rubygems-openpgp 0.2.1 → 0.3.0

data.tar.gz.asc

@@ -1,11 +1,11 @@
 -----BEGIN PGP SIGNATURE-----
-Version: GnuPG v1.4.10 (GNU/Linux)
+Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
 
-iQEcBAABAwAGBQJN5DWgAAoJEP5F5V2hilTW75IIAJUEIDelhepL1KvM42I9qHLc
-RCmO29nWOXMwHHCkTE1PGxYoOKtv3WAPpSZE8fI/oeGycXoegC5XIspwPXfW4qJD
-GIsh8bPHEVrIKWwrpO5aUgVhtHk1nkJAiwA4MMZ9LxFoBLqLQ4bKKssE37rF9nfK
-OoVqdTuXHruiro6gUcfEv/aQAign6sN7Ok0wx29tF7sw1fYzUceGpw3GKGw+zwEp
-8IvjupGu+cA49rur23Rz/Alj7zCjcRSUjqQvF62l4QEa/Z4DhCKOe5qCfb8g6HSS
-K7lpgmmnTOnIxnec/lrWF7V6s3qhZrv3GfepqNKouG6BFAuasra+ZO+Z53zgeMs=
-=nWl0
+iQEcBAABCgAGBQJRF6UkAAoJEP5F5V2hilTWp4EH/Ah94Ny5XMyjejkTuTAZPZw8
+6jG5gQ0dl5l8c6VyXgLNwSDmCt0Rj5J1ZVvkz8LXj7xJpDyXu77Gk2FCDS30R7vH
+4C3LbUdIGv5FhMGQ2CiVgPNbi8CRsNmnFg15otY782Uvu8sMbspkrVi31wFvWCz7
+Ik9tHle42aNwg5sYhYWi4gIHiLfQ3l+g6C2YJ38R/hKdU9J3Vu9RWxk3aAsSsuTp
+aEDxGvTkX+N9vUEdDIvpkZ7iuhATxiP4TpZo3vFORe0iwo44XQaZJQPb4jMKmnJt
+b9Q7a1o/WpmcPrnGDaHvsjPj4P5dFzaktDaafBCo7GUsws7JhN1sKZX1F4GSVjc=
+=FURw
 -----END PGP SIGNATURE-----

data/README.md

@@ -1,52 +1,45 @@
 rubygems-openpgp
 ================
 
-This gem allows cryptographic signing of ruby gems with OpenPGP
-instead of the current method involving OpenSSL.  I think OpenPGP is a
-much better choice than X509 certificates for verifying open source
-components.
-
-My proposal as to why we should do so, and how to add certification
-infrastructure into place, follows.  Note this project doesn't attempt
-to address the issue of creating a ruby gem Signing Authority.
-
-Prerequisites
--------------
-
-A working installation of gpg.
+Software Assurance
+------------------
 
-An openpgp private key.
+To assure the validity of any software package, you need to:
 
-Getting Started with gpg
-------------------------
+* Verify that the package has not been corrupted or maliciously
+  tampered with by verifying the file's checksum.
 
-If you're unfamiliar with gpg, please read the [GNU Privacy
-Handbook](http://www.gnupg.org/gph/en/manual.html) .  If you're too
-lazy or impatient to do so, you can get started quickly by:
+* Verify that the checksum has not been tampered with by validating a
+  digital signature of that checksum.
 
-1. Installing the appropriate gpg package for your OS if you don't
-already have one.
+* Verify that the digital signature was produced by the package's
+  publisher by authenticating the public key that was used to generate
+  the digital signature.
 
-1. Running `gpg --gen-key` to create your key.
+If you can't do this, you can't verify the integrity of the package.
 
-If you use this key for anything more than a few local tests, please:
+This gem allows cryptographic signing of ruby gems with OpenPGP
+instead of the current built-in signing method involving X.509.
 
-1. Publish your public key so others can retrieve it.
-   `gpg --keyserver pool.sks-keyservers.net --send-keys <your-new-key-id>`
+[Read more about why we should use OpenPGP.](./doc/motivation.md)
+Here's the [slides](http://bit.ly/TUtT3S) and
+[video](http://vimeo.com/album/2255908/video/59297058) from a
+lightning talk I did at [Pittsburgh.rb](http://pghrb.heroku.com/).
+ 
+Prerequisites
+-------------
 
-1. Backup your private key.  It's irretrievable if lost or corrupted.
+A working installation of gpg.
 
