RubyGems - rubygems-openpgp - Versions diffs - 0.2.1 → 0.3.0 - Mend

rubygems-openpgp 0.2.1 → 0.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (11) hide show

data.tar.gz.asc +8 -8
data/README.md +42 -228
data/lib/rubygems/commands/sign_command.rb +1 -2
data/lib/rubygems/commands/verify_command.rb +6 -2
data/lib/rubygems/gem_openpgp.rb +23 -19
data/lib/rubygems_plugin.rb +52 -2
data/test/test_rubygems-openpgp.rb +4 -3
metadata +27 -25
metadata.gz.asc +8 -8
data/lib/rubygems/commands/sbuild_command.rb +0 -35
data/lib/rubygems/commands/vinstall_command.rb +0 -37

data.tar.gz.asc CHANGED Viewed

@@ -1,11 +1,11 @@
 -----BEGIN PGP SIGNATURE-----
-Version: GnuPG v1.4.10 (GNU/Linux)
+Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
-iQEcBAABAwAGBQJN5DWgAAoJEP5F5V2hilTW75IIAJUEIDelhepL1KvM42I9qHLc
-RCmO29nWOXMwHHCkTE1PGxYoOKtv3WAPpSZE8fI/oeGycXoegC5XIspwPXfW4qJD
-GIsh8bPHEVrIKWwrpO5aUgVhtHk1nkJAiwA4MMZ9LxFoBLqLQ4bKKssE37rF9nfK
-OoVqdTuXHruiro6gUcfEv/aQAign6sN7Ok0wx29tF7sw1fYzUceGpw3GKGw+zwEp
-8IvjupGu+cA49rur23Rz/Alj7zCjcRSUjqQvF62l4QEa/Z4DhCKOe5qCfb8g6HSS
-K7lpgmmnTOnIxnec/lrWF7V6s3qhZrv3GfepqNKouG6BFAuasra+ZO+Z53zgeMs=
-=nWl0
+iQEcBAABCgAGBQJRF6UkAAoJEP5F5V2hilTWp4EH/Ah94Ny5XMyjejkTuTAZPZw8
+6jG5gQ0dl5l8c6VyXgLNwSDmCt0Rj5J1ZVvkz8LXj7xJpDyXu77Gk2FCDS30R7vH
+4C3LbUdIGv5FhMGQ2CiVgPNbi8CRsNmnFg15otY782Uvu8sMbspkrVi31wFvWCz7
+Ik9tHle42aNwg5sYhYWi4gIHiLfQ3l+g6C2YJ38R/hKdU9J3Vu9RWxk3aAsSsuTp
+aEDxGvTkX+N9vUEdDIvpkZ7iuhATxiP4TpZo3vFORe0iwo44XQaZJQPb4jMKmnJt
+b9Q7a1o/WpmcPrnGDaHvsjPj4P5dFzaktDaafBCo7GUsws7JhN1sKZX1F4GSVjc=
+=FURw
 -----END PGP SIGNATURE-----

