMotgr1pV4Mj5iysfhhChJ4lzx1198+Q8aftkcWNdZbkBDQRN4sp9AQgAtMJH
+aSLF62nvFjSFmiIbv/GyoVD4XZKfI8/9G9DO+ODPNf9X6PuyXfPsHkxMW7lKgvMQ
+3DOn/RZWgSIB3YqX8mJA/LOVqA7e8cy6TFI10zD6tln5CMbnpVwfTUTn9m/CEnPF
+l6OuaWzmvOGf3P9oPSjUCukPvzkJb46tCOluLtqGxKrom+hGczjZfYvbbmjeTu7Q
+NNcmtcNYP1LFiR3I1iaFDjRUgdC37WFTeF5agVVdpEIyUmggB86NHiT3r7a189iB
+KcaGU3JN+ZqzaeQ5TrN/Os7IaCDLczTOe2mdBYho8l6bEhc5Tdy1JJPAjaagl8ES
+H0Bx0S7MPnu9sThmiwARAQABiQEfBBgBCAAJBQJN4sp9AhsMAAoJEFXdElEAHhrW
+km0H/RZQ/iRuE5K8u1t8J6VBzyQYRk20i4Yjsu4kWm1fbNEQoLqy75cH8wWDmVR3
+tSaUuQOQslGOVUZAZkB9feGZAzdoU+3Ui0H5dXuwRdr5/CW0k81i8K3lKZ3hP2Lf
+bGhOLNX7akLMcB1yCf7oqmZaGeSpgMApcrwVlQFXgAAw64Cxp2vabxmKCcgoXUmX
+dyVfOg3lUIsXvCjKUMIBmlYoIFwPhIgJW7SYzFThKv73gnXyJPy4U20VvpWv6wcr
+duJNyknchgtvThLgD84AOR0BA5/w86xypFhaqjJhxkFjAo31qvsecFRbwz4KW5pJ
+f4mUC5J7S/QpAFMTy3GTplonqYU=
+=0O9l
+-----END PGP PUBLIC KEY BLOCK-----