-1. Generate a revocation certificate.  This allows you to invalidate a
-key if a malicious user gains access.
+An OpenPGP private key is required to sign gems, but not to verify.
 
-1. Read the GNU Privacy Handbook above.
+[Getting started with gpg.](./doc/getting-started-with-gpg.md)
 
 Signing example
 ---------------
 
-        gem build openpgp_signed_hola.gemspec
-        gem sign openpgp_signed_hola-0.0.0.gemspec
-        gem push opnepgp_signed_hola-0.0.0.gemspec
+    gem build openpgp_signed_hola.gemspec --sign
+    gem push opnepgp_signed_hola-0.0.0.gem
 
 Verification Example
 --------------------
@@ -54,209 +47,30 @@ Verification Example
 A test gem **openpgp_signed_hola** is on rubygems.org.  To try out
 this extension:
 
-        gem fetch openpgp_signed_hola
-        gem verify openpgp_signed_hola-0.0.0.gem
-        gem install openpgp_signed_hola-0.0.0.gem
+    gem install openpgp_signed_hola-0.0.0.gem --verify
 
 But That Just Failed!
 ---------------------
 
-The first time you do this, the `gem verify` command will probably
-fail.  This is because you don't have my public key.  To automatically
-retrieve the key from the keyservers, run:
-
-        gem verify --get-key openpgp_signed_hola-0.0.0.gem
-
-The key will be automatically downloaded, and verification should now
-succeed.
-
-There are security implications here.  You've downloaded the key based
-on the information contained in the gem itself.  If a malicious user
-has tampered with the gem, they could easily provide a forged OpenPGP
-key as well.  This is why your output includes the following warning:
-
-        gpg: WARNING: This key is not certified with a trusted signature!
-        gpg:          There is no indication that the signature belongs to the owner.
-
-You still don't know if this key *really* belongs to me.  If possible,
-you should verify the key signature through an out-band-channel.  This
-may be the project page, a release email from the author, or some
-other means.
-
-For example, you can obtain the fingerprint on my key from [my
-personal website](http://www.grant-olson.net/openpgp-key).
-
-I've also included it right here in the README hosted on github:
-
-        pub   2048R/E3B5806F 2010-01-11 [expires: 2012-01-04]
-              Key fingerprint = A530 C31C D762 0D26 E2BA  C384 B6F6 FFD0 E3B5 806F
-        uid                  Grant T. Olson (Personal email) <kgo@grant-olson.net>
-        uid                  Grant T. Olson (pikimal) <grant@pikimal.com>
-        sub   2048R/6A8F7CF6 2010-01-11 [expires: 2012-01-04]
-        sub   2048R/A18A54D6 2010-03-01 [expires: 2012-01-04]
-        sub   2048R/D53982CE 2010-08-31 [expires: 2012-01-04]
-
-Even better would be obtaining the key fingerprint from me personally,
-but this can often be impractical.
-
-In any case, you should verify the key fingerprint listed in the
-message from one of these alternate sources.  If they match, the
-signature is (hopefully) valid, assuming an attacker hasn't managed to
-compromise rubygems, github, and my personal website.
-
-If the fingerprints DO NOT match, you probably want to delete the
-invalid key from your keyring:
-
-        gpg --delete-key <<KEY_ID>>
-
-If you feel confident that the key is valid based on your external
-fingerprint checks, you can make a signature on your gpg keyring.  I
-would advise making a local signature unless you've validated the
-fingerprint in person.  This means that you feel confident that the
-key is valid, but you're not making any representations to the outside
-world.  To do so, run:
-
-        gpg --lsign <<KEY_ID>>
-
-After this, you will no longer receive WARNINGs about untrusted
-sources for any gems signed by this key/author.
-
-Unfortunately, authentication is a hard problem.  See my proposal
-below for a potential solution to provide reasonable assurances about
-key validity without having to manually confirm everything.
-
-Motivation
-----------
-
-### Why we should sign gems with gpg
-
-Gems are currently signed via X509 certificates generated by OpenSSL.
-I don't think X509 signatures are the way to go.  I think we should use
-OpenPGP signatures instead.
-
-1. Self-signed X509 certificates are basically worthless.  There's no
-easy way to verify that the key is legitimate.  OpenPGP certificates
-are designed to be generated by you, and then signed by other people
-to validate their authenticity.
-
