-
Notifications
You must be signed in to change notification settings - Fork 4
/
CHANGELOG
95 lines (59 loc) · 2.64 KB
/
CHANGELOG
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
* Add deprecation warning for --key option. Users should use
--gpg-local-user instead. --key will be removed in 1.0.
* Allow forwarding of select gpg options with commands like
--gpg-homedir. run `gem verify --help` to see a list of all options.
* Fail gracefully when rubygems.org doesn't return owner list, for
example when a gem has never been published to rubygems.org.
0.6.0 - 2013-03-18
==================
* --trust now automatically implies --verify. #29
* Look up a gem's owner at rubygems.org if possible, and verify that
this matches a trusted UID on the signing key, if possible.
* Provide installer links if we can't find gpg.
* Allow `gem verify foo-0.0.0.gem --trust`
* Show 8 digit short id, not 9 digits.
0.5.1 - 2013-03-10
==================
* Read/write files in binary mode so Windows doesn't mess with newlines.
0.5.0 - 2013-03-10
==================
* Signing/Verifying silently skips existing signature files, and
warns if we see an unexpected non-gz file type.
* Moved run_gpg to gpg_status_parser gem and updated required version.
* Show "Verifying GEM..." before verifying. Otherwise it's confusing
when multiple signed dependencies are downloaded.
* Added ssh-style continuity checking. The first time you get a gem,
its fingerprint is stored in ~/.rubygems-openpgp/known_gems. If the
fingerprint changes, you get an error.
0.4.0 - 2013-02-23
==================
* Added --trust and --no-trust options which enforce gnupg trust so we
don't install valid but untrusted gems.
* We now use gpg_status_parser instead of just dealing with gpg
stdout, etc.
* --no-verify to explicitly override --verify. Useful if you specify
--verify in ~/.gemrc
0.3.0 - 2013-02-10
==================
* `gem build --sign [--key 0xDEADBEEF]` will now sign gems on build.
* 'gem install --verify' will now verify gems or abort install.
* Escape potentially unsafe user input. (Patch via postmodern)
0.2.1 - 2011-05-30
==================
* Binary release at rubygems wasn't signed.
0.2.0 - 2011-05-30
==================
* Basic smoke test.
* Moved a bunch of code and refactored to make testing easier.
* Provide a friendly error if gem isn't found when signing.
* Provide a friendly error if gem isn't found when verifying.
* We no longer accidentally swallowing the command line validation in
SignCommand.
* Validate that actual key id is in the form of 0xDEADBEEF to
eliminate potential gpg trickery.
* Validate gpg install when running any OpenPGP operation.
1.1 - 2011-05-28
================
* Fix for windows verification, files must be opened in binary mode.
1.0 - Initial Release - 2011-05-28
==================================