data/test/pablo_escobar_seckey.asc

@@ -0,0 +1,58 @@
+-----BEGIN PGP PRIVATE KEY BLOCK-----
+Version: GnuPG v1.4.10 (GNU/Linux)
+
+lQOYBE3iyn0BCADgFkThsahECiM8Po0vIr8A7U6sI7qIQ2tG4Uq0HIx4sMtgffG7
+F9TGTlLBgSZuog6BnxAg7A7q4IYg1Xnvuf8kl4Ade7AE5vhjXdoWUkuvZanJduXh
+yxdQ7EqnLgqGHXfZXxB+OlWCPofpb5L4OLURYLTUQHuCrfQ2fEzXCu/wsTd8JbwY
+k/EgpwCRWMhtH9vbMbmca8AvrsLK/fv0H4fNQiVJf0ZaKPM0fHy4II4fXQy9pmaf
+qFF4og5IMIy2CYoPQxGGN1e37sSbJUlaxkJBUQAK5mQ1jqwKe/2+p9qJPcMDWH6h
+M1FcOgD7wlb9f7lDNyW+Wp/pdxz0afZ3po3hABEBAAEAB/oDTfLDtwNnpvRecF/z
+va3+QxGbnl6DIUbjBYIc8jWUV0uVe3/5wcQFjVzBLaDR5XYELXK/AIonBqr1r543
+5bjUat9E2AjIRrlrmjQDy6CB+HRitBwXWn/IVcazTM2TDRrSB9nJ+b1ecYJ+s9Jx
+koEBjcj23xFPM9ZfyhEWQ/sWNBjAOfuu7ApmebkGeA/synJxJz7qgzvmF41n/LOj
++JWps4PvCEwQQuaaJBJpa+oxzamTAj51JKOU532W9UWlcPeL87le/tnFOaoeMEjp
+knaMdWai2ZlOTDPBXkXl99u/HpLtuEo0NMMZvxeLuoMWCt0Bt7SVvsgCELv7+Iln
+7oCBBADsFTZq8M+ah7sxped2KQlDySe65CgrQvW/7Jy7gyT/fkrS+YPlfgEjoUx+
+Bd692fVhLwHO+fzOK73ddwp5Sl8TC2WjFaKST1OL0a7vnrAHMebmWpMChtz308/B
+1soQXp0CUsfx3W/y+ubuQTFn/D70lTK6rhPwjhh+f6CvnvdAIQQA8v3564Mgv9If
+FLeZrdMUh3SDEIxJGgdOtTZT+TCRM/sltTQGR5jdwq8BKVypH4gL1dP+N44Rs3dB
+M7HYc69QvImDYeYNCy/nZx2Owolo7WKi8aPyMRX7k+lROSSsad5BLkbIS94cuJby
+aPtIjT7z52icBVvWoq7LqGsDSYlslcED/3EdB/o4OUhrSVoKh4889BTS1rK6Nz4U
+agLA7RB26iP0lLqA2iL6SVHscvVrbIv2F/BmIe90QdTXlydoquEnmhZ16JHXo+B7
+2cfJt66cEm1SjCbOWd0bk8sQvnLjrRaGY8yQmhQ6Vai5w5cUZvjnZX1wXsG0e5xV
+druifcEqhiZ8TVm0RlBhYmxvIEVzY29iYXIgKElOU0VDVVJFIHJ1YnlnZW1zLW9w
+ZW5wZ3AgdGVzdCBrZXkpIDxwYWJsb0BleGFtcGxlLm9yZz6JATcEEwEIACEFAk3i
+yn0CGwMFCwkIBwMFFQoJCAsFFgIDAQACHgECF4AACgkQVd0SUQAeGtZdgwf+IxeO
+4kW7LrxtvL9s4YvrydRXVYbfyHoVYNp+g4cZapFtKtC9Zt7ZfEPXiaWAT1uJ8vXc
+4tqfnVuGy99yVn/Xif5cMmhQs5uMtvUYKxPWEpiGOa+L5F3NevErTgzbFWRtAn/o
+Q7C5kk52WyyS1lndcYnHRmZpBFDVCa9cW0zKKZJNCydiLoBNtN1HzaKbRNd8XPBV
+2guYdZCU9Q+y9jyUoblslHAuuaRvq76XtgdRrI4L1H4Ply2I1cdNbv/8NAb9+l5s
