rubygems-openpgp 0.5.1 → 0.6.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: a27451d6e26758ca9cb3db512fec5c6483392d36
-  data.tar.gz: 3e9f721469ccf9309a25f4fe7d895bae111b61ce
+  metadata.gz: f953d2ca99d4e3729240d2875767733e1e0d61e5
+  data.tar.gz: c1d76f6c5ceba471e2efefae1dea8b83d6789090
 SHA512:
-  metadata.gz: a6c6c39699fb3640371377564006161546c65b88ac3a4bd59795a9538361507efee838139214268bc8dbd96f8b21e04968014c018deb55b97b0bb57ad8da5e4a
-  data.tar.gz: d07cef4452b802434a04db1d889b7ddbaec358bff65e1f6aeb478ce75ba28d43103c68927d5371ec29893cf05f973c932caf69da232c43a0e6e66e89233a6698
+  metadata.gz: 3d7bc9fa5c42f35d23407754e21f02bf0e740ee9a7368e551f4122a1d2d4251dca69b9dc8dd367192af073400e31d82f3a9d57aca50bc3ae7e0ae7866a241e51
+  data.tar.gz: 3160f28a0fc53e54c6eb472b929401472570cee59210dfc43711e69959ba539933f87e5cee47826305a1305c2dae46656732cce770ce53c1a2bd5dc81d47d788

checksums.yaml.gz.asc

@@ -1,11 +1,11 @@
 -----BEGIN PGP SIGNATURE-----
-Version: GnuPG v1.4.11 (GNU/Linux)
+Version: GnuPG v2.0.17 (GNU/Linux)
 
-iQEcBAABAgAGBQJRPMQPAAoJEP5F5V2hilTWW+sH/2/BOMt7JmPMWieIfylXXTwr
-jQZ5/Dl/etX/96WufETnEChm8PbVad17F0NWN7kzGKWmCCW5PLBi95nvWaPWlKzD
-ol97AYq1dhV2R+z62jMJIvurROQkrw+jrOmatH8f3LdAj/NxiQNrhSlv3Zt+pz63
-yLnXSDQ9KqFz7+MnBL5acwERXsNz5KdeblhikBuMqhKwJ0hpH3fXM1wpjLTyfkui
-/v7EzET63Pa2zHPck7JPB/LOFwxBTDrk5GLCJ6xyn+TAZRMXu7npB15V+XLHr2ol
-POXBYzXFsGUdzp9Vsl4HU5BtewxhmGCYbtVZjellkpVvmQsloWBvxjy7RbppX0Y=
-=pp4I
+iQEcBAABAgAGBQJRRfxRAAoJEP5F5V2hilTWhIUIAJa7y+ItzX0u80MVLlR/fTlL
+ojiwoo3HoTQpTyUzpbcx2qV55paf9aPy/oWGGKKcsOTJV53rYcXBLz11Klx4ieJB
+TRAglWQD+XdmH4yGXsU5bjtpDGw3cwanBVTn+9xV29qKMipogrFcLrPHOPNx8wsy
+RWiaZD7vyQSptHsZVIOguoNkMpv4SUC13BqICurtm+MX9SSCwnxV5DYTPMugwWf7
+wIHIPX3HEvFSgLBnxaXsjB9BnzIO7D+xt7V946h+jlFMx0awPLvTfbhTUIedOE/j
+SMUasTxcILBJDUceSsI1TMEhmWpY6DDw81Zaj7B/CF0vBolaEuPlX7v60ZRK1vo=
+=d2zb
 -----END PGP SIGNATURE-----

data.tar.gz.asc

@@ -1,11 +1,11 @@
 -----BEGIN PGP SIGNATURE-----
-Version: GnuPG v1.4.11 (GNU/Linux)
+Version: GnuPG v2.0.17 (GNU/Linux)
 
