How to cryptographically sign your RubyGem
I recently decided to distribute MetricFu as a cryptographically signed gem, using the RubyGems gemspec.
I found it really hard to find documentation, so I’m sharing what I learned.
Signing and building your gem
1) Create self-signed gem cert
cd ~/.ssh
gem cert --build your@email.com
chmod 600 gem-p*
- gem cert --build writes gem-private_key.pem and gem-public_cert.pem into the current directory; the private key stays here (never commit it), only the public cert goes into the repository
- use the email address you specify in your gemspecs; it becomes the certificate subject (CN=user, one DC per label of the domain)
2) Configure gemspec with cert
- Add cert public key to your repository
cd /path/to/your/gem
mkdir certs
cp ~/.ssh/gem-public_cert.pem certs/yourhandle.pem
git add certs/yourhandle.pem
I named the cert in metric_fu bf4.pem since that is my github username
- Add cert paths to your gemspec
s.cert_chain = ['certs/yourhandle.pem']
s.signing_key = File.expand_path("~/.ssh/gem-private_key.pem") if $0 =~ /gem\z/
- the `if $0 =~ /gem\z/` guard sets the key only when the gemspec is evaluated by the gem command itself (gem build), so Bundler and other tools that load the gemspec on machines without the private key don't fail
3) Add your own cert to your approved list, just like anyone else
gem cert --add certs/bf4.pem
4) Build gem and test that you can install it
gem build metric_fu.gemspec
gem install metric_fu-4.5.1.gem -P HighSecurity
Example instructions for others to install
MetricFu is cryptographically signed. To be sure the gem you install hasn’t been tampered with:
Add my public key (if you haven't already) as a trusted certificate:
gem cert --add <(curl -Ls https://raw.github.com/metricfu/metric_fu/master/certs/bf4.pem)
Then install with the strictest policy:
gem install metric_fu -P HighSecurity
This may cause installation to fail if non-signed dependent gems are also being installed: HighSecurity refuses every unsigned gem, dependencies included, while MediumSecurity verifies signed gems and still lets unsigned ones through. The <(...) process substitution needs bash or zsh; under plain sh, save the .pem to a file and pass that path to gem cert --add. Note that fetching the cert from the same GitHub repository the gem comes from only ties the cert to that repository; check the fingerprint out of band if you need stronger assurance of who signed it.
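To make the four signing steps above and the installer's verification concrete, here is an added example in plain Ruby that is not code from MetricFu or from RubyGems itself. It mirrors what gem cert --build (self-signed cert whose subject is derived from the email), gem build with s.signing_key (a signature per archive member, cert chain shipped alongside), gem cert --add (a trust store of explicitly added certs) and gem install -P HighSecurity (reject unsigned, untrusted or tampered gems) do, using only the openssl standard library. All function names (build_self_signed_cert, sign_gem, verify_gem!, demo), the in-memory "gem" Hash, the choice of SHA-256 and the sample file contents are this example's own assumptions.

```ruby
require 'openssl'

ONE_YEAR = 365 * 24 * 60 * 60

# gem cert --build you@example.com derives the subject from the address:
# CN=you, then one DC component per domain label (example, com).
def email_to_name(email)
  user, domain = email.split('@', 2)
  OpenSSL::X509::Name.new([['CN', user]] + domain.split('.').map { |dc| ['DC', dc] })
end

# Self-signed X.509 certificate: issuer == subject, signed with its own key.
# gem cert --build writes the pair out as gem-private_key.pem / gem-public_cert.pem.
def build_self_signed_cert(email, key = OpenSSL::PKey::RSA.new(2048))
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2 # X.509v3, required for extensions
  cert.serial     = 1
  cert.subject    = email_to_name(email)
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after  = cert.not_before + ONE_YEAR
  ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:FALSE', true))
  cert.add_extension(ef.create_extension('keyUsage', 'digitalSignature', true))
  cert.add_extension(ef.create_extension('subjectKeyIdentifier', 'hash'))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [key, cert]
end

# What gem build does with s.signing_key: sign each archive member and ship the
# signatures (metadata.gz.sig, data.tar.gz.sig in a real .gem) plus s.cert_chain.
# Here the "gem" is a Hash; the cert chain is stored as PEM, as in the gem metadata.
def sign_gem(files, key, cert_chain)
  signatures = files.each_with_object({}) do |(name, data), sigs|
    sigs[name] = key.sign(OpenSSL::Digest.new('SHA256'), data)
  end
  { files: files, signatures: signatures, cert_chain: cert_chain.map(&:to_pem) }
end

# What gem install -P HighSecurity checks. trusted_pems stands in for the certs
# that gem cert --add stored under ~/.gem/trust. Raises RuntimeError on any failure.
def verify_gem!(gem, trusted_pems, now = Time.now)
  chain = gem[:cert_chain].map { |pem| OpenSSL::X509::Certificate.new(pem) }
  if gem[:signatures].empty? || chain.empty?
    raise 'unsigned gems are not allowed by the HighSecurity policy'
  end
  root, signer = chain.first, chain.last
  # root must be self-signed, every further link signed by its predecessor
  unless root.issuer == root.subject && root.verify(root.public_key)
    raise 'root certificate is not self-signed'
  end
  chain.each_cons(2) do |issuer, cert|
    unless cert.issuer == issuer.subject && cert.verify(issuer.public_key)
      raise "#{cert.subject} was not signed by #{issuer.subject}"
    end
  end
  # the signing cert must be inside its validity window
  unless now >= signer.not_before && now <= signer.not_after
    raise 'signing certificate expired or not yet valid'
  end
  # only_trusted: the root must be one the user explicitly added with gem cert --add
  trusted = trusted_pems.map { |pem| OpenSSL::X509::Certificate.new(pem).to_der }
  raise "#{root.subject} is not trusted; run gem cert --add" unless trusted.include?(root.to_der)
  # every member needs a valid signature from the signer's key
  gem[:files].each do |name, data|
    sig = gem[:signatures][name]
    raise "missing signature for #{name}" unless sig
    unless signer.public_key.verify(OpenSSL::Digest.new('SHA256'), sig, data)
      raise "invalid signature for #{name}"
    end
  end
  true
end

# Returns the rejection message, or nil if verification passed.
def rejection
  yield
  nil
rescue RuntimeError => e
  e.message
end

# Walk the whole flow, including the failure modes HighSecurity exists to catch.
# The file contents are constructed stand-ins, not a real .gem.
def demo
  key, cert = build_self_signed_cert('bf4@example.com')
  files = { 'metadata.gz' => "name: metric_fu\nversion: 4.5.1\n",
            'data.tar.gz' => 'constructed stand-in for the tarball bytes' }
  gem   = sign_gem(files, key, [cert])
  trust = [cert.to_pem] # state after: gem cert --add certs/bf4.pem

  # archive member modified after signing, signatures left untouched
  tampered = gem.merge(files: files.merge('data.tar.gz' => files['data.tar.gz'] + 'eval(...)'))
  _, someone_else = build_self_signed_cert('mallory@example.com')

  {
    valid:     verify_gem!(gem, trust),
    tampered:  rejection { verify_gem!(tampered, trust) },
    untrusted: rejection { verify_gem!(gem, [someone_else.to_pem]) },
    unsigned:  rejection { verify_gem!({ files: files, signatures: {}, cert_chain: [] }, trust) }
  }
end

p demo if $PROGRAM_NAME == __FILE__
```

The trust check compares the whole DER of the root against what was added, not just the subject, so a second self-signed cert with the same email does not pass; that is also why re-issuing your cert means every installer has to run gem cert --add again.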
References:
- Signing rubygems - Pasteable instructions
- Twitter gem gemspec
- Rubygems Trust Model, doc, publishing guide
- Let’s figure out a way to start signing RubyGems
- A Practical Guide to Using Signed Ruby Gems - Part 3: Signing your Own
- Alternative: Rubygems OpenPGP signing, gem
- Also: MetricFu release task that saves a checksum of the built gem, h/t Yorick Peterese
Updates:
- 2013-11-12 Included in RubyGems guides resources page (PR)