rubygems-trust / rubygems.org

The Ruby community's gem hosting service.

Home Page: https://rubygems.org

Gem signing should be optional and explicit even if you specify a private key

grant-olson opened this issue · comments

https://twitter.com/mperham/status/299921788257832960

I believe he's saying the current signing code will always try to sign a gem if you have a private key in your gemspec. As a practical matter, this 'breaks' any gem that signs itself, preventing it from being used when a Gemspec points to a git repo.

For best practices:

  • Even the gem author shouldn't sign various test and dummy builds built from an unknown non-release state
  • Anyone on a dev team should be able to build unofficial gems if they want or need to, even if they don't have access to the signing key.
  • Developers shouldn't be required to just not check the gemspec into source control as a work around.

Note I posted this here instead of the forked rubygems-trust/rubygems because it doesn't seem I can open an issue there.
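One way to get the opt-in behaviour the issue asks for with the gemspec as it exists today is to gate `signing_key` on an explicit switch rather than on the mere presence of a key. The following is an added example, not code from this issue or from rubygems; the environment variable name `GEM_SIGN` and the key/cert paths are assumptions chosen for illustration. Signing happens only when the builder explicitly asks for it and the private key is actually readable, so unsigned dev builds and git-sourced installs keep working and the gemspec can stay in source control.

```ruby
require "rubygems"
require "tmpdir"

# Decide whether this build should be signed. Two conditions must both hold:
#   1. the builder explicitly opted in (GEM_SIGN=1; name chosen for this example), and
#   2. the private key file is present and readable on this machine.
# Returns the key path, or nil when the build should stay unsigned.
def signing_key_for(env: ENV, key_path: File.expand_path("~/.gem/gem-private_key.pem"))
  return nil unless env["GEM_SIGN"] == "1"
  return nil unless File.readable?(key_path)
  key_path
end

# Build a specification that only carries signing metadata when signing_key_for
# says so. A developer without the key (or without GEM_SIGN) gets a plain,
# unsigned spec instead of a build that fails trying to sign.
def build_spec(env: ENV,
               key_path: File.expand_path("~/.gem/gem-private_key.pem"),
               cert_path: File.expand_path("~/.gem/gem-public_cert.pem"))
  Gem::Specification.new do |s|
    s.name    = "example"          # assumed gem name
    s.version = "0.1.0"
    s.summary = "Example gem with opt-in signing"
    s.authors = ["Example Author"]
    s.files   = []

    key = signing_key_for(env: env, key_path: key_path)
    if key
      s.signing_key = key          # triggers signing in `gem build`
      s.cert_chain  = [cert_path]  # public cert shipped alongside the signature
    end
  end
end

# Stand-alone demonstration using a constructed throwaway key file.
if $PROGRAM_NAME == __FILE__
  Dir.mktmpdir do |dir|
    key  = File.join(dir, "gem-private_key.pem")
    cert = File.join(dir, "gem-public_cert.pem")
    File.write(key, "constructed placeholder, not a real key")

    unsigned = build_spec(env: {}, key_path: key, cert_path: cert)
    signed   = build_spec(env: { "GEM_SIGN" => "1" }, key_path: key, cert_path: cert)
    puts "without GEM_SIGN: signing_key=#{unsigned.signing_key.inspect}"
    puts "with GEM_SIGN=1:  signing_key=#{signed.signing_key.inspect}"
  end
end
```

With this shape a release engineer runs `GEM_SIGN=1 gem build example.gemspec` to produce a signed gem, while everyone else (and `bundle install` resolving a `git:` source) gets an unsigned build from the very same gemspec.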