HN PSA : Check your ruby gem signatures

1 points by midas007 ↗ HN
First, props to shops that are deploying this correctly.

So I've downloaded several gems and noticed a pattern... appearance of signing without gems containing valid signatures.

A gem is basically just a tarball with no directory structure.

A signed gem looks like this:

    checksums.yaml.gz     data.tar.gz           metadata.gz
    checksums.yaml.gz.sig data.tar.gz.sig       metadata.gz.sig
An unsigned gem looks like this:

    checksums.yaml.gz     data.tar.gz           metadata.gz
Please check them before pushing to rubygems.

Thanks.

Postscriptum: Although it's not really a 0day, I've privately reported what I've found and gave ample opp'y to correct issues discovered.

0 comments

[ 3.1 ms ] story [ 12.1 ms ] thread

No comments yet.