diff --git a/.travis.yml b/.travis.yml
index d312b2b..f8b6eac 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -3,5 +3,4 @@ rvm:
   - 2.1.0
   - 2.2.4
   - 2.3.1
-  - jruby-9.0.5.0
 before_install: gem install bundler -v 1.12.1
diff --git a/README.md b/README.md
index 7372b34..33c55a0 100644
--- a/README.md
+++ b/README.md
@@ -28,6 +28,90 @@ Unlike other common challenge-response authentication protocols, such as Kerberos and SSL, SiRP does not rely on an external infrastructure of trusted key servers or complex certificate management.
+## Documentation
+
+There is pretty extensive inline documentation. You can view the latest
+auto-generated docs at [http://www.rubydoc.info/gems/sirp](http://www.rubydoc.info/gems/sirp)
+
+You can check my documentation quality score at
+[http://inch-ci.org/github/grempe/sirp](http://inch-ci.org/github/grempe/sirp?branch=master)
+
+## Supported Platforms
+
+SiRP is continuously integration tested on the following Ruby VMs:
+
+* MRI 2.1, 2.2, 2.3
+
+It may work on others as well.
+
+## Installation
+
+Add this line to your application's `Gemfile`:
+
+```ruby
+gem 'sirp', '~> 2.0'
+```
+
+And then execute:
+```sh
+$ bundle
+```
+
+Or install it yourself as:
+
+```sh
+$ gem install sirp
+```
+
+### Installation Security : Signed Ruby Gem
+
+The SiRP gem is cryptographically signed. To be sure the gem you install hasn’t
+been tampered with you can install it using the following method:
+
+Add my public key (if you haven’t already) as a trusted certificate
+
+```
+# Caveat: Gem certificates are trusted globally, such that adding a
+# cert.pem for one gem automatically trusts all gems signed by that cert.
+gem cert --add <(curl -Ls https://raw.github.com/grempe/sirp/master/certs/gem-public_cert_grempe.pem)
+```
+
+To install, it is possible to specify either `HighSecurity` or `MediumSecurity`
+mode. Since the `sirp` gem depends on one or more gems that are not cryptographically
+signed you will likely need to use `MediumSecurity`. You should receive a warning
+if any signed gem does not match its signature.
+
+```
+# All dependent gems must be signed and verified.
+gem install sirp -P HighSecurity
+```
+
+```
+# All signed dependent gems must be verified.
+gem install sirp -P MediumSecurity
+```
+
+```
+# Same as above, except Bundler only recognizes
+# the long --trust-policy flag, not the short -P
+bundle --trust-policy MediumSecurity
+```
+
+You can [learn more about security and signed Ruby Gems](http://guides.rubygems.org/security/).
+
+### Installation Security : Signed Git Commits
+
+Most, if not all, of the commits and tags to the repository for this code are
+signed with my PGP/GPG code signing key. I have uploaded my code signing public
+keys to GitHub and you can now verify those signatures with the GitHub UI.
+See [this list of commits](https://github.com/grempe/sirp/commits/master)
+and look for the `Verified` tag next to each commit. You can click on that tag
+for additional information.
+
+You can also clone the repository and verify the signatures locally using your
+own GnuPG installation. You can find my certificates and read about how to conduct
+this verification at [https://www.rempe.us/keys/](https://www.rempe.us/keys/).
+
 ## Compatibility
 This implementation has been tested for compatibility with the following SRP-6a
@@ -115,3 +199,33 @@ run `bundle exec rake test` to run the tests. You can also run `bin/console` for interactive prompt that will allow you to experiment. To install this gem onto your local machine, run `bundle exec rake install`.
+
+### Contributing
+
+Bug reports and pull requests are welcome on GitHub
+at [https://github.com/grempe/sirp](https://github.com/grempe/sirp). This
+project is intended to be a safe, welcoming space for collaboration, and
+contributors are expected to adhere to the
+[Contributor Covenant](http://contributor-covenant.org) code of conduct.
+
+## Legal
+
+### Copyright
+
+(c) 2016 Glenn Rempe <[glenn@rempe.us](mailto:glenn@rempe.us)> ([https://www.rempe.us/](https://www.rempe.us/))
+
+(c) 2012 Mikael Lammentausta
+
+### License
+
+The gem is available as open source under the terms of
+the [BSD 3-clause "New" or "Revised" License](https://spdx.org/licenses/BSD-3-Clause.html).
