Jeff Felchner edited this page Apr 24, 2016 · 4 revisions
First:
gem install ruby-progressbar
Then in your script:
require 'ruby-progressbar'
or in your Gemfile:
gem 'ruby-progressbar'
or from IRB:
irb -r'ruby-progressbar'
Gem Signing
Recently there was a vulnerability found in Rubygems which could have allowed
gems with dashes in their names (like this one) to be replaced on a server
without anyone knowing. Because ruby-progressbar is a very popular library,
I decided to take the time to make sure that, should my users choose, they would
never have to worry about that for my gems.
From 1.8.0 forward, I'll begin cryptographically signing each of my releases
with my private key. My public key will be available on the repo
for anyone to access at any time.
There are only two steps required for you to securely install this gem.
First, add my public certificate (available on the repo) to the certificates Rubygems trusts. The path below is a placeholder for wherever you saved the downloaded certificate:
gem cert --add /path/to/downloaded/public-cert.pem
You can confirm it was added with gem cert --list. Fetch the certificate over HTTPS directly from the repo; the signature check is only as trustworthy as the certificate you choose to trust.
Then install the gem by telling Rubygems to verify the signature:
gem install ruby-progressbar -P HighSecurity
The HighSecurity trust profile refuses to install any gem, or any of its dependencies, that is not signed by a certificate you have trusted. The MediumSecurity trust profile will verify signed gems, but allow the installation of unsigned dependencies. Because ruby-progressbar has no dependencies, you can install it with HighSecurity.
Checksums
In addition to signing each release, I'll commit the checksums for each release to the repo and
they too will be publicly available.
A simple curl command is all that's required to get the verifiable checksum for any release:
Simply replace the version number with the version you'd like to verify and the extension with the algorithm you'd like to verify against.
Available Algorithms
SHA512 - .sha512
SHA256 - .sha256
MD5 - .md5 (kept for compatibility only; MD5 collisions are practical, so verify against SHA512 or SHA256 where you can)
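The verification step the page leaves to the reader, as an added example that is not part of ruby-progressbar or its release tooling. It assumes you have already downloaded a release (for instance with gem fetch) and the matching checksum file from the repo, picks the digest from the checksum file's extension exactly as listed above, accepts either a bare hex digest or the coreutils "<hex>  <filename>" layout, and compares in constant time. The file names and the "hello" gem body in the demo are constructed placeholders, not a real release.

```ruby
# Added example (not ruby-progressbar's own code): verify a downloaded .gem
# file against a published checksum file chosen by its extension.
require 'digest'
require 'tmpdir'

# Checksum file extension (as listed on the page) -> Digest class.
ALGORITHMS = {
  '.sha512' => Digest::SHA512,
  '.sha256' => Digest::SHA256,
  '.md5'    => Digest::MD5, # legacy only: collisions are practical, prefer SHA-2
}.freeze

# Parse a checksum file. Accepts a bare hex digest or the coreutils layout
# "<hex>  <filename>" (a leading '*' marks binary mode). Returns [hex, name],
# with name nil when the file carries only the digest.
def parse_checksum(text)
  line = text.lines.map(&:strip).reject(&:empty?).first
  raise ArgumentError, 'checksum file is empty' if line.nil?
  hex, name = line.split(/\s+/, 2)
  raise ArgumentError, "not a hex digest: #{hex.inspect}" unless hex =~ /\A\h+\z/
  [hex.downcase, name&.sub(/\A\*/, '')]
end

# Constant-time comparison so a mismatch does not leak how many leading
# characters agreed. Lengths follow from the algorithm, so comparing them
# up front reveals nothing secret.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Verify gem_path against the digest in checksum_path. Returns a result hash
# instead of raising on mismatch, so the caller can log expected vs actual.
# :name_matches is false when the checksum file names a different file than
# the one you are about to install, which is worth treating as a failure.
def verify_gem_checksum(gem_path, checksum_path)
  ext = File.extname(checksum_path)
  digest_class = ALGORITHMS.fetch(ext) do
    raise ArgumentError, "unsupported checksum extension #{ext.inspect}"
  end
  expected, listed_name = parse_checksum(File.read(checksum_path))
  actual = digest_class.file(gem_path).hexdigest
  {
    algorithm: ext.delete('.'),
    expected: expected,
    actual: actual,
    name_matches: listed_name.nil? || listed_name == File.basename(gem_path),
    ok: secure_equal?(expected, actual),
  }
end

# Offline demo on constructed input: a fake gem whose body is "hello" and a
# .sha256 file holding the SHA-256 of that body in coreutils layout.
def demo
  Dir.mktmpdir do |dir|
    gem_path = File.join(dir, 'ruby-progressbar-1.8.0.gem') # placeholder name
    File.write(gem_path, 'hello')
    sum_path = "#{gem_path}.sha256"
    File.write(sum_path, "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824  ruby-progressbar-1.8.0.gem\n")
    verify_gem_checksum(gem_path, sum_path)
  end
end

if __FILE__ == $PROGRAM_NAME
  r = demo
  puts(r[:ok] && r[:name_matches] ? "OK (#{r[:algorithm]})" : "MISMATCH expected=#{r[:expected]} actual=#{r[:actual]}")
end
```

Against a real release, point verify_gem_checksum at the fetched .gem and the checksum file you pulled from the repo; treat a false :ok or a false :name_matches as a reason not to install.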
Commit Signing
Of course the checksums only work if it was actually I who added them to the repo, so if you want to be sure that the commit that added the checksums was done by me, all you have to do is look for the "Verified" tag next to the commit. I sign every one of my commits with my GPG key, including those that add checksums to the repo. The "Verified" badge tells you GitHub checked the signature against a key associated with the account; to check it yourself, import the public key into your GPG keyring and run git verify-commit (or git log --show-signature) on the commit that added the checksums.