signing a gem package


Mohammad Khan

Hello,

I would like to sign my gem package that I am going to distribute soon.
My question is, why will people trust my certificate?
How can I make my certificate trusty to people? Of course, without
spending any money !!


Thanks,
Mohammad
 

Paul Duncan


* Mohammad Khan ([email protected]) said:
> Hello,
>
> I would like to sign my gem package that I am going to distribute soon.
> My question is, why will people trust my certificate?
> How can I make my certificate trusty to people? Of course, without
> spending any money !!

I had hoped some sort of Rubygems public key infrastructure (PKI) would
materialize (I talk about that a little in the gem signing documentation,
and suggested a hypothetical geographic system).

Since this One True RubyGems PKI (tm) hasn't materialized, you could
include a PGP fingerprint (or public key) in the gem itself, sign the
root issuing certificate (if there's only one certificate involved,
then it's self-signed, and it is the root certificate) with the PGP key,
post the signature online, and distribute your PGP public key via PGP
keyservers.

Obviously that doesn't really mitigate the trust issue; a PGP-signed
signature of an X509 certificate really only verifies that the PGP
signer is vouching for the X509 certificate in question. It doesn't
provide any indication that the PGP signer or the certificate owner is
who they say they are, is who you think they are, or (most importantly)
whether you can trust either.

Unlike traditional X509-based PKI (the trust model used in Rubygems),
PGP has a distributed trust model (versus the hierarchical X509 model),
and an established decentralized key distribution infrastructure (versus
X509, which is almost always centralized).

The advantage to this method is that you're leveraging PGP's
distributed trust model for X509 certificate distribution, and the
RubyGems gem signing for simplicity (e.g., once users have the X509
certificate/X509 certificate chain loaded into rubygems, they don't
have to hand-verify each gem released by you any more).

Ultimately, trust is a client-side issue. Your certificate may be signed,
verified, validated, and trusted up the wazoo, and end users still might
not trust it, for whatever reason.

Hope that helps, and sorry about the long-winded response!
> Thanks,
> Mohammad

-- 
Paul Duncan <[email protected]> pabs in #ruby-lang (OPN IRC)
http://www.pablotron.org/ OpenPGP Key ID: 0x82C29562
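The mechanics behind Paul's suggestion, as an added Ruby example (not code from the thread or from RubyGems itself): a self-signed root certificate of the kind RubyGems gem signing uses, the certificate fingerprint you would publish and sign with your PGP key, a signature over a constructed gem payload, and the separate question of whether a client's trust store accepts the certificate at all. The subject name, the payload string and the helper names are assumptions made for the example; the point it shows is that a signature can verify correctly while the client still refuses to trust the signer, which is exactly the "trust is a client-side issue" remark above.

```ruby
require 'openssl'

# Build a self-signed X509 certificate (issuer == subject), i.e. the root
# certificate in the single-certificate case described in the reply.
# The subject name here is a constructed example value.
def build_self_signed_cert(local_part, domain_components)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X509 v3
  cert.serial  = 1
  name = OpenSSL::X509::Name.new([['CN', local_part]] +
                                 domain_components.map { |dc| ['DC', dc] })
  cert.subject    = name
  cert.issuer     = name            # self-signed: issuer is the subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = cert.not_before + 365 * 24 * 3600

  ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  cert.add_extension(ef.create_extension('keyUsage',
                                         'keyCertSign,digitalSignature', true))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [key, cert]
end

# SHA-256 fingerprint of the DER-encoded certificate. This is the value you
# would post online and sign with your PGP key so others can check that the
# certificate they fetched is the one you vouch for.
def cert_fingerprint(cert)
  OpenSSL::Digest.new('SHA256').hexdigest(cert.to_der).scan(/../).join(':')
end

# Sign the bytes of a gem payload with the certificate's private key.
def sign_payload(key, payload)
  key.sign(OpenSSL::Digest.new('SHA256'), payload)
end

# Cryptographic check only: was this payload signed by the key in the cert?
def signature_valid?(cert, payload, sig)
  cert.public_key.verify(OpenSSL::Digest.new('SHA256'), sig, payload)
end

# Trust check: does this client's store accept the certificate? An empty
# store rejects a self-signed cert; it is accepted only after the user
# decides to add it, which is the client-side trust decision.
def trusted_by?(store, cert)
  store.verify(cert)
end

if __FILE__ == $PROGRAM_NAME
  key, cert = build_self_signed_cert('mohammad', %w[example com])
  payload = 'constructed gem payload: name=mygem version=1.0.0' # constructed
  sig = sign_payload(key, payload)

  puts "fingerprint (publish and PGP-sign this): #{cert_fingerprint(cert)}"
  puts "signature verifies:         #{signature_valid?(cert, payload, sig)}"
  puts "trusted by empty store:     #{trusted_by?(OpenSSL::X509::Store.new, cert)}"
  store = OpenSSL::X509::Store.new
  store.add_cert(cert) # the end user's explicit decision to trust this cert
  puts "trusted after adding cert:  #{trusted_by?(store, cert)}"
end
```

The `signature_valid?` and `trusted_by?` results are independent: a valid signature only proves the payload came from whoever holds the key, while the store decides whether that key holder is someone the client chooses to believe.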
