Adding Signing key path to gemspec #101
Conversation
VijayanB
added
the
Infrastructure
naveentatikonda
force-pushed
the
add_signing_key_path
branch
2 times, most recently
from
e9f6e60 to
46b5dcb
Compare
| @@ -18,7 +20,10 @@ Gem::Specification.new do |s| | |||
| # Tests | |||
| s.test_files = s.files.grep(%r{^(test|spec|features)/}) | |||
|
|
|||
| s.cert_chain = ['certs/opensearch-rubygems.pem'] | |||
| if $PROGRAM_NAME.end_with?("gem") && ARGV == ["build", __FILE__] && File.exist?(signing_key_path) | |||
There was a problem hiding this comment.
@naveentatikonda Could you explain what this is doing? Im not very familiar with gem signing.
There was a problem hiding this comment.
To avoid security issues while installing gems where if we install any malicious gem without knowing its credibility, the gem author can penetrate into that server. To avoid this, the RubyGems has an ability to sign the gems where the signing data is included as part of the gem. So that the end user can verify the signing key before installing the gem.
There was a problem hiding this comment.
I am still confused by this is going from being not conditional to conditional on who's calling.
There was a problem hiding this comment.
Certificate is useful only if we are signing the gems. Hence, we moved this attribute to be added only if signing key exists and is being called by gem build command.
|
@naveentatikonda can you rebase this change? Link checker should succeed. |
Signed-off-by: Naveen Tatikonda <navtat@amazon.com>
naveentatikonda
force-pushed
the
add_signing_key_path
branch
from
46b5dcb to
50d85b3
Compare
Signed-off-by: Naveen Tatikonda navtat@amazon.com
Description
Adding signing key path to gemspec
Issues Resolved
#100
Check List
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.