+2X6CCflZheKD1pHPcWiJQ7FfYekefd2wPBWoZSdXMotgr1pV4Mj5iysfhhChJ4lz
+x1198+Q8aftkcWNdZZ0DmARN4sp9AQgAtMJHaSLF62nvFjSFmiIbv/GyoVD4XZKf
+I8/9G9DO+ODPNf9X6PuyXfPsHkxMW7lKgvMQ3DOn/RZWgSIB3YqX8mJA/LOVqA7e
+8cy6TFI10zD6tln5CMbnpVwfTUTn9m/CEnPFl6OuaWzmvOGf3P9oPSjUCukPvzkJ
+b46tCOluLtqGxKrom+hGczjZfYvbbmjeTu7QNNcmtcNYP1LFiR3I1iaFDjRUgdC3
+7WFTeF5agVVdpEIyUmggB86NHiT3r7a189iBKcaGU3JN+ZqzaeQ5TrN/Os7IaCDL
+czTOe2mdBYho8l6bEhc5Tdy1JJPAjaagl8ESH0Bx0S7MPnu9sThmiwARAQABAAf+
+Palyu9pJYwvRrCUBmHlfNwTH94DMIPuV/x0CDn2WRU9HUHfJMOi/yY4es506hSW5
+1d7+FugmO89ldgq4US9osx4yZiILAPgFtL2upb97rg4s0Izzx7s2pXG+GdlSOf6Y
+2TuWIasMIdmtAq0DIFweXpKxdwFXRle6MMyemYYr+J4vfmSro2VT41Ym4/fbzHdp
+xmOfFFWNmHnM119a/kWf8k9p7ELWioXx0haRhgZyexInScQMRELRtAdt41WnTfVL
+YareLFVXzJlqyqqjdCHaJ1xJdDDBEgKXqMA2wvTUIYLKV/4i+gIMtWsvl3/luZbF
+Y2pTerkOoabcrKEChxwmIQQA0V0GKUDkChWlF+KeSUdAU7879RMvyTdhY37kjfdz
+JEBsQK+YHMNch0ULHBYBXGkLPZAChi6CG/a5wCOSCiBiRUu7xCS4mA4AuMgwQIGH
+zzYLbF73PHKL6n8PwxGrxIsaXP4jMq5HlLlpzhYcoOpgSFYadSsvZa+UgjIqLKlm
+dKEEAN0GFK3ELmCTq5sPdcT9pwkbQa6pqjqNHA0MXrs8E37WiPlx5t+hrxJo7eAT
+k4hecP8nOX6ND85XXWNpKN518Th8NP409uPkSuRJ3TUdsgL9pQ76KU1wylcyUAZp
+ruyZYd7UMWN/rSUUymvE7ajnjlYUIxuEw6ocJX4052YICR+rBACu4tBu++LspCtF
++XILM0NoIR2kgqWp5vvXD5Zi4EGZoiIKM84Z8KMqibXaqAv+LuFQjJFcwis18q5g
+q4k+UA2WqjwQlIFXLM/zf6PZP10reNvwXxxmyjmIYCsJMxrfyGcR1eRsQzHTNbhq
+ICvihAjiWvCItxPVc2kxcSp42R7yJy32iQEfBBgBCAAJBQJN4sp9AhsMAAoJEFXd
+ElEAHhrWkm0H/RZQ/iRuE5K8u1t8J6VBzyQYRk20i4Yjsu4kWm1fbNEQoLqy75cH
+8wWDmVR3tSaUuQOQslGOVUZAZkB9feGZAzdoU+3Ui0H5dXuwRdr5/CW0k81i8K3l
+KZ3hP2LfbGhOLNX7akLMcB1yCf7oqmZaGeSpgMApcrwVlQFXgAAw64Cxp2vabxmK
+CcgoXUmXdyVfOg3lUIsXvCjKUMIBmlYoIFwPhIgJW7SYzFThKv73gnXyJPy4U20V
+vpWv6wcrduJNyknchgtvThLgD84AOR0BA5/w86xypFhaqjJhxkFjAo31qvsecFRb
+wz4KW5pJf4mUC5J7S/QpAFMTy3GTplonqYU=
+=1g/V
+-----END PGP PRIVATE KEY BLOCK-----

