author: Sam Thursfield <sam.thursfield@codethink.co.uk> 2014-09-23 12:59:03 +0100
committer: Sam Thursfield <sam.thursfield@codethink.co.uk> 2014-09-23 12:59:03 +0100
commit: 60777d91f7b3c6dd370911ac213693404809f55e
tree: ee78beeff65624f9d8000538c37fdd2dd7db9789
parent: dee7477b1b88d594e59c72bd3065c399383ef77c
download: morph-60777d91f7b3c6dd370911ac213693404809f55e.tar.gz
Add info on signed Gems to README
-rw-r--r-- import/README.rubygems 16
1 files changed, 16 insertions, 0 deletions
diff --git a/import/README.rubygems b/import/README.rubygems
index 4b3b7721..1afb62d0 100644
--- a/import/README.rubygems
+++ b/import/README.rubygems
@@ -34,3 +34,19 @@ You may be able to use the `rake gem` command instead of `gem build`.
[Nokigori]: https://github.com/sparklemotion/nokogiri/blob/master/Y_U_NO_GEMSPEC.md
[Hoe]: http://www.zenspider.com/projects/hoe.html
+
+
+Signed Gems
+-----------
+
+It's possible for a Gem maintainer to sign their Gems. See:
+
+ - <http://blog.meldium.com/home/2013/3/3/signed-rubygems-part>
+ - <http://www.ruby-doc.org/stdlib-1.9.3/libdoc/rubygems/rdoc/Gem/Security.html>
+
+When building a Gem in Baserock, signing is unnecessary because it's not going
+to be shared except as part of the build system. The .gemspec may include a
+`signing_key` field, which will be a local path on the maintainer's system to
+their private key. Removing this field causes an unsigned Gem to be built.
+
+Known Gems that do this: 'net-ssh' and family.
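
Review bot: The last added paragraph ("Removing this field causes an unsigned Gem to be built") gives the fix but not the symptom. Someone importing a Gem will only find this section if they can match it to a failure, so state what the build reports when `signing_key` names a path that exists only on the maintainer's system. In the final line, "Known Gems that do this" is ambiguous: "this" could mean signing their Gems or shipping a `signing_key` path in the .gemspec. Say which, for example "Known Gems whose .gemspec sets `signing_key`". The paragraph also justifies dropping the signature by the Gem not being shared outside the build system. It would help to add one sentence on what the build relies on instead for the integrity of the imported source, since the upstream signature is no longer part of the picture. On the links: the first URL ends in "signed-rubygems-part", which looks cut off and is worth checking that it resolves, and the Gem::Security link is pinned to the 1.9.3 stdlib docs.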