feat: sign gems

[fauno]

adds gem signing to gem-compiler

https://guides.rubygems.org/security/

[luislavena]

Hello @fauno, thank you for your PR. I have some comments on it that could possibly require changes.

As I'm not familiar with recent RubyGems developments around signing, it will be great if you can provide a bit more verbose context/background on the feature and the expected behavior.

Thank you.

[luislavena]

From what I understand of this, if you provide --sign via the CLI, it then will take whatever is the value of @options[:sign_cert_file] as part of the chain, but that option is not validated.

Is OK for the gemspec to have a cert_chain with [nil] in it?

If not, then --cert must be required once --sign is used and thus, require validation.

[fauno]

Yeah, currently you would have an exception thrown because the cert isn't valid. I'll provide an error message!

[fauno]

Done!

[fauno]

As I'm not familiar with recent RubyGems developments around signing, it will be great if you can provide a bit more verbose context/background on the feature and the expected behavior.

With gem cert you can manage self-signed certs for your email and use it to sign gems. To actually verify the gems you need to add the cert to your cert store and use -P HighSecurity so it fails when it can verify signatures.

This PR allows gem compile to sign gems, not many gems are actually signed (I remember reading someone's trying to solve this). In our case it allows to verify gems from our repository.