Ho to sign with CA Certificate (Not self-signed)?

[gkerner]

Hi,

How can I sign gem packages with CA Certificate? apparently our private key cannot be extracted from the HSM- I have the certificate only.

This issue is related to:

• Network problems
• Installing a library
• Publishing a library
• The command line gem
• [X ] Other

Here are my current environment details:

$ gem env
RubyGems Environment:
  - RUBYGEMS VERSION: 3.0.3.1
  - RUBY VERSION: 2.6.8 (2021-07-07 patchlevel 205) [x64-mingw32]
  - INSTALLATION DIRECTORY: C:/Ruby26-x64/lib/ruby/gems/2.6.0
  - USER INSTALLATION DIRECTORY: C:/Users/..../.gem/ruby/2.6.0
  - RUBY EXECUTABLE: C:/Ruby26-x64/bin/ruby.exe
  - GIT EXECUTABLE: C:\Program Files\Git\cmd/git.EXE
  - EXECUTABLE DIRECTORY: C:/Ruby26-x64/bin
  - SPEC CACHE DIRECTORY: C:/Users/.../.gem/specs
  - SYSTEM CONFIGURATION DIRECTORY: C:/ProgramData
  - RUBYGEMS PLATFORMS:
    - ruby
    - x64-mingw32
  - GEM PATHS:
     - C:/Ruby26-x64/lib/ruby/gems/2.6.0
     - C:/Users/..../.gem/ruby/2.6.0
  - GEM CONFIGURATION:
     - :update_sources => true
     - :verbose => true
     - :backtrace => false
     - :bulk_threshold => 1000
  - REMOTE SOURCES:
     - https://rubygems.org/
  - SHELL PATH:
     - C:\Program Files\Python310\Scripts\
     - C:\Program Files\Python310\
     - C:\Program Files\Java\jdk1.8.0_211\bin
     - C:\Windows\system32
     - C:\Windows
     - C:\Windows\System32\Wbem
     - C:\Windows\System32\WindowsPowerShell\v1.0\
     - C:\Users\Administrator\AppData\Local\Microsoft\WindowsApps
     - C:\Dell\DELL EMC System Update
     - C:\Users\Administrator\AppData\Local\Microsoft\WindowsApps
     - C:\Dell\DELL EMC System Update
     - C:\Program Files\SafeNet\Authentication\SAC\x64
     - C:\Program Files\SafeNet\Authentication\SAC\x32
     - C:\Program Files\Git\cmd
     - C:\Program Files (x86)\Windows Kits\10\bin\10.0.18362.0\x64
     - C:\Hlkx
     - C:\Ruby26-x64\bin
     - C:\Users\....\AppData\Local\Microsoft\WindowsApps

[simi]

Hello @gkerner.

I think you can follow guide at https://guides.rubygems.org/security/#building-gems, but instead of generating self signed cert (step 1 and partly step 2) just provide your exisitng signing_key in gemspec (last part of step 2).

[gkerner]

Thanks for your reply. It's just that the private key isn't extractable (hsm protected) and cannot be converted to pem format.

[simi]

Key is passed to OpenSSL::PKey::RSA.new at

rubygems/lib/rubygems/security/signer.rb

Line 87 in e7e1487

@key = OpenSSL::PKey::RSA.new(File.read(@key), @passphrase)

so anything OpenSSL::PKey::RSA.new accepts can be used.

Do you have any idea (example) how to use HSM with Ruby OpenSSL bindings?

[gkerner]

No, this isn't a file, but an object handler

[gkerner]

But my main question is how to "bring" this object to the signing process. mention in gemspec file?

[deivid-rodriguez]

This fit better to me as a discussion so I migrated it.

[gkerner]

Can you review my latest question? I will really appreciate your answer.

[gkerner]

?