Gem signing should be optional and explicit even if you specify a private key
grant-olson opened this issue · comments
https://twitter.com/mperham/status/299921788257832960
I believe he's saying the current signing code will always try to sign a gem if you have a private key in your gemspec. As a practical matter, this 'breaks' any gem that signs itself from being used when a Gemspec points to a git repo.
For best practices:
- Even the gem author shouldn't sign various test and dummy builds built from an unknown non-release state
- Anyone on a dev team should be able to build unofficial gems if they want or need to, even if they don't have access to the signing key.
- Developers shouldn't be required to just not check the gemspec into source control as a workaround.
Note I posted this here instead of the forked rubygems-trust/rubygems because it doesn't seem I can open an issue there.
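One way a gemspec can make signing opt-in, as an added example that is not code from the issue, from RubyGems or from rubygems-trust: the hypothetical `GEM_SIGN` environment variable, the helper names and the key/cert paths are all assumptions. Signing is enabled only when the build is explicitly marked as a release and the private key is actually present, so dev-team members without the key, and builds straight from a git checkout, produce unsigned gems instead of failing.

```ruby
require "rubygems"

# Decide whether this build should be signed. Returns a hash of signing
# settings, or nil when the gem must be built unsigned.
#   env      - environment to consult (injected so the logic is testable)
#   key_path - private key location (assumed path; only used if it exists)
#   cert_path - public certificate to embed in the gem's cert chain (assumed)
def signing_settings(env: ENV,
                     key_path: File.expand_path("~/.gem/gem-private_key.pem"),
                     cert_path: "certs/gem-public_cert.pem")
  # Explicit opt-in: a test or dummy build from an unknown state is never signed
  # just because a key happens to be on the machine.
  return nil unless env["GEM_SIGN"] == "1"
  # Developers without the signing key build an unsigned gem rather than an error.
  return nil unless File.exist?(key_path)
  { signing_key: key_path, cert_chain: [cert_path] }
end

# Build a minimal (constructed, hypothetical) specification; signing fields are
# only populated when signing_settings says the build should be signed.
def build_spec(env: ENV, key_path: File.expand_path("~/.gem/gem-private_key.pem"),
               cert_path: "certs/gem-public_cert.pem")
  Gem::Specification.new do |s|
    s.name    = "example-gem"      # constructed sample values
    s.version = "0.0.1"
    s.summary = "Example of opt-in gem signing"
    s.authors = ["example author"]
    s.files   = []
    if (settings = signing_settings(env: env, key_path: key_path, cert_path: cert_path))
      s.signing_key = settings[:signing_key]
      s.cert_chain  = settings[:cert_chain]
    end
  end
end

# True when the resulting gem will carry a signature.
def signed?(spec)
  !spec.signing_key.nil? && !spec.cert_chain.empty?
end
```

Checking the same gemspec into source control then stays safe: a plain `GEM_SIGN` unset build yields an unsigned gem, and only a release build on a machine that holds the key is signed.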