data/README.md CHANGED Viewed

@@ -1,52 +1,45 @@
 rubygems-openpgp
 ================
-This gem allows cryptographic signing of ruby gems with OpenPGP
-instead of the current method involving OpenSSL.  I think OpenPGP is a
-much better choice than X509 certificates for verifying open source
-components.
-My proposal as to why we should do so, and how to add certification
-infrastructure into place, follows.  Note this project doesn't attempt
-to address the issue of creating a ruby gem Signing Authority.
-Prerequisites
--------------
-A working installation of gpg.
+Software Assurance
+------------------
-An openpgp private key.
+To assure the validity of any software package, you need to:
-Getting Started with gpg
-------------------------
+* Verify that the package has not been corrupted or maliciously
+  tampered with by verifying the file's checksum.
-If you're unfamiliar with gpg, please read the [GNU Privacy
-Handbook](http://www.gnupg.org/gph/en/manual.html) .  If you're too
-lazy or impatient to do so, you can get started quickly by:
+* Verify that the checksum has not been tampered with by validating a
+  digital signature of that checksum.
-1. Installing the appropriate gpg package for your OS if you don't
-already have one.
+* Verify that the digital signature was produced by the package's
+  publisher by authenticating the public key that was used to generate
+  the digital signature.
-1. Running `gpg --gen-key` to create your key.
+If you can't do this, you can't verify the integrity of the package.
-If you use this key for anything more than a few local tests, please:
+This gem allows cryptographic signing of ruby gems with OpenPGP
+instead of the current built-in signing method involving X.509.
-1. Publish your public key so others can retrieve it.
-   `gpg --keyserver pool.sks-keyservers.net --send-keys <your-new-key-id>`
+[Read more about why we should use OpenPGP.](./doc/motivation.md)
+Here's the [slides](http://bit.ly/TUtT3S) and
+[video](http://vimeo.com/album/2255908/video/59297058) from a
+lightning talk I did at [Pittsburgh.rb](http://pghrb.heroku.com/).
+Prerequisites
+-------------
-1. Backup your private key.  It's irretrievable if lost or corrupted.
+A working installation of gpg.
-1. Generate a revocation certificate.  This allows you to invalidate a
-key if a malicious user gains access.
+An OpenPGP private key is required to sign gems, but not to verify.
-1. Read the GNU Privacy Handbook above.
+[Getting started with gpg.](./doc/getting-started-with-gpg.md)
 Signing example
 ---------------
-        gem build openpgp_signed_hola.gemspec
-        gem sign openpgp_signed_hola-0.0.0.gemspec
-        gem push opnepgp_signed_hola-0.0.0.gemspec
+    gem build openpgp_signed_hola.gemspec --sign
+    gem push opnepgp_signed_hola-0.0.0.gem
 Verification Example
 --------------------
@@ -54,209 +47,30 @@ Verification Example
 A test gem **openpgp_signed_hola** is on rubygems.org.  To try out
 this extension:
-        gem fetch openpgp_signed_hola
-        gem verify openpgp_signed_hola-0.0.0.gem
-        gem install openpgp_signed_hola-0.0.0.gem
+    gem install openpgp_signed_hola-0.0.0.gem --verify
 But That Just Failed!
 ---------------------
-The first time you do this, the `gem verify` command will probably
-fail.  This is because you don't have my public key.  To automatically
-retrieve the key from the keyservers, run:
-        gem verify --get-key openpgp_signed_hola-0.0.0.gem
-The key will be automatically downloaded, and verification should now
-succeed.
-There are security implications here.  You've downloaded the key based
-on the information contained in the gem itself.  If a malicious user
-has tampered with the gem, they could easily provide a forged OpenPGP
-key as well.  This is why your output includes the following warning:
-        gpg: WARNING: This key is not certified with a trusted signature!
-        gpg:          There is no indication that the signature belongs to the owner.
-You still don't know if this key *really* belongs to me.  If possible,
-you should verify the key signature through an out-band-channel.  This
-may be the project page, a release email from the author, or some
-other means.
-For example, you can obtain the fingerprint on my key from [my
-personal website](http://www.grant-olson.net/openpgp-key).
-I've also included it right here in the README hosted on github:
-        pub   2048R/E3B5806F 2010-01-11 [expires: 2012-01-04]
-              Key fingerprint = A530 C31C D762 0D26 E2BA  C384 B6F6 FFD0 E3B5 806F
-        uid                  Grant T. Olson (Personal email) <kgo@grant-olson.net>
-        uid                  Grant T. Olson (pikimal) <grant@pikimal.com>
-        sub   2048R/6A8F7CF6 2010-01-11 [expires: 2012-01-04]
-        sub   2048R/A18A54D6 2010-03-01 [expires: 2012-01-04]
-        sub   2048R/D53982CE 2010-08-31 [expires: 2012-01-04]
-Even better would be obtaining the key fingerprint from me personally,
-but this can often be impractical.
-In any case, you should verify the key fingerprint listed in the
-message from one of these alternate sources.  If they match, the
-signature is (hopefully) valid, assuming an attacker hasn't managed to
-compromise rubygems, github, and my personal website.
-If the fingerprints DO NOT match, you probably want to delete the
-invalid key from your keyring:
-        gpg --delete-key <<KEY_ID>>
-If you feel confident that the key is valid based on your external
-fingerprint checks, you can make a signature on your gpg keyring.  I
-would advise making a local signature unless you've validated the
-fingerprint in person.  This means that you feel confident that the
-key is valid, but you're not making any representations to the outside
-world.  To do so, run:
-        gpg --lsign <<KEY_ID>>
-After this, you will no longer receive WARNINGs about untrusted
-sources for any gems signed by this key/author.
-Unfortunately, authentication is a hard problem.  See my proposal
-below for a potential solution to provide reasonable assurances about
-key validity without having to manually confirm everything.
-Motivation
-----------
-### Why we should sign gems with gpg
-Gems are currently signed via X509 certificates generated by OpenSSL.
-I don't think X509 signatures are the way to go.  I think we should use
-OpenPGP signatures instead.
-1. Self-signed X509 certificates are basically worthless.  There's no
-easy way to verify that the key is legitimate.  OpenPGP certificates
-are designed to be generated by you, and then signed by other people
