Gem cryptographic signature status

Check gem cryptographic signatures.

There are way too many popular, unsigned gems out there. This is a security failure waiting to happen. Let's do something about it by raising visibility.

Anonymous shared this idea

2 comments

• Philippe Lafoucrière (CEO, Gemnasium), Admin, commented:

  Since there's no public repository to query and fetch developers' keys, it's pretty impossible to automate the rubygems signature check.
  We have tested https://github.com/bradleybuda/bundler_signature_check without success, since this would require maintaining a full list of keys, without the ability to update (add/revoke) them automatically.
  Without better support provided by rubygems, I don't think we can go further on this. Any idea or proposition is welcome of course; we might be wrong during our review.
  Thanks,
  Philippe
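
The trust-store problem the comment describes, shown as an added Ruby example that is not code from this thread, from Gemnasium, or from RubyGems itself: it models the RubyGems scheme (a self-signed developer certificate, signatures over the digests of metadata.gz and data.tar.gz, and a verifier that rejects any signer not in a local trust store) directly with OpenSSL. The e-mail address, key, file contents and function names are all constructed for the example.

```ruby
require 'openssl'

# Self-signed developer certificate, modelled on what `gem cert --build` creates.
# Subject is derived from the e-mail address, e.g. dev@example.org -> CN=dev/DC=example/DC=org.
def build_dev_cert(email, key)
  user, domain = email.split('@')
  subject = "/CN=#{user}" + domain.split('.').map { |d| "/DC=#{d}" }.join
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse(subject)
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 365 * 24 * 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

# A signed gem carries one signature per payload file (metadata.gz.sig, data.tar.gz.sig),
# each made over the SHA256 digest of that file with the developer's private key.
# `files` is a constructed stand-in for the two archive members: name => bytes.
def sign_gem_files(files, key)
  files.transform_values do |content|
    key.sign(OpenSSL::Digest.new('SHA256'), OpenSSL::Digest.digest('SHA256', content))
  end
end

# Verifier in the spirit of a high-security policy: the signing certificate must already
# be in the trust store, otherwise the signature proves nothing about who built the gem.
# Returns :verified, :untrusted_signer or :bad_signature.
def verify_gem(files, signatures, cert, trusted_certs)
  return :untrusted_signer unless trusted_certs.any? { |t| t.to_der == cert.to_der }

  all_good = files.all? do |name, content|
    signatures.key?(name) &&
      cert.public_key.verify(OpenSSL::Digest.new('SHA256'), signatures[name],
                             OpenSSL::Digest.digest('SHA256', content))
  end
  all_good ? :verified : :bad_signature
end
```

With an empty trust store every gem, signed or not, comes back :untrusted_signer, which is exactly why a checker needs a maintained list of developer certificates rather than the signature alone.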
