As someone who’s responsible for a number of Ruby projects, both open-source and commercially developed, I’m always on the lookout for new ways to improve how they are secured and delivered to end-users.
The most common method for delivering Ruby code to end-users is in the form of a Ruby gem. A gem is a simple container for code and other relevant bits that end-users can install with a single command.
For example, if a user wants to install c7decrypt (a tool for decrypting Cisco passwords), they would install the gem like so:
$ gem install c7decrypt
It has been my experience in working with security-focused Ruby developers that the topic of “signed gems” comes up every now and again, but I always fail to make time to check it out. A developer would want to publish signed gems because a signature lets users verify that the gem was not tampered with after the author built it.
In this post, I'll explain how I cryptographically signed the Ruby gems that are now produced by the c7decrypt project as of version 0.3.2.
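To make concrete what “not tampered with” means, here is an added example (not code from the c7decrypt project) that models the check gem signing provides: an RSA key with a self-signed X.509 certificate signs the package bytes, and verification fails if a single byte changes afterwards. The author e-mail and package contents are constructed placeholders.

```ruby
# Added example: a minimal model of the tamper check behind signed gems.
# RubyGems pairs an RSA private key with an X.509 certificate; the key
# signs the packaged bytes and the certificate lets installers verify them.
require 'openssl'

# Build a self-signed certificate for a hypothetical gem author.
def build_self_signed_cert(key, email)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{email}")
  cert.issuer = cert.subject            # self-signed: issuer == subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + 365 * 24 * 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Sign the package bytes (stands in for the gem's data.tar.gz / metadata.gz).
def sign_package(key, package_bytes)
  key.sign(OpenSSL::Digest.new('SHA256'), package_bytes)
end

# Verify the signature with the certificate's public key.
# Returns true only when the bytes are exactly what the author signed.
def package_untampered?(cert, signature, package_bytes)
  cert.public_key.verify(OpenSSL::Digest.new('SHA256'), signature, package_bytes)
end

# Constructed sample data (not a real gem or key).
AUTHOR_KEY  = OpenSSL::PKey::RSA.new(2048)
AUTHOR_CERT = build_self_signed_cert(AUTHOR_KEY, 'author@example.com')
ORIGINAL    = 'c7decrypt-0.3.2 package bytes (constructed sample)'
SIGNATURE   = sign_package(AUTHOR_KEY, ORIGINAL)

# Run the check against the pristine bytes and against a modified copy.
def demo
  {
    cert_ok:  AUTHOR_CERT.verify(AUTHOR_CERT.public_key),
    original: package_untampered?(AUTHOR_CERT, SIGNATURE, ORIGINAL),
    tampered: package_untampered?(AUTHOR_CERT, SIGNATURE, ORIGINAL + ' (modified)')
  }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

The installer-side equivalent is what RubyGems performs when a trust policy is enabled; this block only shows why a modified package cannot pass that check without the author's private key.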