-2. Setting up an X509 CA will take some resources.  OpenPGP already
-has a dedicated pool of servers run by volunteers at
-pool.sks-keyservers.net.
-
-3. The current generation policy isn't so good.  Your private key
-isn't encrypted.  It's a strange file in a strange location that could
-easily be lost.  In gpg, all files are stored in ~/.gnupg.  Private
-keys are encrypted by default.
-
-4. gpg has better tooling and documentation than openssl.  There are
-plenty of things like Seahorse or GPA to examine your keys.  Policies
-are documented and explained.
-
-5. gpg allows the user to decide their default threat model and key
-verification model.  X509 assumes you trust the powers that be.
-
-6. The OpenPGP certificate will (optionally) be tied to the owner's
-real life id, if (for example) they sign release emails, use git's
-signing functionality on release tags, sign binary releases.  This
-makes it easier to verify that the key isn't forged.  (See trust model
-3 below.)
-
-The way I envision it, a gem maintainer would generate and publish a
-key with gpg if they didn't already have one.  He would put the key id
-in the gem configuration file.  When he builds the gem, gpg kicks in
-and signs it.
-
-An end user who wants to verify the key runs a command after fetching
-the gem.  If they have the key, we run gpg and verify the signature.
-If not, we provide the key id so they can download it manually with
-gpg.
-
-The code to implement this should be pretty simple.
-
-### Authenticating keys / Certificate authority
-
-With gpg, the user can determine their trust model.
-
-1. The current model.  The user doesn't care.  They don't check gpg
-sigs.  All is well.  I imagine this will still be the model used by a
-strong majority of users.
-
-2. The user uses the OpenPGP web of trust.  To be honest, this is a
-PITA.  It involves getting into the strong set by meeting people in
-person and exchanging key fingerprints to make sure that there's no
-man-in-the-middle attack.  And even if the user is in the strong set,
-there's no guarantee the gem maintainer is.
-
-3. Continuity model.  I downloaded the signing key for Ubuntu about four
-releases ago.  Even though I haven't done full verification, there
-haven't been any reports of problems, and the next three releases were
-signed by the same key.  If the key changed and gpg couldn't verify the
-next Ubuntu release, it would raise some eyebrows.  You can use the same
-philosophy with gems.
-
-4. Simulated CA.  Similar to the way a distributed source control system
-can be used as a centralized system, the OpenPGP web of trust can be
-setup to act as if there's a certificate authority.
-
-For an example of option 4, look at the PGP Corp Global Directory[1].
-You go to the website and submit your public key.  It sends you an email
-that you need to reply to.  If you reply, signs your key and
-publishes the information.  If another user trusts the Global Directory
-key, they will now trust your key.
-
-Technically, this is subject to a man-in-the-middle attack.  But it's
-the same policy that gets used when I forget my password at something
-like Amazon.  And Amazon has my credit card info.  I think the
-procedure is valid against all but the most exotic attacks as long as
-its limitations are known and documented.
-
-[For conciseness' sake, I'm just going to pretend we've agreed that
-rubygems.org is the Signing Authority.  It will probably be a more
-beta application, at least at first.  Right now I'm more concerned
-with presenting the model.]
-
-rubygems.org could:
-
-1. Allow gem publisher to upload a private key from their account page.
-
-2. Upon receipt of key, send an email to the gem publisher's email
-containing an encrypted token.
-
-3. The gem publisher decrypts the token,
-
-4. The gem publisher posts the decrypted token onto a form at the
-website and submits.  This establishes the gem publisher has control of
-(a) the email address, and (b) the OpenPGP key.  (Excluding a possible
-mitm at the network level.)
-
-5. rubygems.org signs the key with it's own signing key, possibly with a
-6 month or 1 year expiration date.
-
-6. The new signature is submitted to the keyservers at
-pool.sks-keyservers.net, making the verification available world-wide.
+You probably don't have my public key yet.  You need my public key to
+verify the digital signature.  You also want to perform some
+authentication of that public key.
 