-to validate their authenticity.
-2. Setting up an X509 CA will take some resources.  OpenPGP already
-has a dedicated pool of servers run by volunteers at
-pool.sks-keyservers.net.
-3. The current generation policy isn't so good.  Your private key
-isn't encrypted.  It's a strange file in a strange location that could
-easily be lost.  In gpg, all files are stored in ~/.gnupg.  Private
-keys are encrypted by default.
-4. gpg has better tooling and documentation than openssl.  There are
-plenty of things like Seahorse or GPA to examine your keys.  Policies
-are documented and explained.
-5. gpg allows the user to decide their default threat model and key
-verification model.  X509 assumes you trust the powers that be.
-6. The OpenPGP certificate will (optionally) be tied to the owner's
-real life id, if (for example) they sign release emails, use git's
-signing functionality on release tags, sign binary releases.  This
-makes it easier to verify that the key isn't forged.  (See trust model
-3 below.)
-The way I envision it, a gem maintainer would generate and publish a
-key with gpg if they didn't already have one.  He would put the key id
-in the gem configuration file.  When he builds the gem, gpg kicks in
-and signs it.
-An end user who wants to verify the key runs a command after fetching
-the gem.  If they have the key, we run gpg and verify the signature.
-If not, we provide the key id so they can download it manually with
-gpg.
-The code to implement this should be pretty simple.
-### Authenticating keys / Certificate authority
-With gpg, the user can determine their trust model.
-1. The current model.  The user doesn't care.  They don't check gpg
-sigs.  All is well.  I imagine this will still be the model used by a
-strong majority of users.
-2. The user uses the OpenPGP web of trust.  To be honest, this is a
-PITA.  It involves getting into the strong set by meeting people in
-person and exchanging key fingerprints to make sure that there's no
-man-in-the-middle attack.  And even if the user is in the strong set,
-there's no guarantee the gem maintainer is.
-3. Continuity model.  I downloaded the signing key for Ubuntu about four
-releases ago.  Even though I haven't done full verification, there
-haven't been any reports of problems, and the next three releases were
-signed by the same key.  If the key changed and gpg couldn't verify the
-next Ubuntu release, it would raise some eyebrows.  You can use the same
-philosophy with gems.
-4. Simulated CA.  Similar to the way a distributed source control system
-can be used as a centralized system, the OpenPGP web of trust can be
-setup to act as if there's a certificate authority.
-For an example of option 4, look at the PGP Corp Global Directory[1].
-You go to the website and submit your public key.  It sends you an email
-that you need to reply to.  If you reply, signs your key and
-publishes the information.  If another user trusts the Global Directory
-key, they will now trust your key.
-Technically, this is subject to a man-in-the-middle attack.  But it's
-the same policy that gets used when I forget my password at something
-like Amazon.  And Amazon has my credit card info.  I think the
-procedure is valid against all but the most exotic attacks as long as
-its limitations are known and documented.
-[For conciseness' sake, I'm just going to pretend we've agreed that
-rubygems.org is the Signing Authority.  It will probably be a more
-beta application, at least at first.  Right now I'm more concerned
-with presenting the model.]
-rubygems.org could:
-1. Allow gem publisher to upload a private key from their account page.
-2. Upon receipt of key, send an email to the gem publisher's email
-containing an encrypted token.
-3. The gem publisher decrypts the token,
-4. The gem publisher posts the decrypted token onto a form at the
-website and submits.  This establishes the gem publisher has control of
-(a) the email address, and (b) the OpenPGP key.  (Excluding a possible
-mitm at the network level.)
-5. rubygems.org signs the key with it's own signing key, possibly with a
-6 month or 1 year expiration date.
-6. The new signature is submitted to the keyservers at
-pool.sks-keyservers.net, making the verification available world-wide.
+You probably don't have my public key yet.  You need my public key to
+verify the digital signature.  You also want to perform some
+authentication of that public key.
-Now an unrelated gem user can configure gpg to trust the rubygems
-signing key.  When they download the gem from above and retrieve the gem
-publisher's key, they will see that the key is valid because it's
-trusted by rubygems.  If it's not trusted, it's up to User B to
-investigate and determine if they trust the gem or not.
+[Notes on retrieving and authenticating public keys.](./doc/retrieving-and-authenticating-keys.md)
-Note that the relationship between these keys isn't contained in the
-gem.  It's contained on the keyservers.  If another website or mirror
-provides the same gem with the same signature, it will still show up as
-valid, assuming the gem user trusts the rubygems.org signing key.
+Verifying your initial install
+------------------------------
-### In the year 2038
+All versions of this gem should be signed.  But the first time you
+install the package you run into a bit of a chicken-and-the-egg
+problem.  You can't verify the package until you've installed a copy.
+But if that copy isn't verified, if could already be compromised.
-Assuming all goes well, most people are signing their gems, and the
-community likes the feature, we could configure a keyring for use by
-gems only, similar to the way apt-get maintains its own keyring.
+But don't worry.  You can use a stand-alone signature to verify your
+initial install.  Since the stand-alone signature is on github, and
+the software package is on rubygems.org, a malicious user would need
+to compromise both sites to publish a compromised gem and
+compromised/forged digital signature.
-This keyring would automatically include the rubygems.org signing key on
-installation.  When downloading a new gem, verification will happen
-automatically.  If the key isn't on the gem keyring it will be
-downloaded automatically.  If the key isn't trusted, the user will
-receive a warning and asked if they want to continue.  If the signature
-check fails, the gem will not be installed.
+[Notes on verifying the initial install.](./doc/verifying-initial-install.md)
-[1] https://keyserver.pgp.com/vkd/GetWelcomeScreen.event

