-
SSH is such a different use case that the analogies break down. With respect, thinking about this for a few minutes should convince you that while TOFU works fine for immutable artifact signatures, it is unworkable for a system where you ever upgrade packages.
Consider that most nontrivial projects on rubygems have multiple maintainers that can publish a version. Normal collaboration models would imply that they each have a personal signing key; sharing a single signing key per project isn’t realistic (as you mentioned, rotation is another reason for this). And TOFU doesn’t work when there are multiple possible keys, such a system requires an external trust chain.
Assume for the sake of argument the above is solved. What exactly do you do when tooling alerts you that an upgraded dependency has changed keys since the last publish? Either you blindly accept the new key or you investigate. If the latter hopefully you have a way to directly contact the author to verify that the rotation was legitimate. Since you probably don’t you should just compare the diff of the published artifacts. But you should have been doing this anyway, so what has the signature bought you here except false security?
I’m all for pragmatic solutions that measurably improve security. I just think changes like https://github.com/rubygems/rubygems.org/pull/2499 and https://github.com/rubygems/rubygems.org/pull/2242 qualify to a much greater extent than thinking of crypto as magic dust that can be sprinkled on a system to increase its security.
-
Judoscale
Save 47% on cloud hosting with autoscaling that just works. Judoscale integrates with Rails, Sidekiq, Solid Queue, and more to make autoscaling easy and reliable. Save big, and say goodbye to request timeouts and backed-up job queues.
-
Point 2 (Rubygems does not support package signing) is not true.
Rubygems has supported package signing (`gem help cert`) since very early on, and it has an install flag `--trust-policy` which can be used to verify various things, including certs (https://github.com/rubygems/rubygems/blob/96e5cff3df491c4d94...).
The experience in using it, however, sucks on every level. No one can really use the `High Security` policy level, because most gems aren’t signed. Most gems aren’t signed because there’s no clear benefit and it’s non-trivial to have shared certificates that can be used by multiple people authorized to release a particular gem. Most gems aren’t signed because there’s nowhere that public gem certs are published (there used to be with rubyforge), and you have to track down each cert you want to verify and download it separately.
I used to sign my gems, but then stopped.
Shopify has proposed a new RFC for signing gems based on sigstore. This RFC has many of the same points that I have already made as a reason for changing mechanisms. https://github.com/Shopify/rfcs/blob/new-signing-mechanism/t...
I’ve just discovered this, so I haven’t really evaluated it, but I would prefer to sign the gems I publish.
-
Point 2 (Rubygems does not support package signing) is not true.
Rubygems has supported package signing (`gem help cert`) since very early on, and it has an install flag `--trust-policy` which can be used to verify various things, including certs (https://github.com/rubygems/rubygems/blob/96e5cff3df491c4d94...).
The experience in using it, however, sucks on every level. No one can really use the `High Security` policy level, because most gems aren’t signed. Most gems aren’t signed because there’s no clear benefit and it’s non-trivial to have shared certificates that can be used by multiple people authorized to release a particular gem. Most gems aren’t signed because there’s nowhere that public gem certs are published (there used to be with rubyforge), and you have to track down each cert you want to verify and download it separately.
I used to sign my gems, but then stopped.
Shopify has proposed a new RFC for signing gems based on sigstore. This RFC has many of the same points that I have already made as a reason for changing mechanisms. https://github.com/Shopify/rfcs/blob/new-signing-mechanism/t...
I’ve just discovered this, so I haven’t really evaluated it, but I would prefer to sign the gems I publish.
-
In particular, check out the Securing Software Repos WG: https://github.com/ossf/wg-securing-software-repos
So far folks have turned up from RubyGems, PyPI, NPM, Maven Central, Drupal and I'm probably forgotten someone.
-
I built a RubyGems plugin that can help you vet gem version changes. Not that it would save you from this CVE, but though others might appreciate it to have in their toolbox.
[0] https://github.com/fedora-ruby/gem-compare
-
InfluxDB
InfluxDB high-performance time series database. Collect, organize, and act on massive volumes of high-resolution data to power real-time intelligent systems.