-Now an unrelated gem user can configure gpg to trust the rubygems
-signing key.  When they download the gem from above and retrieve the gem
-publisher's key, they will see that the key is valid because it's
-trusted by rubygems.  If it's not trusted, it's up to User B to
-investigate and determine if they trust the gem or not.
+[Notes on retrieving and authenticating public keys.](./doc/retrieving-and-authenticating-keys.md)
 
-Note that the relationship between these keys isn't contained in the
-gem.  It's contained on the keyservers.  If another website or mirror
-provides the same gem with the same signature, it will still show up as
-valid, assuming the gem user trusts the rubygems.org signing key.
+Verifying your initial install
+------------------------------
 
-### In the year 2038
+All versions of this gem should be signed.  But the first time you
+install the package you run into a bit of a chicken-and-the-egg
+problem.  You can't verify the package until you've installed a copy.
+But if that copy isn't verified, if could already be compromised.
 
-Assuming all goes well, most people are signing their gems, and the
-community likes the feature, we could configure a keyring for use by
-gems only, similar to the way apt-get maintains its own keyring.
+But don't worry.  You can use a stand-alone signature to verify your
+initial install.  Since the stand-alone signature is on github, and
+the software package is on rubygems.org, a malicious user would need
+to compromise both sites to publish a compromised gem and
+compromised/forged digital signature.
 
-This keyring would automatically include the rubygems.org signing key on
-installation.  When downloading a new gem, verification will happen
-automatically.  If the key isn't on the gem keyring it will be
-downloaded automatically.  If the key isn't trusted, the user will
-receive a warning and asked if they want to continue.  If the signature
-check fails, the gem will not be installed.
+[Notes on verifying the initial install.](./doc/verifying-initial-install.md)
 
-[1] https://keyserver.pgp.com/vkd/GetWelcomeScreen.event

data/lib/rubygems/commands/sign_command.rb

@@ -38,8 +38,7 @@ class Gem::Commands::SignCommand < Gem::Command
   def execute  # :nodoc:
     version = options[:version] || Gem::Requirement.default
     gem, specs = get_one_gem_name, []
-    output = Gem::OpenPGP.sign_gem gem, key=options[:key]
-    say output.join("\n")
+    Gem::OpenPGP.sign_gem gem, key=options[:key]
   end
   
 end

data/lib/rubygems/commands/verify_command.rb

@@ -1,5 +1,6 @@
 require 'rubygems/command'
 require 'rubygems/package'
+require 'rubygems/user_interaction'
 require 'rubygems/version_option'
 require 'rubygems/gem_openpgp'
 
@@ -12,6 +13,7 @@ require 'rubygems/gem_openpgp'
 class Gem::Commands::VerifyCommand < Gem::Command
 
   include Gem::VersionOption
+  include Gem::UserInteraction
 
   def initialize # :nodoc:
     super 'verify', 'Verifies a local gem that has been signed via OpenPGP.  This helps to ensure the gem has not been tampered with in transit.'
@@ -39,8 +41,10 @@ class Gem::Commands::VerifyCommand < Gem::Command
   def execute # :nodoc:
     version = options[:version] || Gem::Requirement.default
     gem, specs = get_one_gem_name, []
-    output = Gem::OpenPGP.verify_gem gem, get_key=options[:get_key]
-    say output.join("\n")
+    Gem::OpenPGP.verify_gem gem, get_key=options[:get_key]
+  rescue Gem::OpenPGPException => ex
+    alert_error(ex.message)
+    terminate_interaction(1)
   end
   
 end

data/lib/rubygems/gem_openpgp.rb

@@ -1,5 +1,7 @@
 require 'rubygems'
 require 'rubygems/package'
+require 'rubygems/user_interaction'
+require 'shellwords'
 require 'open3'
 require 'tempfile'
 
@@ -9,6 +11,8 @@ class Gem::OpenPGPException < RuntimeError; end
 # A wrapper that shells out the real OpenPGP crypto work
 # to gpg.
 module Gem::OpenPGP
+  extend Shellwords
+  extend Gem::UserInteraction
 