data/lib/rubygems/commands/sign_command.rb CHANGED Viewed

@@ -38,8 +38,7 @@ class Gem::Commands::SignCommand < Gem::Command
   def execute  # :nodoc:
     version = options[:version] || Gem::Requirement.default
     gem, specs = get_one_gem_name, []
-    output = Gem::OpenPGP.sign_gem gem, key=options[:key]
-    say output.join("\n")
+    Gem::OpenPGP.sign_gem gem, key=options[:key]
   end
 end

data/lib/rubygems/commands/verify_command.rb CHANGED Viewed

@@ -1,5 +1,6 @@
 require 'rubygems/command'
 require 'rubygems/package'
+require 'rubygems/user_interaction'
 require 'rubygems/version_option'
 require 'rubygems/gem_openpgp'
@@ -12,6 +13,7 @@ require 'rubygems/gem_openpgp'
 class Gem::Commands::VerifyCommand < Gem::Command
   include Gem::VersionOption
+  include Gem::UserInteraction
   def initialize # :nodoc:
     super 'verify', 'Verifies a local gem that has been signed via OpenPGP.  This helps to ensure the gem has not been tampered with in transit.'
@@ -39,8 +41,10 @@ class Gem::Commands::VerifyCommand < Gem::Command
   def execute # :nodoc:
     version = options[:version] || Gem::Requirement.default
     gem, specs = get_one_gem_name, []
-    output = Gem::OpenPGP.verify_gem gem, get_key=options[:get_key]
-    say output.join("\n")
+    Gem::OpenPGP.verify_gem gem, get_key=options[:get_key]
+  rescue Gem::OpenPGPException => ex
+    alert_error(ex.message)
+    terminate_interaction(1)
   end
 end

