HN PSA : Check your ruby gem signatures
First, props to shops that are deploying this correctly.
So I've downloaded several gems and noticed a pattern... appearance of signing without gems containing valid signatures.
A gem is basically just a tarball with no directory structure.
A signed gem looks like this:
checksums.yaml.gz data.tar.gz metadata.gz
checksums.yaml.gz.sig data.tar.gz.sig metadata.gz.sig
An unsigned gem looks like this: checksums.yaml.gz data.tar.gz metadata.gz
Please check them before pushing to rubygems.Thanks.
Postscriptum: Although it's not really a 0day, I've privately reported what I've found and gave ample opp'y to correct issues discovered.
0 comments
[ 3.1 ms ] story [ 12.1 ms ] threadNo comments yet.