-iQEcBAABAgAGBQJRPMQMAAoJEP5F5V2hilTWKkkH/i/IqVPslAtFi6vgLBSg+IBg
-XnAErSC9KCnkTTf2aSqL0ffbVCGmZ/ek8LO6KByil8mXUCFQEZPXwY2dSscXLgoZ
-i7UX/+S6bdUAlPX4fxXlGRSpWPW9Gba/U19Z0WJiGfGAXeUQpAk5p+mjeni7Fgek
-E+M5Ky4p+kkW/XqZrDDchoRGhoSusT4dVIwqg6W8LVw0kI9yA6GpX3/FUdMvpS3d
-ettbQj7SCZqLeJtUAR7P/ilj6+gInOjebbu6TQ6z9MZxupqS0JzGif9EtIfa0JOM
-IrYuQFVdOasPJeYpJre+yw0eTfAc5yyp5F6YOgxVU/1ur8rQBjZdyCE6sDlmI3s=
-=/RM3
+iQEcBAABAgAGBQJRRfxOAAoJEP5F5V2hilTWzQYH/1cMPlLm1UdI2elmZpoYdemn
+RQFLiPLrgjED8xYOaoLE2YEjMU3eMmCnPA9gZxErAEqcbArZJzV31q8DoOC25I9n
+lJa1JWIAVJP+gvXCdqTam9P4m5wxl/pO9dQlDPUR2/sbyPZ82jLJH8HV3MAyXjHo
+Vmul6cPZ94BskTD+Nj8/wkmHe7YHVl5b7lNrUgeG8RNo3v9c6PswrT5VG1kRi2sx
+8F/vw85pfThjtga/p4F5dZRqQ6YOBoHrM8qgp2Xq2wqEhEizGlMda+Xp1Qr8IQYG
+U/jEPJAGbwNTZlmtyfLMXz5MiAwS0Ejf2XR8P8nB3nZyUVNvtLziU/Lr7m9aXnA=
+=u5Oy
 -----END PGP SIGNATURE-----

data/README.md

@@ -59,7 +59,7 @@ rubygems-openpgp](http://www.rubygems-openpgp-ca.org/blog/the-complete-guide-to-
 A test gem **openpgp_signed_hola** is on rubygems.org.  To try out
 this extension:
 
-    gem install openpgp_signed_hola-0.0.0.gem --verify  --trust --get-key
+    gem install openpgp_signed_hola-0.0.0.gem --trust --get-key
 
 
 ### But That Just Failed!

data/lib/rubygems/commands/verify_command.rb

@@ -24,6 +24,16 @@ class Gem::Commands::VerifyCommand < Gem::Command
       options[:get_key] = true
     end
 
+    add_option("--trust",
+                 'Enforce gnupg trust settings.  Only install if trusted.') do |value, options|
+      Gem::OpenPGP.options[:trust] = true
+    end
+
+    add_option("--no-trust",
+                 "Ignoure gnupg trust settings,  even if --trust has previously been specified") do |value, options|
+      Gem::OpenPGP.options[:no_trust] = true
+    end
+
   end
 
   def arguments # :nodoc:

data/lib/rubygems/openpgp/gpg_helpers.rb

@@ -14,11 +14,29 @@ private
 
   # Tests to see if gpg is installed and available.
   def self.is_gpg_available
-    err_msg = "Unable to find a working gnupg installation.  Make sure gnupg is installed and you can call 'gpg --version' from a command prompt."
+    
     `gpg --version`
-    raise Gem::OpenPGPException, err_msg if $? != 0
+    abort_if_shell_error
   rescue Errno::ENOENT => ex
-    raise Gem::OpenPGPException, err_msg if $? != 0
+    abort_if_shell_error
+  end
+
+  def self.abort_if_shell_error
+    install_msg = <<FOO
+Couldn't find gpg.  Don't have it? It'll only take a few minutes to install.
+
+Windows installer available at http://gpg4win.org/
+
+OSX installer available at https://www.gpgtools.org/
+
+FOO
+    err_msg = "Unable to find a working gnupg installation.  Make sure gnupg is installed and you can call 'gpg --version' from a command prompt."
+
+    if $? != 0
+      puts install_msg
+      raise Gem::OpenPGPException, err_msg
+    end
   end
+  
 
 end

data/lib/rubygems/openpgp/owner_check.rb

@@ -0,0 +1,77 @@
+require 'rubygems/user_interaction'
+require 'gems'
+
+module Gem::OpenPGP
+  def self.check_rubygems_org_owner gem_name, fingerprint
+    uids_and_trust = get_good_uids(fingerprint)
+    owners = Gems.owners(gem_name).map { |o| o["email"] }
+    
+    good_owner_status = find_good_owner(uids_and_trust, owners)
+    if !good_owner_status
+      valid_uids = uids_and_trust.map { |x| x[:uid] }
+      say add_color("Couldn't match good UID against rubygems.org owners!", :red)
+      say add_color("\tGood User Ids: #{pretty_email_list(valid_uids)}", :red)
+      say add_color("\trubygems.org Owners: #{pretty_email_list(owners)}", :red)
+    end
+    
+    good_owner_status
+  rescue Errno::ECONNREFUSED, SocketError => ex
+    say add_color("Can't verify ownership.  Couldn't connect with rubygems.org.", :yellow)
+    return false
+  end
+
+private
+
+  def self.pretty_email_list list
+    list.select { |x| !(x.nil? || x.empty?)}.join(", ")
+  end
+  
+  # Extract good trusted UIDs from a given fingerprint
+  def self.get_good_uids fingerprint
+    good_uids = []
+
+    key_info = `gpg --with-colons --list-keys #{fingerprint}`
+    key_info.split("\n").each do |line|
+      line = line.strip
+      fields = line.split(":")
+
+      next if !['pub','uid'].include?(fields.first)
+
+      trust = fields[1]
+      next if ['r','i','d','e','n'].include? trust # clearly invalid
+
+      # If we're in --trust mode, we skip unknown uids.
+      if options[:trust]
+        next if !['f','m','u'].include?(trust)
+      end
+
+      uid = fields[9]
+      good_uids << {:uid => uid, :trust => trust}
+    end
+
+    good_uids
+  end
+  
+  # match up valid trusted uid with good owner if possible
+  def self.find_good_owner uids_and_trust, owners
+    good_owner = false
+
+    uids_and_trust.each do |u|
+      uid = u[:uid]
+      email = if uid.include? "<"
+                /<([^>]+)>/.match(uid)[1]
+              else
+                uid
+              end
+
+      if owners.include? email
+        say add_color("Owner check indicates #{email} is owner per rubygems.org...", :green)
+        good_owner = true
+      end
+    end
+
+    good_owner
+  end
+
+  
+end