   # Given a string of data, generate and return a detached
   # signature.  By defualt, this will use your primary secret key.
@@ -20,10 +24,10 @@ module Gem::OpenPGP
     is_homedir_valid homedir if homedir
 
     key_flag = ""
-    key_flag = "-u #{key_id}" if key_id
+    key_flag = "-u #{shellescape(key_id)}" if key_id
 
     homedir_flag = ""
-    homedir_flag = "--homedir #{homedir}" if homedir
+    homedir_flag = "--homedir #{shellescape(homedir)}" if homedir
 
     cmd = "gpg #{key_flag} #{homedir_flag} --detach-sign --armor"
     sig, err = run_gpg_command cmd, data
@@ -61,8 +65,6 @@ module Gem::OpenPGP
   # Optional param "key" allows you to use a different private
   # key than the GPG default.
   def self.sign_gem gem, key=nil, homedir=nil
-    output = []
-
     unsigned_gem = gem + ".unsigned"
 
     begin
@@ -77,14 +79,14 @@ module Gem::OpenPGP
     signed_gem = Gem::Package::TarWriter.new(signed_gem_file)
 
     Gem::Package::TarReader.new(unsigned_gem_file).each do |f|
-      output << f.full_name.inspect
+      say(f.full_name.inspect)
       
       if f.full_name[-4..-1] == ".asc"
-        output << "Skipping old signature file #{f.full_name}"
+        say("Skipping old signature file #{f.full_name}")
         next
       end
       
-      output << "Signing #{f.full_name.inspect}..."
+      say("Signing #{f.full_name.inspect}...")
 
       file_contents = f.read()
 
@@ -102,7 +104,6 @@ module Gem::OpenPGP
     unsigned_gem_file.close
     File.delete unsigned_gem_file
 
-    output
   rescue Exception => ex
     if unsigned_gem_file
       FileUtils.mv unsigned_gem_file, gem
@@ -112,7 +113,6 @@ module Gem::OpenPGP
   end
 
   def self.verify_gem gem, get_key=false, homedir=nil
-    output =[]
 
     begin
       file = File.open(gem,"r")
@@ -128,28 +128,28 @@ module Gem::OpenPGP
     
     tar_files.keys.each do |file_name|
       next if file_name[-4..-1] == ".asc"
-      output << "Verifying #{file_name}..."
+      say "Verifying #{file_name}..."
 
       sig_file_name = file_name + ".asc"
       if !tar_files.has_key? sig_file_name
-        output << "WARNING!!! No sig found for #{file_name}"
-        next
+        say add_color("WARNING!!! No sig found for #{file_name}", :red)
+        raise Gem::OpenPGPException, "Can't verify without sig, aborting!!!"
       end
       
       begin
         err, res = Gem::OpenPGP.verify(tar_files[file_name], tar_files[sig_file_name], get_key, homedir)
 
-        output << add_color(err, :green)
-        output << add_color(res, :green)
+        say add_color(err, :green)
+        say add_color(res, :green)
       rescue Gem::OpenPGPException => ex
         color_code = "31"
-        output << add_color(ex.message, :red)
+        say add_color(ex.message, :red)
+        raise
       end
     end
 
-    file.close
-    
-    output
+  ensure
+    file.close unless file.nil?
   end
 
 private
@@ -209,5 +209,9 @@ private
     #TODO - NO-OP on windows
     "\033[#{color_code}m#{s}\033[0m"
   end
-  
+
+  def self.options
+    @options ||= {}
+    @options
+  end
 end

data/lib/rubygems_plugin.rb

@@ -1,6 +1,56 @@
 require 'rubygems/command_manager'
+require 'rubygems/gem_openpgp'
 