data/lib/rubygems/gem_openpgp.rb CHANGED Viewed

@@ -1,5 +1,7 @@
 require 'rubygems'
 require 'rubygems/package'
+require 'rubygems/user_interaction'
+require 'shellwords'
 require 'open3'
 require 'tempfile'
@@ -9,6 +11,8 @@ class Gem::OpenPGPException < RuntimeError; end
 # A wrapper that shells out the real OpenPGP crypto work
 # to gpg.
 module Gem::OpenPGP
+  extend Shellwords
+  extend Gem::UserInteraction
   # Given a string of data, generate and return a detached
   # signature.  By defualt, this will use your primary secret key.
@@ -20,10 +24,10 @@ module Gem::OpenPGP
     is_homedir_valid homedir if homedir
     key_flag = ""
-    key_flag = "-u #{key_id}" if key_id
+    key_flag = "-u #{shellescape(key_id)}" if key_id
     homedir_flag = ""
-    homedir_flag = "--homedir #{homedir}" if homedir
+    homedir_flag = "--homedir #{shellescape(homedir)}" if homedir
     cmd = "gpg #{key_flag} #{homedir_flag} --detach-sign --armor"
     sig, err = run_gpg_command cmd, data
@@ -61,8 +65,6 @@ module Gem::OpenPGP
   # Optional param "key" allows you to use a different private
   # key than the GPG default.
   def self.sign_gem gem, key=nil, homedir=nil
-    output = []
     unsigned_gem = gem + ".unsigned"
     begin
@@ -77,14 +79,14 @@ module Gem::OpenPGP
     signed_gem = Gem::Package::TarWriter.new(signed_gem_file)
     Gem::Package::TarReader.new(unsigned_gem_file).each do |f|
-      output << f.full_name.inspect
+      say(f.full_name.inspect)
       if f.full_name[-4..-1] == ".asc"
-        output << "Skipping old signature file #{f.full_name}"
+        say("Skipping old signature file #{f.full_name}")
         next
       end
-      output << "Signing #{f.full_name.inspect}..."
+      say("Signing #{f.full_name.inspect}...")
       file_contents = f.read()
@@ -102,7 +104,6 @@ module Gem::OpenPGP
     unsigned_gem_file.close
     File.delete unsigned_gem_file
-    output
   rescue Exception => ex
     if unsigned_gem_file
       FileUtils.mv unsigned_gem_file, gem
@@ -112,7 +113,6 @@ module Gem::OpenPGP
   end
   def self.verify_gem gem, get_key=false, homedir=nil
-    output =[]
     begin
       file = File.open(gem,"r")
@@ -128,28 +128,28 @@ module Gem::OpenPGP
     tar_files.keys.each do |file_name|
       next if file_name[-4..-1] == ".asc"
-      output << "Verifying #{file_name}..."
+      say "Verifying #{file_name}..."
       sig_file_name = file_name + ".asc"
       if !tar_files.has_key? sig_file_name
-        output << "WARNING!!! No sig found for #{file_name}"
-        next
+        say add_color("WARNING!!! No sig found for #{file_name}", :red)
+        raise Gem::OpenPGPException, "Can't verify without sig, aborting!!!"
       end
       begin
         err, res = Gem::OpenPGP.verify(tar_files[file_name], tar_files[sig_file_name], get_key, homedir)
-        output << add_color(err, :green)
-        output << add_color(res, :green)
+        say add_color(err, :green)
+        say add_color(res, :green)
       rescue Gem::OpenPGPException => ex
         color_code = "31"
-        output << add_color(ex.message, :red)
+        say add_color(ex.message, :red)
+        raise
       end
     end
-    file.close
-    output
+  ensure
+    file.close unless file.nil?
   end
 private
@@ -209,5 +209,9 @@ private
     #TODO - NO-OP on windows
     "\033[#{color_code}m#{s}\033[0m"
   end
+  def self.options
+    @options ||= {}
+    @options
+  end
 end