+
+### Warranty
+
+Unless required by applicable law or agreed to in writing,
+software distributed under the License is distributed on an
+"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND,
+either express or implied. See the LICENSE.txt file for the
+specific language governing permissions and limitations under
+the License.
diff --git a/certs/gem-public_cert_grempe.pem b/certs/gem-public_cert_grempe.pem
new file mode 100644
index 0000000..0351d57
--- /dev/null
+++ b/certs/gem-public_cert_grempe.pem
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDYDCCAkigAwIBAgIBATANBgkqhkiG9w0BAQUFADA7MQ4wDAYDVQQDDAVnbGVu
+bjEVMBMGCgmSJomT8ixkARkWBXJlbXBlMRIwEAYKCZImiZPyLGQBGRYCdXMwHhcN
+MTYwNDExMDI0NTU0WhcNMTcwNDExMDI0NTU0WjA7MQ4wDAYDVQQDDAVnbGVubjEV
+MBMGCgmSJomT8ixkARkWBXJlbXBlMRIwEAYKCZImiZPyLGQBGRYCdXMwggEiMA0G
+CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDZqTH5Jf+D/W2B4BIiL49CpHa86rK/
+oT+v3xZwuEE92lJea+ygn3IAsidVTW47AKE6Lt3UqUkGQGKxsqH/Dhir08BqjLlD
+gBUozGZpM3B6uWZnD6QXLbOmZeGVDnwB/QDfzaawN1i3smlYxYT+KNLjl80aN3we
+/cHAWG7JG47AF/S91mYcg1WgZnDgZt9+RyVR1AsfYbM+SidOSoXEOHPCbuUxLKJb
+gj5ieCFhm5GNWEugvgiX/ruas+VHV0fF3fzjYlU2fZPTuQyB4UD5FWX4UqdsBf3w
+jB94TDBsJ3FVGPbggEhLGKd8pbQmBIOqXolGaqhs7dnuf5imu5mAXHC1AgMBAAGj
+bzBtMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgSwMB0GA1UdDgQWBBRfxEyosUbKjfFa
+j+gae2CcT3aFCTAZBgNVHREEEjAQgQ5nbGVubkByZW1wZS51czAZBgNVHRIEEjAQ
+gQ5nbGVubkByZW1wZS51czANBgkqhkiG9w0BAQUFAAOCAQEAzgK20+MNOknR9Kx6
+RisI3DsioCADjGldxY+INrwoTfPDVmNm4GdTYC+V+/BvxJw1RqHjEbuXSg0iibQC
+4vN+th0Km7dnas/td1i+EKfGencfyQyecIaG9l3kbCkCWnldRtZ+BS5EfP2ML2u8
+fyCtze/Piovu8IwXL1W5kGZMnvzLmWxdqI3VPUou40n8F+EiMMLgd53kpzjtNOau
+4W+mqVGOwlEGVSgI5+0SIsD8pvc62PlPWTv0kn1bcufKKCZmoVmpfbe3j4JpBInq
+zieXiXZSAojfFx9g91fKdIrlPbInHU/BaCxXSLBwvOM0drE+c2ue9X8gB55XAhzX
+37oBiw==
+-----END CERTIFICATE-----
diff --git a/lib/sirp/version.rb b/lib/sirp/version.rb
index 03f0b42..7fb5987 100644
--- a/lib/sirp/version.rb
+++ b/lib/sirp/version.rb
@@ -1,3 +1,3 @@
 module SIRP
-  VERSION = '2.0.0'.freeze
+  VERSION = '2.0.0.pre'.freeze
 end
diff --git a/sirp.gemspec b/sirp.gemspec
index bb708a9..e138d2d 100644
--- a/sirp.gemspec
+++ b/sirp.gemspec
@@ -11,6 +11,12 @@ Gem::Specification.new do |spec|
   spec.required_ruby_version = '>= 2.1.0'
+  cert = File.expand_path('~/.gem-certs/gem-private_key_grempe.pem')
+  if cert && File.exist?(cert)
+    spec.signing_key = cert
+    spec.cert_chain = ['certs/gem-public_cert_grempe.pem']
+  end
+
   spec.summary = 'Secure (interoperable) Remote Password Auth (SRP-6a)'
   spec.description = <<-EOF
   A Ruby implementation of the Secure Remote Password protocol (SRP-6a).