Skip to content

feat: sign gems #68

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
fauno wants to merge 4 commits into
base: master
Choose a base branch
from
Open

feat: sign gems #68

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
55383ac
feat: sign gems
fauno Jan 7, 2025
5b838f4
fix: raise errors correctly
fauno Jan 9, 2025
e0ea7c4
fix: files must exist
fauno Jan 9, 2025
dd68bfa
fix: both signing options need to be provided
fauno Jan 9, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
28 changes: 26 additions & 2 deletions lib/rubygems/commands/compile_command.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -36,7 +36,7 @@ def initialize
mode = ABIs[value]
unless mode
valid = ABIs.keys.sort
raise OptionParser::InvalidArgument, "#{value} (#{valid.join ', '} are valid)"
raise Gem::OptionParser::InvalidArgument, "#{value} (#{valid.join ', '} are valid)"
end

options[:abi_lock] = mode
Expand All @@ -54,13 +54,29 @@ def initialize
end
end

add_option "-s", "--sign [PRIVATE_KEY]", "Sign gems" do |private_key_file, options|
options[:sign_private_key_file] = File.expand_path(private_key_file).tap do |f|
next if File.exist? f

raise Gem::OptionParser::InvalidArgument, "#{private_key_file} must exist"
end
end

add_option "-c", "--cert [CERT]", "Certificate" do |cert_file, options|
options[:sign_cert_file] = File.expand_path(cert_file).tap do |f|
next if File.exist? f

raise Gem::OptionParser::InvalidArgument, "#{cert_file} must exist"
end
end

add_option "--build-number NUMBER",
"Append build number to compiled Gem version" do |value, options|

begin
options[:build_number] = Integer(value).abs
rescue ArgumentError
raise OptionParser::InvalidArgument, "must be a number"
raise Gem::OptionParser::InvalidArgument, "must be a number"
end
end
end
Expand All @@ -87,4 +103,12 @@ def execute
compiler = Gem::Compiler.new(gemfile, options)
compiler.compile
end

def handle_options(args)
super.tap do |f|
next if options.key?(:sign_cert_file) && options.key?(:sign_private_key_file)

raise Gem::OptionParser::MissingArgument, "Both --cert and --sign options need to be provided"
end
end
end
5 changes: 5 additions & 0 deletions lib/rubygems/compiler.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -68,6 +68,11 @@ def adjust_gemspec_files(gemspec, artifacts)
gemspec.files.reject! { |f| !File.exist?("#{target_dir}/#{f}") }
end

if @options[:sign_private_key_file]
gemspec.cert_chain = [@options[:sign_cert_file]]
gemspec.signing_key = @options[:sign_private_key_file]
end
Comment on lines +71 to +74
Copy link
Owner

@luislavena luislavena Jan 8, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

From what I understand of this, if you provide --sign via the CLI, it then will take whatever is the value of @options[:sign_cert_file] as part of the chain, but that option is not validated.

Is OK for the gemspec to have a cert_chain with [nil] in it?

If not, then --cert must be required once --sign is used and thus, require validation.

Copy link
Author

@fauno fauno Jan 9, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah, currently you would have an exception thrown because the cert isn't valid. I'll provide an error message!

Copy link
Author

@fauno fauno Jan 9, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done!


# add discovered artifacts
artifacts.each do |path|
# path needs to be relative to target_dir
Expand Down