data/lib/rubygems/openpgp/verification.rb

@@ -11,6 +11,7 @@ require 'rubygems/openpgp/keymaster'
 require 'rubygems/openpgp/options'
 require 'rubygems/openpgp/gpg_helpers'
 require 'rubygems/openpgp/openpgpexception'
+require 'rubygems/openpgp/owner_check'
 
 module Gem::OpenPGP
   extend Gem::UserInteraction
@@ -35,7 +36,7 @@ module Gem::OpenPGP
     homedir_flags = ""
     homedir_flags = "--homedir #{homedir}" if homedir
 
-    gpg_args = "#{get_key_params} #{homedir_flags} --verify #{sig_file.path} #{data_file.path}"
+    gpg_args = "#{get_key_params} #{homedir_flags} --with-colons --verify #{sig_file.path} #{data_file.path}"
     
     status_info = {:file_name => file_name}
     gpg_results = GPGStatusParser.run_gpg(gpg_args) { |message| verify_extract_status_info(message, status_info) }
@@ -86,7 +87,7 @@ module Gem::OpenPGP
         raise Gem::OpenPGPException, "Can't verify without sig, aborting!!!"
       end
       
-      begin
+       begin
         fingerprints << Gem::OpenPGP.verify(file_name, tar_files[file_name], tar_files[sig_file_name], get_key, homedir)
       rescue Gem::OpenPGPException => ex
         color_code = "31"
@@ -95,9 +96,12 @@ module Gem::OpenPGP
       end
     end
 
-    # Verify fingerprint
-    fingerprints.uniq.each do |fp|
+    fingerprints.uniq!
+    
+    # Verify fingerprint and owner
+    fingerprints.each do |fp|
       verify_gem_check_fingerprint gem_name, fp
+      owner_checks gem_name, fp
     end
     
   ensure
@@ -106,6 +110,17 @@ module Gem::OpenPGP
 
   private
 
+  def self.owner_checks gem_name, fp
+    if !check_rubygems_org_owner(gem_name, fp)
+      if options[:ignore_owner_check]
+        say add_color("Ignoring bad owner status because you told me to!",:yellow)
+      else
+        say add_color("Use --ignore-owner-check to install anyway.", :yellow)
+        raise Gem::OpenPGPException, "BADOWNER"
+      end
+    end
+  end
+
   # Extract the info we care about, throw away the rest  
   def self.verify_extract_status_info message, status_info
       case message.status
@@ -116,7 +131,7 @@ module Gem::OpenPGP
       when :SIG_ID
       when :VALIDSIG, :EXPSIG, :BADSIG
         status_info[:sig_status] = message.status
-        status_info[:primary_key] = "0x#{message.args[:primary_key_fpr][-9..-1]}"
+        status_info[:primary_key] = "0x#{message.args[:primary_key_fpr][-8..-1]}"
         status_info[:primary_key_fingerprint] = message.args[:primary_key_fpr]
       when :TRUST_UNDEFINED, :TRUST_NEVER, :TRUST_MARGINAL, :TRUST_FULLY, :TRUST_ULTIMATE
         status_info[:trust_status] = message.status

data/lib/rubygems/openpgp/verify_plugins.rb

@@ -27,6 +27,11 @@ i.add_option("--no-trust",
   Gem::OpenPGP.options[:no_trust] = true
 end
 
