Stateless Code | Create a RubyGem 98: Replace the Expired Gem Certificate @StatelessCode | Uploaded March 2023 | Updated October 2024, 3 hours ago.
Okay I messed up, big time. The signing certificate for our gem expired over a year ago. When you add a cert to your gem, you're making a contract with your consumers that you will have a current signed version of your gem available at all times.

With an expired cert, a HighSecurity or even MediumSecurity install will fail. We need to rectify this. The process we use to update the gem certificate:

* Move the old cert to an archive directory
* Un-trust the old cert with `gem cert --remove [path_to_cert]`
* Generate the new cert from the ~/.ssh directory of the local machine using the command:
`gem cert --build [email in gemspec]`
* Change permission for the private key to 0600
* Copy the PUBLIC certificate to the new directory with the command
`cp ~/.ssh/gem-public_cert.pem certs/[RubyGems user name].pem` from the gem's root directory
* Trust the new cert with `gem cert --add certs/[RubyGems user name].pem` from the root directory of the gem
* Test a build version of the gem with `gem build nerd_dice.gemspec`
* Install the built version of the gem with the command
`gem install ./nerd_dice-0.5.0.gem -P HighSecurity` (replace with built version in the future)
* Uninstall the test version of the gem with the command
`gem uninstall nerd_dice -v 0.5.0` (replace as appropriate)
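
A check that catches the expiry before consumers do, as an added example (not code from the video or the nerd_dice project): it reads a gem signing certificate and reports whether it is expired, not yet valid, or close to expiry. The 30-day warning threshold and the self-signed sample certificate are assumptions constructed for illustration.

```ruby
require "openssl"

# Classify a PEM-encoded gem signing certificate by its validity window.
# warn_days is an assumed threshold, not a value from the video.
def cert_status(pem, now: Time.now, warn_days: 30)
  cert = OpenSSL::X509::Certificate.new(pem)
  days_left = ((cert.not_after - now) / 86_400).floor
  state =
    if now < cert.not_before then :not_yet_valid
    elsif days_left.negative? then :expired
    elsif days_left <= warn_days then :expiring_soon
    else :ok
    end
  { subject: cert.subject.to_s, not_after: cert.not_after,
    days_left: days_left, state: state }
end

# Constructed sample input: a throwaway self-signed certificate, so the
# example runs offline without touching ~/.ssh or a real gem cert.
def sample_cert(not_before:, not_after:)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer =
    OpenSSL::X509::Name.parse("/CN=maintainer/DC=example/DC=com")
  cert.public_key = key.public_key
  cert.not_before = not_before
  cert.not_after = not_after
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  cert.to_pem
end

if __FILE__ == $PROGRAM_NAME
  # With a path argument, check that certificate and fail the job unless it
  # is comfortably valid; without one, show the result for the sample.
  now = Time.now
  pem = if ARGV[0] then File.read(ARGV[0])
        else sample_cert(not_before: now - 800 * 86_400, not_after: now - 400 * 86_400)
        end
  status = cert_status(pem, now: now)
  puts format("%<subject>s: %<state>s (%<days_left>d days left, not_after %<not_after>s)", status)
  exit(1) if ARGV[0] && status[:state] != :ok
end
```

Pass the path of the public certificate in the gem's `certs` directory as the first argument; a non-zero exit status means the certificate needs replacing before the next release.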

In this video, the need to explicitly remove the expired cert before adding the new one gives us some trouble, but we figure it out and now our users will be able to install with high security again once we release.

This video covers:
00:00:12 Introduction
00:01:14 Demonstrate the problem
00:03:08 Archive the expired certificate and key
00:04:48 Generate the new cert and private key
00:06:41 Copy the new cert to the certs directory of the gem
00:08:38 Build the gem and test that it can be installed with HighSecurity, fails
00:10:49 Troubleshoot install failure. Solution is to remove the old cert before adding the new one
00:15:06 Test install with high security successful; uninstall test version
00:15:49 Commit the new certificate
00:16:34 Update the SECURITY.md file with new end-of-life date for other versions and amend commit to include change
00:18:54 Push to the remote, open pull request, ensure process for updating the certificate is noted in a comment in the issue
00:21:01 Merge pull request and update backlog

#ruby #rubygems #codecast #screencast #NerdDice #DnD #roleplaying #softwaredevelopment #github #opensource #dice #tlm #certificatemanagement #expiredcert

See other related StatelessCode videos:
- Create a RubyGem 06: Release the Gem! youtu.be/4ihGTcy9jtI

Resources that we relied upon for this solution:
- Publishing your gem RubyGems.org guides.rubygems.org/publishing
- Security guide RubyGems.org guides.rubygems.org/security

This video is CC0 - No rights reserved. (YouTube doesn't allow this option when publishing.) All code is released under the UNLICENSE. Stateless Code denies the concept of "intellectual property". Copying is not stealing.