data/lib/rubygems_plugin.rb CHANGED Viewed

@@ -1,6 +1,56 @@
 require 'rubygems/command_manager'
+require 'rubygems/gem_openpgp'
 Gem::CommandManager.instance.register_command :sign
 Gem::CommandManager.instance.register_command :verify
-#Gem::CommandManager.instance.register_command :vinstall
-#Gem::CommandManager.instance.register_command :sbuild
+# gem build hooks
+b = Gem::CommandManager.instance[:build]
+b.add_option("--sign", "Sign gem with OpenPGP.") do |value, options|
+  Gem::OpenPGP.options[:sign] = true
+end
+b.add_option('--key KEY', "Specify key id if you don't want to use your default gpg key") do |key, options|
+  Gem::OpenPGP.options[:key] = key
+end
+class Gem::Commands::BuildCommand
+  alias_method :original_execute, :execute
+  def execute
+    original_execute
+    if Gem::OpenPGP.options[:sign]
+      gemspec = get_one_gem_name
+      if File.exist? gemspec then
+        spec = Gem::Specification.load gemspec
+        file_name = File.join(".", File.basename(spec.cache_file))
+        Gem::OpenPGP.sign_gem file_name, key=Gem::OpenPGP.options[:key]
+      end
+    end
+  end
+end
+# gem install hooks
+i = Gem::CommandManager.instance[:install]
+i.add_option("--verify",
+             'Verifies a local gem that has been signed via OpenPGP.' +
+             'This helps to ensure the gem has not been tampered with in transit.') do |value, options|
+  Gem::OpenPGP.options[:verify] = true
+end
+i.add_option('--get-key', "If the key is not available, download it from a keyserver") do |key, options|
+  Gem::OpenPGP.options[:get_key] = true
+end
+Gem.pre_install do |installer|
+  begin
+    if Gem::OpenPGP.options[:verify]
+      Gem::OpenPGP.verify_gem(installer.gem,
+                              Gem::OpenPGP.options[:get_key])
+    end
+  rescue Gem::OpenPGPException => ex
+    installer.alert_error(ex.message)
+    installer.terminate_interaction(1)
+  end
+end

data/test/test_rubygems-openpgp.rb CHANGED Viewed

@@ -20,8 +20,9 @@ class RubygemsPluginTest < Test::Unit::TestCase
   def test_gem_sign_and_verify
     in_tmp_gpg_homedir do |gpg_home|
-      res = Gem::OpenPGP.verify_gem UNSIGNED_GEM, false, gpg_home
-      assert_match(/WARNING!!!/, res.join("\n"))
+      assert_raise Gem::OpenPGPException do
+        Gem::OpenPGP.verify_gem UNSIGNED_GEM, false, gpg_home
+      end
       FileUtils.cp UNSIGNED_GEM, SIGNED_GEM
@@ -31,7 +32,7 @@ class RubygemsPluginTest < Test::Unit::TestCase
       end
     end
   ensure
-    File.delete SIGNED_GEM
+    File.delete(SIGNED_GEM) if File.exists?(SIGNED_GEM)
   end
   def test_basic_sign_and_verify

metadata CHANGED Viewed

@@ -1,30 +1,31 @@
---- !ruby/object:Gem::Specification
+--- !ruby/object:Gem::Specification
 name: rubygems-openpgp
-version: !ruby/object:Gem::Version
-  version: 0.2.1
+version: !ruby/object:Gem::Version
   prerelease:
+  version: 0.3.0
 platform: ruby
-authors:
+authors:
 - Grant Olson
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2010-05-30 00:00:00.000000000 -04:00
-default_executable:
+date: 2013-02-10 00:00:00 Z
 dependencies: []
 description: Digitally sign gems via OpenPGP instead of OpenSSL
 email: kgo@grant-olson.net
 executables: []
 extensions: []
-extra_rdoc_files:
+extra_rdoc_files:
 - README.md
-files:
+files:
 - LICENSE
 - Rakefile
 - lib/rubygems_plugin.rb
 - lib/rubygems/commands/verify_command.rb
-- lib/rubygems/commands/vinstall_command.rb
-- lib/rubygems/commands/sbuild_command.rb
 - lib/rubygems/commands/sign_command.rb
 - lib/rubygems/gem_openpgp.rb
 - README.md
@@ -32,33 +33,34 @@ files:
 - test/pablo_escobar_seckey.asc
 - test/pablo_escobar_pubkey.asc
 - test/unsigned_hola-0.0.0.gem
-has_rdoc: true
 homepage: https://github.com/grant-olson/rubygems-openpgp
-licenses:
+licenses:
 - BSD 3 Clause
 post_install_message:
 rdoc_options: []
-require_paths:
+require_paths:
 - lib
-required_ruby_version: !ruby/object:Gem::Requirement
+required_ruby_version: !ruby/object:Gem::Requirement
   none: false
-  requirements:
-  - - ! '>='
-    - !ruby/object:Gem::Version
-      version: '0'
-required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: "0"
+required_rubygems_version: !ruby/object:Gem::Requirement
   none: false
-  requirements:
-  - - ! '>='
-    - !ruby/object:Gem::Version
-      version: '0'
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: "0"
 requirements: []
 rubyforge_project:
-rubygems_version: 1.6.2
+rubygems_version: 1.8.24
 signing_key:
 specification_version: 3
 summary: Sign gems via OpenPGP
-test_files:
+test_files:
 - test/test_rubygems-openpgp.rb
 - test/pablo_escobar_seckey.asc
 - test/pablo_escobar_pubkey.asc

