RubyGems signatures / Bundler lock
Definition
RubyGems signatures and Bundler lock files address two different supply-chain risks for Ruby packages. A gem signature ties a gem to its author: the author signs the gem's metadata.gz and data.tar.gz with a private key, and the matching X.509 certificate chain is shipped inside the .gem file. An installer that has added the author's certificate to its local trust list (gem cert --add) and installs with a trust policy (--trust-policy MediumSecurity or HighSecurity) rejects a gem whose contents no longer match the signature or whose signer is not trusted. Two caveats matter in practice: a plain gem install checks no signatures at all unless a trust policy is given, and many gems on rubygems.org are unsigned, so HighSecurity, which refuses every unsigned gem including transitive dependencies, often cannot complete an install; MediumSecurity verifies the gems that are signed and still allows unsigned ones.
The Bundler lock file (Gemfile.lock) provides reproducibility: it records the exact version and source of every gem in the resolved dependency tree, including transitive dependencies, so every bundle install against the same lock yields the same set of gems. It only delivers that guarantee when it is committed to version control and installs run in frozen (deployment) mode, which fails instead of silently rewriting the lock when the Gemfile and the lock disagree. A version pin is not a content check: on its own it does not detect a gem whose contents were replaced under the same version number on a mirror or private source.
Secure Settings Example
# Gemfile: pin exact versions so an unreviewed upgrade cannot enter through a rebuild
source 'https://rubygems.org' do
  gem 'rails', '6.1.4'
  gem 'puma', '5.3.2'
end
# Gemfile.lock
# Commit this file; it records the exact resolved version of every gem, including transitive dependencies
# Make bundle install fail, rather than rewrite the lock, when Gemfile and Gemfile.lock disagree
bundle config set --local frozen true
# Trust the author's certificate once (the public .pem distributed by the gem's maintainers)
gem cert --add <path_to_public_cert>
# Install only gems signed by a trusted certificate. HighSecurity refuses any unsigned gem,
# including dependencies; use MediumSecurity when part of the tree is unsigned
gem install <gem_name> --trust-policy HighSecurity
bundle install --trust-policy HighSecurity
# Check whether a gem is signed at all before relying on HighSecurity (empty output means unsigned)
gem spec <gem_name> cert_chain
Insecure Settings Example
# Gemfile: floating versions, so each fresh resolution may pull a different release
source 'https://rubygems.org' do
  gem 'rails'
  gem 'puma'
end
# Gemfile.lock
# Not committed (or listed in .gitignore): every machine resolves its own tree, and a newly
# published release, including a malicious one, is picked up on the next install with no review
# Installing with no trust policy: the default is NoSecurity, so signatures are never checked and
# a gem whose contents were altered, or one signed by anyone at all, installs without complaint
gem install <gem_name>
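The following script is an added example, not code from this page or from RubyGems itself. It models in plain OpenSSL what the secure and insecure install paths above do: an author key and self-signed certificate (what gem cert --build produces), an RSA/SHA-256 signature over a gem member (what ends up in data.tar.gz.sig), a trust list of added certificates (the role of gem cert --add), and a check that behaves like the LowSecurity, MediumSecurity and HighSecurity trust policies. The e-mail addresses, the gem contents and the policy symbols are constructed for the demonstration; the real installer reads the certificate chain out of the .gem and the trust list from the user's gem directory.

```ruby
require "openssl"

# Added example (not RubyGems code): a toy model of how gem signing and the
# --trust-policy levels behave. A real .gem carries metadata.gz and data.tar.gz,
# each with an RSA/SHA-256 signature (metadata.gz.sig, data.tar.gz.sig) and the
# signer's X.509 certificate chain; `gem cert --add` copies a certificate into
# the local trust list. Everything below is constructed in memory.

ONE_YEAR = 365 * 24 * 60 * 60

# A signer as `gem cert --build` would produce: RSA key plus self-signed certificate.
def create_signer(email)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.new([["CN", email]])
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = cert.not_before + ONE_YEAR
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  [key, cert]
end

# RubyGems signs each archive member with the author's RSA key over SHA-256.
def sign_file(key, contents)
  key.sign(OpenSSL::Digest.new("SHA256"), contents)
end

# The local trust list modelled as an X.509 store; every certificate passed in
# plays the role of one `gem cert --add` invocation.
def trust_store(*certs)
  store = OpenSSL::X509::Store.new
  certs.each { |c| store.add_cert(c) }
  store
end

# Decide whether one signed (or unsigned) gem member may be installed under a
# trust policy. Returns [ok, reason].
#   :low    LowSecurity    signature must verify against the cert shipped in the gem; the cert is not checked
#   :medium MediumSecurity signature must verify and the cert must chain to the trust store; unsigned gems pass
#   :high   HighSecurity   as :medium, and an unsigned gem is refused
def verify_file(policy, store, cert, contents, signature)
  if signature.nil?
    return [false, "unsigned gem refused"] if policy == :high
    return [true, "unsigned gem allowed (no verification performed)"]
  end
  digest = OpenSSL::Digest.new("SHA256")
  return [false, "bad signature"] unless cert.public_key.verify(digest, signature, contents)
  return [true, "signature valid, signer not checked"] if policy == :low
  return [false, "signer not in trust store"] unless store.verify(cert)
  [true, "signature valid, signer trusted"]
end

# The scenarios a reviewer cares about: a trusted signer, tampered contents,
# an unknown signer under LowSecurity and HighSecurity, and an unsigned gem.
def demo
  maintainer_key, maintainer_cert = create_signer("maintainer@example.com") # trusted via gem cert --add
  stranger_key,   stranger_cert   = create_signer("stranger@example.net")   # never added to the trust list
  store = trust_store(maintainer_cert)

  data = "constructed stand-in for data.tar.gz of example-1.0.0.gem"
  maintainer_sig = sign_file(maintainer_key, data)
  stranger_sig   = sign_file(stranger_key, data)

  {
    trusted_signer:    verify_file(:high, store, maintainer_cert, data, maintainer_sig),
    tampered_contents: verify_file(:high, store, maintainer_cert, data + "\x00", maintainer_sig),
    stranger_low:      verify_file(:low, store, stranger_cert, data, stranger_sig),
    stranger_high:     verify_file(:high, store, stranger_cert, data, stranger_sig),
    unsigned_medium:   verify_file(:medium, store, nil, data, nil),
    unsigned_high:     verify_file(:high, store, nil, data, nil),
  }
end

if $PROGRAM_NAME == __FILE__
  demo.each { |name, (ok, why)| puts format("%-18s %s  %s", name, ok ? "OK  " : "FAIL", why) }
end
```

Run it with ruby and read the six lines: only the trusted signer passes HighSecurity; altered contents fail on the signature itself; the stranger's gem is accepted by LowSecurity because that policy never consults the trust list, and rejected by HighSecurity; an unsigned gem is the one case where MediumSecurity and HighSecurity differ, which is why HighSecurity fails outright on a dependency tree that contains any unsigned gem.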