by u801e 2493 days ago
Does ruby gems allow for signing releases? For example, the maintainer could upload their public key and use their private key to sign a package release. Then the consumer could verify the signature via the public key. If the public key changes, then the consumer could be alerted to that fact.
2 comments

Yes it does, and I do this with my gems, but it's not widely used and I'm sure virtually none of the users of the gems I author probably take advantage of it.

https://guides.rubygems.org/security/

> However, this method of securing gems is not widely used. It requires a number of manual steps on the part of the developer, and there is no well-established chain of trust for gem signing keys. Discussion of new signing models such as X509 and OpenPGP is going on in the rubygems-trust wiki, the RubyGems-Developers list and in IRC. The goal is to improve (or replace) the signing system so that it is easy for authors and transparent for users.

That's not really any better than 2FA against this specific threat.

But to answer your question, yes there is a system for signing gems, though it's not widely used: https://guides.rubygems.org/security/
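The signing model the question describes, written out as an added example in Ruby (this is not code from the thread or from RubyGems itself): the maintainer signs the SHA-256 digest of the release with an RSA private key, the consumer verifies it with the maintainer's public key, and a small trust store pins the key's fingerprint so a changed key is reported rather than silently accepted. RubyGems' actual mechanism uses X.509 certificates managed with `gem cert` and enforced with `--trust-policy`, as the linked security guide describes; the function names here (`sign_release`, `verify_release`, `check_pinned_key`) and the release bytes are constructed for the example.

```ruby
require 'openssl'
require 'digest'

# Simplified model of per-release signing with a pinned maintainer key.
# Added illustration only; RubyGems uses X.509 certificate chains instead.

# Maintainer side: detached RSA signature over the SHA-256 digest of the
# release bytes (the .gem file contents in the real system).
def sign_release(private_key, release_bytes)
  private_key.sign(OpenSSL::Digest.new('SHA256'), release_bytes)
end

# Consumer side: check the signature against the maintainer's public key.
# Returns false for a tampered release or a signature from a different key.
def verify_release(public_key, release_bytes, signature)
  public_key.verify(OpenSSL::Digest.new('SHA256'), signature, release_bytes)
rescue OpenSSL::PKey::PKeyError
  false
end

# Fingerprint used to pin a maintainer's key on first use.
def key_fingerprint(public_key)
  Digest::SHA256.hexdigest(public_key.to_der)
end

# Trust store: gem name -> fingerprint of the key seen on first install.
# Returns :first_use, :ok, or :key_changed so the consumer can be alerted
# when the key behind a gem changes between releases.
def check_pinned_key(store, gem_name, public_key)
  fp = key_fingerprint(public_key)
  if store.key?(gem_name)
    store[gem_name] == fp ? :ok : :key_changed
  else
    store[gem_name] = fp
    :first_use
  end
end

if __FILE__ == $PROGRAM_NAME
  maintainer_key = OpenSSL::PKey::RSA.new(2048)         # constructed key
  release = "constructed gem contents, version 1.0.0"    # constructed payload
  sig = sign_release(maintainer_key, release)

  store = {}
  puts check_pinned_key(store, 'example-gem', maintainer_key.public_key)
  puts verify_release(maintainer_key.public_key, release, sig)
  puts verify_release(maintainer_key.public_key, release + "tampered", sig)

  # A release signed by some other key trips the pin check.
  other_key = OpenSSL::PKey::RSA.new(2048)
  puts check_pinned_key(store, 'example-gem', other_key.public_key)
end
```

The pin check is what gives the "alert if the public key changes" behaviour the question asks for; on its own a valid signature only proves the release came from whoever holds the corresponding private key, which is why the guide's remark about the missing chain of trust matters.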