-
Notifications
You must be signed in to change notification settings - Fork 14
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[WIP] Add verify command and enable use with CI/CD #34
Draft
doodzik
wants to merge
82
commits into
sigstore:main
Choose a base branch
from
Shopify:main
base: main
Could not load branches
Branch not found: {{ refName }}
Could not load tags
Nothing to show
Are you sure you want to change the base?
Some commits from the old base branch may be removed from the timeline,
and old review comments may become outdated.
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
doodzik
changed the title
[WIP] This PR tracks the work on the plugin done at Shopify
[WIP] Add verify command
Oct 29, 2021
Use rubygems style guide
Co-authored-by: Frederik Dudzik <5946811+doodzik@users.noreply.github.com>
Sign gem
super terrible `gem verify` implementation
Some refactors
Print all unique emails from valid signature entries
Clean up some of the printed messages
doodzik
changed the title
[WIP] Add verify command
[WIP] Add verify command and enable use with CI/CD
Nov 18, 2021
Will do 👍 |
add decision log
Fix NoMethodError for `gem verify` on an unsigned gem
Add a `gem signatures` command
add siging_policy
make verify command work in bundler
Delete the `gem sign` and `gem verify` commands
…gnatures Rename `install` command's --verify option to --verify-signatures
Rename install command's --verify option to --verify-signatures
Update the README
Co-authored-by: Jacques Chester <jacques.chester@shopify.com>
When these pre-install hooks are called, Rubygems has already validated that the given package is a valid gem, both locally and remotely. If the file does not exist or is not a valid gemfile, no package exists on the installer at line 32. Plus, Rubygems raises an error. Co-authored-by: Jacques Chester <jacques.chester@shopify.com>
Ruby 3.1 adds net/smtp to default standard library gems. Since we don't have a mailer in this project we need to explicitly not include it. Ref: https://stackoverflow.com/questions/70500220/rails-7-ruby-3-1-loaderror-cannot-load-such-file-net-smtp
If numbers are not quoted, the YAML parser will treat 3.0 as '3' and so the latest version minor version of 3, 3.1 will run instead of sticking with the 3.0.x patch version. Also adds quotes around the other ruby versions for consistency
Validate file is a gem on signature command
…responses Check responses from Fulcio/Rekor POSTs, raise unless expected
Store gem signatures in a hashedrekord
I guess this is dead now, any more interest in the work @doodzik ? |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
No description provided.