 Gem::CommandManager.instance.register_command :sign
 Gem::CommandManager.instance.register_command :verify
-#Gem::CommandManager.instance.register_command :vinstall
-#Gem::CommandManager.instance.register_command :sbuild
+
+# gem build hooks
+b = Gem::CommandManager.instance[:build]
+b.add_option("--sign", "Sign gem with OpenPGP.") do |value, options|
+  Gem::OpenPGP.options[:sign] = true
+end
+
+b.add_option('--key KEY', "Specify key id if you don't want to use your default gpg key") do |key, options|
+  Gem::OpenPGP.options[:key] = key
+end
+
+class Gem::Commands::BuildCommand
+  alias_method :original_execute, :execute
+  def execute
+    original_execute
+
+    if Gem::OpenPGP.options[:sign]
+      gemspec = get_one_gem_name
+      if File.exist? gemspec then
+        spec = Gem::Specification.load gemspec
+        file_name = File.join(".", File.basename(spec.cache_file))
+        Gem::OpenPGP.sign_gem file_name, key=Gem::OpenPGP.options[:key]
+      end
+    end
+  end
+end
+
+# gem install hooks
+i = Gem::CommandManager.instance[:install]
+i.add_option("--verify",
+             'Verifies a local gem that has been signed via OpenPGP.' +
+             'This helps to ensure the gem has not been tampered with in transit.') do |value, options|
+  Gem::OpenPGP.options[:verify] = true
+end
+
+
+i.add_option('--get-key', "If the key is not available, download it from a keyserver") do |key, options|
+  Gem::OpenPGP.options[:get_key] = true
+end
+
+Gem.pre_install do |installer|
+  begin
+    if Gem::OpenPGP.options[:verify]
+      Gem::OpenPGP.verify_gem(installer.gem,
+                              Gem::OpenPGP.options[:get_key])
+    end
+  rescue Gem::OpenPGPException => ex
+    installer.alert_error(ex.message)
+    installer.terminate_interaction(1)
+  end
+end

data/test/test_rubygems-openpgp.rb

@@ -20,8 +20,9 @@ class RubygemsPluginTest < Test::Unit::TestCase
   
   def test_gem_sign_and_verify
     in_tmp_gpg_homedir do |gpg_home|
-      res = Gem::OpenPGP.verify_gem UNSIGNED_GEM, false, gpg_home
-      assert_match(/WARNING!!!/, res.join("\n"))
+      assert_raise Gem::OpenPGPException do
+        Gem::OpenPGP.verify_gem UNSIGNED_GEM, false, gpg_home
+      end
 
       FileUtils.cp UNSIGNED_GEM, SIGNED_GEM
     
@@ -31,7 +32,7 @@ class RubygemsPluginTest < Test::Unit::TestCase
       end
     end
   ensure
-    File.delete SIGNED_GEM
+    File.delete(SIGNED_GEM) if File.exists?(SIGNED_GEM)
   end
   
   def test_basic_sign_and_verify

metadata

@@ -1,30 +1,31 @@
---- !ruby/object:Gem::Specification
+--- !ruby/object:Gem::Specification 
 name: rubygems-openpgp
-version: !ruby/object:Gem::Version
-  version: 0.2.1
+version: !ruby/object:Gem::Version 
   prerelease: 
+  version: 0.3.0
 platform: ruby
-authors:
+authors: 
 - Grant Olson
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2010-05-30 00:00:00.000000000 -04:00
-default_executable: 
+
+date: 2013-02-10 00:00:00 Z
 dependencies: []
+
 description: Digitally sign gems via OpenPGP instead of OpenSSL
 email: kgo@grant-olson.net
 executables: []
+
 extensions: []
-extra_rdoc_files:
+
+extra_rdoc_files: 
 - README.md
-files:
+files: 
 - LICENSE
 - Rakefile
 - lib/rubygems_plugin.rb
 - lib/rubygems/commands/verify_command.rb
-- lib/rubygems/commands/vinstall_command.rb
-- lib/rubygems/commands/sbuild_command.rb
 - lib/rubygems/commands/sign_command.rb
 - lib/rubygems/gem_openpgp.rb
 - README.md
@@ -32,33 +33,34 @@ files:
 - test/pablo_escobar_seckey.asc
 - test/pablo_escobar_pubkey.asc
 - test/unsigned_hola-0.0.0.gem
-has_rdoc: true
 homepage: https://github.com/grant-olson/rubygems-openpgp
-licenses:
+licenses: 
 - BSD 3 Clause
 post_install_message: 
 rdoc_options: []
-require_paths:
+
+require_paths: 
 - lib
-required_ruby_version: !ruby/object:Gem::Requirement
+required_ruby_version: !ruby/object:Gem::Requirement 
   none: false
-  requirements:
-  - - ! '>='
-    - !ruby/object:Gem::Version
-      version: '0'
-required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      version: "0"
+required_rubygems_version: !ruby/object:Gem::Requirement 
   none: false
-  requirements:
-  - - ! '>='
-    - !ruby/object:Gem::Version
-      version: '0'
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      version: "0"
 requirements: []
+
 rubyforge_project: 
-rubygems_version: 1.6.2
+rubygems_version: 1.8.24
 signing_key: 
 specification_version: 3
 summary: Sign gems via OpenPGP
-test_files:
+test_files: 
 - test/test_rubygems-openpgp.rb
 - test/pablo_escobar_seckey.asc
 - test/pablo_escobar_pubkey.asc

metadata.gz.asc

@@ -1,11 +1,11 @@
 -----BEGIN PGP SIGNATURE-----
-Version: GnuPG v1.4.10 (GNU/Linux)
+Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
 