metadata.gz.asc CHANGED Viewed

@@ -1,11 +1,11 @@
 -----BEGIN PGP SIGNATURE-----
-Version: GnuPG v1.4.10 (GNU/Linux)
+Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
-iQEcBAABAwAGBQJN5DWkAAoJEP5F5V2hilTWHz8H/0Gw0Duf+dF97x6uiLCoviKg
-2Vq/Ok1oKgsE9WIh03wzs7mFCjIAyxttOm/hJJiUaiubyn/4KxiboLbJYq+ilJGN
-EMQA60jwEJ4+tKUh07CwNWlku2hXn7qduHjGLQxhpDXWLoxQe6MAmadlQnevIrYd
-I7TduvWa4MpkJnu7ChxS3nm0bO6EmLFYoRy/qR8h3uqch8L+QQDc+JaCtlebTwag
-gAF9iZFj8IoodH2UICAyfMG8UT7Gztw7ydxxgcuymUJmxR6VqpIFJWcG3KBQ7Il5
-pBK9xoc6U5Bxt0+EqTym4TTXttF9o7INRMvLbCQKsP861NWaPOGCiIMegAUDV9g=
-=MViY
+iQEcBAABCgAGBQJRF6UqAAoJEP5F5V2hilTW4WgIAL4AJ1PPxZv+AuAwxBOFgIqR
+m8tM5N9bNM+KVwBplbIpl1cP/VJFN6onDeNlEY0YlCSR/EHuCOvtjCB8AFquAy72
++zNxniM0d9zcEL0JRx2SLl44EBQOaFAYZ6VgLbkox9OuwUjSeEfdo66gfMtgdkHN
++Tl5XKjnu5cnszfBXqfHKLdSjhAYbk0TeGRicffFDLMn7jzwwmOd9uLMmG3CrPg0
+mZiZpYWoazFPDnQ+KKj12ojcUCjFc/D8Xy77e2G2PP8kVOKb79Gn6Fd+npJuXL1X
+/8Uzkrpwc3EGCpMzT0/q4EyHc35CkaFtdbAhd4n33Rob4j+yIhi0j72tttfv1Jk=
+=VFwb
 -----END PGP SIGNATURE-----

data/lib/rubygems/commands/sbuild_command.rb DELETED Viewed

@@ -1,35 +0,0 @@
-require "rubygems/command"
-require 'rubygems/version_option'
-# currently unimplemented.
-# This will build and sign with a single command.
-class Gem::Commands::SbuildCommand < Gem::Command # :nodoc:
-  include Gem::VersionOption
-  def initialize # :nodoc:
-    super 'sbuild', 'Build your gem, then sign it with OpenPGP'
-    add_version_option
-  end
-  def arguments # :nodoc:
-    "GEMNAME        name of gem to build"
-  end
-  def defaults_str # :nodoc:
-    ""
-  end
-  def usage # :nodoc:
-    "blah blah"
-  end
-  def execute # :nodoc:
-    version = options[:version] || Gem::Requirement.default
-    raise "Not implemented yet"
-  end
-end

data/lib/rubygems/commands/vinstall_command.rb DELETED Viewed

@@ -1,37 +0,0 @@
-require "rubygems/command"
-require 'rubygems/version_option'
-# Currently unimplemented.
-# This will fetch, verify and install a gem.  Ideally it will do the
-# same with any dependencies that are downloaded, but this might be
-# difficult in a gem.
-class Gem::Commands::VinstallCommand < Gem::Command # :nodoc:
-  include Gem::VersionOption
-  def initialize # :nodoc:
-    super 'vinstall', 'verify gem with GPG, and only install if sig check passes'
-    add_version_option
-  end
-  def arguments # :nodoc:
-    "GEMNAME        name of gem to build"
-  end
-  def defaults_str # :nodoc:
-    ""
-  end
-  def usage # :nodoc:
-    "blah blah"
-  end
-  def execute # :nodoc:
-    version = options[:version] || Gem::Requirement.default
-    puts "Not implemented yet."
-  end
-end