There are a lot of attacks that deal with spoofing dependencies and other supply chain attacks. Because thor is one of the most popular gems (and is a foundation for a lot of CLI-based apps), I think it makes sense to sign the gem releases so that users can be sure we're getting the genuine article.
By signing thor, any gem that depends on it can be installed with HighSecurity enabled.
This should be fairly trivial since thor has no runtime dependencies.
This is an older but still accurate step-by-step guide on how to do it.
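To make the trust model behind "sign the gem, install with HighSecurity" concrete, here is an added illustration that is not part of the issue or of thor itself. It mimics what RubyGems does with plain OpenSSL calls: the publisher hashes and signs the packaged gem data with a private key, and the consumer accepts it only if the signature verifies and the signing certificate is one it has explicitly trusted. The e-mail addresses, the gem bytes and the trust store are constructed for the example.

```ruby
require "openssl"

# Build a self-signed signing certificate, the rough equivalent of what
# `gem cert --build maintainer@example.invalid` writes to disk.
# The address is a constructed placeholder.
def build_signing_cert(email)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.new([["CN", email]])
  cert.issuer     = cert.subject              # self-signed
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 365 * 24 * 3600
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  [key, cert]
end

# Publisher side: sign the SHA-256 digest of the packaged gem bytes.
def sign_gem_data(data, key)
  key.sign(OpenSSL::Digest.new("SHA256"), data)
end

# Consumer side, modelled on the HighSecurity policy: the signing
# certificate must already be in the local trust store, must be valid
# now, and the signature must match the bytes being installed.
def verify_gem(data, signature, cert, trusted_certs)
  trusted = trusted_certs.any? { |t| t.to_der == cert.to_der }
  return [false, "signing certificate is not trusted"] unless trusted

  now = Time.now
  unless cert.not_before <= now && now <= cert.not_after
    return [false, "certificate expired or not yet valid"]
  end

  ok = begin
    cert.public_key.verify(OpenSSL::Digest.new("SHA256"), signature, data)
  rescue OpenSSL::PKey::PKeyError
    false
  end
  return [false, "signature does not match gem contents"] unless ok

  [true, "ok"]
end

# Walk through the three cases a consumer cares about: a genuine release,
# a release whose bytes were altered after signing, and a package signed
# by a key the consumer never chose to trust.
def demo
  maint_key, maint_cert = build_signing_cert("maintainer@example.invalid")
  gem_data = "constructed stand-in for the bytes of a thor .gem file"
  sig = sign_gem_data(gem_data, maint_key)

  # The consumer's trust store holds only the maintainer's certificate.
  trust_store = [maint_cert]

  other_key, other_cert = build_signing_cert("someone-else@example.invalid")
  other_sig = sign_gem_data(gem_data, other_key)

  {
    genuine:   verify_gem(gem_data, sig, maint_cert, trust_store),
    tampered:  verify_gem(gem_data + "\x00", sig, maint_cert, trust_store),
    untrusted: verify_gem(gem_data, other_sig, other_cert, trust_store)
  }
end

if $PROGRAM_NAME == __FILE__
  demo.each { |label, (ok, reason)| puts "#{label}: #{ok ? "accepted" : "rejected"} (#{reason})" }
end
```

With real gems the same steps map onto `gem cert --build`, setting `signing_key` and `cert_chain` in the gemspec, the consumer running `gem cert --add` for the maintainer's public certificate, and finally `gem install thor -P HighSecurity`. The untrusted case is the one HighSecurity exists for: a signature that verifies mathematically is still rejected unless the consumer has deliberately added that certificate to the trust store.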
We will sign this gem when Rubygems has a good way to sign gems. As it doesn't have one yet, I'll mark this closed, but I'll make sure we work on improving how Rubygems signs gems.
Perhaps for a single-person gem the approach of using certificates to sign gems is ok. But for a gem like Thor, which has several maintainers, passing a private certificate around is prone to so many attack vectors that it isn't worth doing.