-iQEcBAABAwAGBQJN5DWkAAoJEP5F5V2hilTWHz8H/0Gw0Duf+dF97x6uiLCoviKg
-2Vq/Ok1oKgsE9WIh03wzs7mFCjIAyxttOm/hJJiUaiubyn/4KxiboLbJYq+ilJGN
-EMQA60jwEJ4+tKUh07CwNWlku2hXn7qduHjGLQxhpDXWLoxQe6MAmadlQnevIrYd
-I7TduvWa4MpkJnu7ChxS3nm0bO6EmLFYoRy/qR8h3uqch8L+QQDc+JaCtlebTwag
-gAF9iZFj8IoodH2UICAyfMG8UT7Gztw7ydxxgcuymUJmxR6VqpIFJWcG3KBQ7Il5
-pBK9xoc6U5Bxt0+EqTym4TTXttF9o7INRMvLbCQKsP861NWaPOGCiIMegAUDV9g=
-=MViY
+iQEcBAABCgAGBQJRF6UqAAoJEP5F5V2hilTW4WgIAL4AJ1PPxZv+AuAwxBOFgIqR
+m8tM5N9bNM+KVwBplbIpl1cP/VJFN6onDeNlEY0YlCSR/EHuCOvtjCB8AFquAy72
++zNxniM0d9zcEL0JRx2SLl44EBQOaFAYZ6VgLbkox9OuwUjSeEfdo66gfMtgdkHN
++Tl5XKjnu5cnszfBXqfHKLdSjhAYbk0TeGRicffFDLMn7jzwwmOd9uLMmG3CrPg0
+mZiZpYWoazFPDnQ+KKj12ojcUCjFc/D8Xy77e2G2PP8kVOKb79Gn6Fd+npJuXL1X
+/8Uzkrpwc3EGCpMzT0/q4EyHc35CkaFtdbAhd4n33Rob4j+yIhi0j72tttfv1Jk=
+=VFwb
 -----END PGP SIGNATURE-----

data/lib/rubygems/commands/sbuild_command.rb

@@ -1,35 +0,0 @@
-require "rubygems/command"
-require 'rubygems/version_option'
-
-# currently unimplemented.
-# This will build and sign with a single command.
-class Gem::Commands::SbuildCommand < Gem::Command # :nodoc:
-
-  include Gem::VersionOption
-
-  def initialize # :nodoc:
-    super 'sbuild', 'Build your gem, then sign it with OpenPGP'
-
-    add_version_option
-
-  end
-
-  def arguments # :nodoc:
-    "GEMNAME        name of gem to build"
-  end
-  
-  def defaults_str # :nodoc:
-    ""
-  end
-
-  def usage # :nodoc:
-    "blah blah"
-  end
-
-  def execute # :nodoc:
-    version = options[:version] || Gem::Requirement.default
-
-    raise "Not implemented yet"
-  end
-
-end

data/lib/rubygems/commands/vinstall_command.rb

@@ -1,37 +0,0 @@
-require "rubygems/command"
-require 'rubygems/version_option'
-
-# Currently unimplemented.
-# This will fetch, verify and install a gem.  Ideally it will do the
-# same with any dependencies that are downloaded, but this might be 
-# difficult in a gem.
-class Gem::Commands::VinstallCommand < Gem::Command # :nodoc:
-
-  include Gem::VersionOption
-
-  def initialize # :nodoc:
-    super 'vinstall', 'verify gem with GPG, and only install if sig check passes'
-
-    add_version_option
-
-  end
-
-  def arguments # :nodoc:
-    "GEMNAME        name of gem to build"
-  end
-  
-  def defaults_str # :nodoc:
-    ""
-  end
-
-  def usage # :nodoc:
-    "blah blah"
-  end
-
-  def execute # :nodoc:
-    version = options[:version] || Gem::Requirement.default
-
-    puts "Not implemented yet."
-  end
-
-end