+i.add_option("--ignore-owner-check",
+             "Ignore a failed ownership check against rubygems.org") do |value, options|
+  Gem::OpenPGP.options[:ignore_owner_check] = true
+end
+
 i.add_option('--get-key', "If the key is not available, download it from a keyserver") do |key, options|
   Gem::OpenPGP.options[:get_key] = true
 end
@@ -34,7 +39,8 @@ end
 Gem.pre_install do |installer|
   begin
     # --no-verify overrides --verify
-    if Gem::OpenPGP.options[:verify] && !Gem::OpenPGP.options[:no_verify]
+    if (Gem::OpenPGP.options[:verify] && !Gem::OpenPGP.options[:no_verify]) ||
+        (Gem::OpenPGP.options[:trust] && !Gem::OpenPGP.options[:no_trust])
       Gem::OpenPGP.verify_gem(installer.gem,
                               Gem::OpenPGP.options[:get_key])
     end

data/test/test_rubygems-openpgp.rb

@@ -21,7 +21,7 @@ class RubygemsPluginTest < Test::Unit::TestCase
   end
   
   def test_gem_sign_and_verify
-    Gem::OpenPGP.stubs(:verify_gem_check_fingerprint => true)
+    Gem::OpenPGP.stubs(:verify_gem_check_fingerprint => true, :check_rubygems_org_owner => true)
 
     in_tmp_gpg_homedir do |gpg_home|
       assert_raise Gem::OpenPGPException do

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rubygems-openpgp
 version: !ruby/object:Gem::Version
-  version: 0.5.1
+  version: 0.6.0
 platform: ruby
 authors:
 - Grant Olson
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2013-03-10 00:00:00.000000000 Z
+date: 2013-03-18 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: gpg_status_parser
@@ -24,6 +24,20 @@ dependencies:
     - - '>='
       - !ruby/object:Gem::Version
         version: 0.4.0
+- !ruby/object:Gem::Dependency
+  name: gems
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: 0.7.1
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: 0.7.1
 - !ruby/object:Gem::Dependency
   name: mocha
   requirement: !ruby/object:Gem::Requirement
@@ -58,6 +72,7 @@ files:
 - lib/rubygems/openpgp/keymaster.rb
 - lib/rubygems/openpgp/verify_plugins.rb
 - lib/rubygems/openpgp/sign_plugins.rb
+- lib/rubygems/openpgp/owner_check.rb
 - lib/rubygems/openpgp/openpgpexception.rb
 - README.md
 - test/test_keymaster.rb
@@ -65,7 +80,7 @@ files:
 - test/pablo_escobar_seckey.asc
 - test/pablo_escobar_pubkey.asc
 - test/unsigned_hola-0.0.0.gem
-homepage: http://www.rubygems-openpgp-ca.org
+homepage: https://www.rubygems-openpgp-ca.org
 licenses:
 - BSD 3 Clause
 metadata: {}

metadata.gz.asc

@@ -1,11 +1,11 @@
 -----BEGIN PGP SIGNATURE-----
-Version: GnuPG v1.4.11 (GNU/Linux)
+Version: GnuPG v2.0.17 (GNU/Linux)
 
-iQEcBAABAgAGBQJRPMQJAAoJEP5F5V2hilTWl7cH/RTKsIhaeKPg3aQtITWGbtl4
-ro0lqKtd6ivNpCtXbcscUWD/pvGYHpZuLqel87Y+o9ZM7qIK7YSQtrcv3p00T048
-mA9+agepSKPbQmqus8yvQlL7M1mu7JHj4vXvC4XRf25nbbMaoDhJRx57L0Xn8s64
-ECC0L1uQSp0GNlB15aot8Z13iRwiC7xR1GVzuq1HuSVfpjiA2QlxXd6lcsFvF19F
-0hlck4dzt0j1jTWlcf3olBW1EWhG5j9+urH/LrWiW272f2efagLX5heDqHplxpFG
-fa/+qLCRPKpX6iUjblippya11MtTj+Dqydq3HX/DlsP8kxtvv5iYmf6Xy3Ho4QM=
-=MLkM
+iQEcBAABAgAGBQJRRfxJAAoJEP5F5V2hilTW6cIIAI02JVhjEr5UQYfNq7OF7D+T
+Icey5OmnmAOBlkZNiukGcQTT9LsbysXZoKelk3r6NFToO+vsWJK2wpRHfxkYIgkI
+O75DnYZ7Pcgd5foEtAWi0K0BHbKK9huGSX4vjMcXzN28EXiasDI9j1Eh6rOTsBdX
+eiJDeMMyvBZmAEcQH0hWoNtBhOYk3+BBTnGbt+ORTRBOON/hCtZPnVkG3HObruka
+KPafC3r9wQcvdvi1WvFiypaPvqo61lFCt8a0DBES2r8BKOjK08V+/vIRc+wTKikG
+uYnWDPYmbMSl00h6Nrc7u6+DPN5JlHAuz0L9HItQjBDJMCb+f45FgwNPa70C8qE=
+=uJVJ
 -----END PGP SIGNATURE-----