data/test/test_rubygems-openpgp.rb

@@ -0,0 +1,52 @@
+require 'test/unit'
+require 'rubygems_plugin'
+require 'rubygems/gem_openpgp'
+require 'tmpdir'
+require 'fileutils'
+
+class RubygemsPluginTest < Test::Unit::TestCase
+  UNSIGNED_GEM = "test/unsigned_hola-0.0.0.gem"
+  SIGNED_GEM = "test/openpgp_signed_hola-0.0.0.gem"
+  PABLOS_SECKEY = "test/pablo_escobar_seckey.asc"
+  PABLOS_PUBKEY = "test/pablo_escobar_pubkey.asc"
+
+  def in_tmp_gpg_homedir
+    gpg_home = Dir.mktmpdir()
+    `gpg --homedir=#{gpg_home} --import #{PABLOS_SECKEY}`
+    `gpg --homedir=#{gpg_home} --import #{PABLOS_PUBKEY}`
+    yield gpg_home
+    FileUtils.rm_rf(gpg_home)
+  end
+  
+  def test_gem_sign_and_verify
+    in_tmp_gpg_homedir do |gpg_home|
+      res = Gem::OpenPGP.verify_gem UNSIGNED_GEM, false, gpg_home
+      assert_match(/WARNING!!!/, res.join("\n"))
+
+      FileUtils.cp UNSIGNED_GEM, SIGNED_GEM
+    
+      assert_nothing_raised do
+        Gem::OpenPGP.sign_gem SIGNED_GEM, nil, gpg_home
+        Gem::OpenPGP.verify_gem SIGNED_GEM , nil, gpg_home
+      end
+    end
+  ensure
+    File.delete SIGNED_GEM
+  end
+  
+  def test_basic_sign_and_verify
+    in_tmp_gpg_homedir do |gpg_home|
+      data = "The mysterious case of Pablo Escobar's hippos - http://baraza.wildlifedirect.org/2009/07/15/the-curious-case-of-pablo-escobars-hippos/"
+
+      sig = Gem::OpenPGP.detach_sign data, key_id=nil, homedir=gpg_home
+      assert_nothing_raised do
+        Gem::OpenPGP.verify data, sig, false, homedir=gpg_home
+      end
+
+      # BAD SIG
+      assert_raise(Gem::OpenPGPException) do
+        Gem::OpenPGP.verify data + "\n", sig, false, homedir=gpg_home
+      end
+    end
+  end
+end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: rubygems-openpgp
 version: !ruby/object:Gem::Version
-  version: 0.1.1
+  version: 0.2.0
   prerelease: 
 platform: ruby
 authors:
@@ -20,6 +20,7 @@ extra_rdoc_files:
 - README.md
 files:
 - LICENSE
+- Rakefile
 - lib/rubygems_plugin.rb
 - lib/rubygems/commands/verify_command.rb
 - lib/rubygems/commands/vinstall_command.rb
@@ -27,6 +28,10 @@ files:
 - lib/rubygems/commands/sign_command.rb
 - lib/rubygems/gem_openpgp.rb
 - README.md
+- test/test_rubygems-openpgp.rb
+- test/pablo_escobar_seckey.asc
+- test/pablo_escobar_pubkey.asc
+- test/unsigned_hola-0.0.0.gem
 has_rdoc: true
 homepage: https://github.com/grant-olson/rubygems-openpgp
 licenses:
@@ -53,4 +58,8 @@ rubygems_version: 1.6.2
 signing_key: 
 specification_version: 3
 summary: Sign gems via OpenPGP
-test_files: []
+test_files:
+- test/test_rubygems-openpgp.rb
+- test/pablo_escobar_seckey.asc
+- test/pablo_escobar_pubkey.asc
+- test/unsigned_hola-0.0.0.gem

metadata.gz.asc

@@ -1,11 +1,11 @@
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1.4.10 (GNU/Linux)
 
-iQEcBAABAwAGBQJN4Z7WAAoJEP5F5V2hilTWbvoH/2OV8CHw4S/iTeELtnJSqKLV
-ihUyTOooY8WkT9t4ADmp/GcgyHLqsCYPl75eC8EOiKdsUC7PtffQuXxqaF2m3Bq2
-R7KOzLk/bLrv/888EK2kByno1K0+mrIQPuFj9AnDwUzwVs6mhCfgcfxa+pZ5kNoS
-lT0vduG6m6dcpsHbodorSaZE0/2MFzWX+2iiSaS3eRFB60PhaiZR3LH8HN3gjPBF
-OT6FOVKW6kAYUurjJhtQbYkXZe4nLJaRt17bNpO8iMnCs6qTUnCos23UAsEVqNAv
-UioVLiLiEJMWsYMTXglH9lLmjvKIImhs9ALXnCtKvk/Pv2DsQBkH49N9CbuqVAs=
-=sQxr
+iQEcBAABAwAGBQJN5CnWAAoJEP5F5V2hilTWFVcH/0qOUdBqaOts+c2uCVpeeWHu
+mqyvaIpiBWyeW4Jg+rADeqfGU77v6skr9RDrb91d/DfOam4ikgZIAzVuIGo/szsI
+qdphaRsvpLBgJcX/3JvtismRzzRwWPsh89nEO62ffvZRbCYG2EQ8cQYvG9+ZcN9e
+DPE4i3uPDqymiRL1PXka/owS7Tn70dOe5wJAgbba6jxaNwS/BAC4o8qsDzEDQzPi
+O/ik6C9mJROMpDqOPQh9MhfZYjC8KT2vAzhrBeogfbHFpPLigkeLoICGG9CCTdll
+GyWNwAUHvG4ubWuvdWkyRYQKcFBUow1uuAPFMhyqB3/vo0A2Kn1X5D8Ud+T/cs0=
+=kfmO
 -----END PGP SIGNATURE-----