Gem cryptographic signature status
Check gem cryptographic signatures.
There are way too many popular, unsigned gems out there. This is a security failure waiting to happen. Let's do something about it by raising visibility.
Since there's no public repository to query and fetch developers' keys, it's pretty much impossible to automate the rubygems signature check.
We have tested https://github.com/bradleybuda/bundler_signature_check without success, since this would require maintaining a full list of keys, without the ability to update (add/revoke) them automatically.
Without better support provided by rubygems, I don't think we can go further on this. Any idea or proposition is welcome of course, we might be wrong in our review.
Could you explain a bit more what you have in mind?
Display an icon near the gem name to determine if the gem is signed?
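
As an added example (not code from this thread or from any project mentioned in it), the Ruby sketch below shows the part of a "signed or not" indicator that can be computed without any key list: a `.gem` file is a tar archive, and a signed one carries a `.sig` entry next to `metadata.gz`, `data.tar.gz` and `checksums.yaml.gz`. The helper names `signature_status` and `build_sample` and the in-memory sample archives are constructed for illustration. The check reports presence only; verifying a signature still needs the signer's certificate, which is the gap described in the reply above.

```ruby
require "rubygems/package"
require "stringio"

# Archive members that RubyGems signs; each gets a sibling "<name>.sig" entry.
SIGNED_MEMBERS = %w[metadata.gz data.tar.gz checksums.yaml.gz].freeze

# Classify a .gem archive (given as an IO) by which signature entries exist.
# Returns :signed, :partial or :unsigned. Presence only, no trust decision.
def signature_status(io)
  names = []
  Gem::Package::TarReader.new(io) do |tar|
    tar.each { |entry| names << entry.full_name }
  end
  covered = SIGNED_MEMBERS.select { |m| names.include?(m) }
  signed  = covered.select { |m| names.include?("#{m}.sig") }
  return :unsigned if signed.empty?
  signed.size == covered.size ? :signed : :partial
end

# Constructed sample input: an in-memory tar holding the given member names
# with dummy contents, standing in for a real .gem file.
def build_sample(names)
  io = StringIO.new("".b)
  Gem::Package::TarWriter.new(io) do |tar|
    names.each do |name|
      tar.add_file_simple(name, 0o644, 4) { |f| f.write("demo") }
    end
  end
  StringIO.new(io.string)
end

if __FILE__ == $PROGRAM_NAME
  plain  = %w[metadata.gz data.tar.gz checksums.yaml.gz]
  signed = plain.flat_map { |n| [n, "#{n}.sig"] }
  { "unsigned sample" => plain, "signed sample" => signed }.each do |label, names|
    puts "#{label}: #{signature_status(build_sample(names))}"
  end
end
```

For a gem on disk, pass `File.open(path, "rb")` to `signature_status`.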