sodium 0.6.0 → 0.6.1
- data.tar.gz.sig +0 -0
- data/CHANGELOG.md +8 -0
- data/README.md +22 -0
- data/VERSION +1 -1
- data/sodium.gemspec +9 -2
- metadata +1 -1
- metadata.gz.sig +0 -0
data.tar.gz.sig
CHANGED
Binary file
|
data/CHANGELOG.md
CHANGED
data/README.md
CHANGED
@@ -66,6 +66,26 @@ echo gem 'sodium' >> Gemfile
|
|
66
66
|
bundle
|
67
67
|
```
|
68
68
|
|
69
|
+
### Signed Gem
|
70
|
+
|
71
|
+
As of version 0.6.0, the `sodium` gem will be signed with the project's public key. Ruby support for gem signatures is still in its infancy, but it is functional. You must install our certificate before you can verify the gem signature. Start by downloading the certificate and verifying its checksum.
|
72
|
+
|
73
|
+
```sh
|
74
|
+
curl -O https://raw.github.com/stouset/sodium/master/certs/sodium@touset.org.cert
|
75
|
+
shasum -a 256 --check <(echo "6c731e7872dbfab18397d62ee9aa1215ef186a5f31358d1f041faa49301624a6 sodium@touset.org.cert")
|
76
|
+
```
|
77
|
+
|
78
|
+
Of course, if our GitHub repo has been compromised, someone can easily replace both the key in the repo and the checksum in these directions. Like I said, gem signatures are still in their infancy. I encourage you to verify this signature through alternate channels. For instance, you can at least examine the git history of the file, and ensure it hasn't been changed (unless otherwise announced).
|
79
|
+
|
80
|
+
Once you have the certificate and have confirmed its correctness to your satisfaction, install it and then the gem.
|
81
|
+
|
82
|
+
```sh
|
83
|
+
gem cert -a sodium@touset.org.cert
|
84
|
+
gem install sodium -P HighSecurity
|
85
|
+
```
|
86
|
+
|
87
|
+
Verifying the gem signature when using [bundler][bundler] is substantially more difficult and will not be covered here until it becomes more practical. If you're curious, feel free to read the [relevant literature][bundler-gem-signatures].
|
88
|
+
|
69
89
|
Documentation
|
70
90
|
-------------
|
71
91
|
|
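Review bot: the sentence "the `sodium` gem will be signed with the project's public key" is inaccurate; the gem is signed with the project's private key and users install the public certificate (`sodium@touset.org.cert`) to verify it. Rewording to "signed with the project's signing key; the matching certificate is distributed in `certs/`" avoids confusion about what is being installed with `gem cert -a`. Two smaller points on the fenced block: `<(echo ...)` is a bash process substitution, so the fence should say `bash` rather than `sh`, and `curl -O` without `-f` will happily save an HTTP error page under the certificate filename, which then fails the checksum step with a confusing message; `curl -fO` fails loudly instead. Finally, `-P HighSecurity` requires every gem in the install, including dependencies, to be signed, so it is worth stating that prerequisite next to the command so readers know why an install might be rejected.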
@@ -109,3 +129,5 @@ Fork, commit, push. Submit pull request. When possible, try and follow existing
|
|
109
129
|
[example-asymmetric-signatures]: examples/TODO
|
110
130
|
|
111
131
|
[gpg-key]: certs/sodium@touset.org.pub.gpg
|
132
|
+
|
133
|
+
[bundler-gem-signatures]: http://blog.meldium.com/home/2013/3/3/signed-rubygems-part
|
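Review bot: the new paragraph above references both `[bundler]` and `[bundler-gem-signatures]`, but this hunk only defines `[bundler-gem-signatures]`; if `[bundler]` is not already defined elsewhere in the README the link will render as literal bracketed text. Also consider an `https://` URL for the Meldium post so the reference to signature verification is not itself fetched over plain HTTP.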
data/VERSION
CHANGED
@@ -1 +1 @@
|
|
1
|
-
0.6.
|
1
|
+
0.6.1
|
data/sodium.gemspec
CHANGED
@@ -23,6 +23,13 @@ Gem::Specification.new do |gem|
|
|
23
23
|
gem.add_development_dependency 'minitest', '~> 5'
|
24
24
|
gem.add_development_dependency 'version', '~> 1'
|
25
25
|
|
26
|
-
gem
|
27
|
-
|
26
|
+
# bundler tries to build the gem on load, so only sign if the key is
|
27
|
+
# present; however, we still warn just in case we're legitimately
|
28
|
+
# packaging the gem for release but they key isn't available
|
29
|
+
if File.exist?('/Volumes/Sensitive/Keys/Gems/sodium@touset.org.key')
|
30
|
+
gem.signing_key = '/Volumes/Sensitive/Keys/Gems/sodium@touset.org.key'
|
31
|
+
gem.cert_chain = [ 'certs/sodium@touset.org.cert' ]
|
32
|
+
else
|
33
|
+
warn 'Building the sodium gem without a signature...'
|
34
|
+
end
|
28
35
|
end
|
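Review bot: the `else` branch only warns, so a release build run on a machine without the key produces an unsigned gem that differs from what the README promises, and a warning is easy to miss in `rake` output. Consider failing hard when a release is explicitly intended (for example, raise if an environment variable such as a hypothetical `SODIUM_RELEASE` is set and the key is missing) while keeping the warning for ordinary `bundle` loads. The key path is also a hard-coded absolute path on one developer's machine; reading it from an environment variable with that path as the default keeps the gemspec usable by other maintainers. Minor: the comment reads "they key isn't available" and should be "the key isn't available".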
metadata
CHANGED
metadata.gz.sig
CHANGED
Binary file
|