summaryrefslogtreecommitdiff
path: root/lib/rubygems/security/signer.rb
diff options
context:
space:
mode:
Diffstat (limited to 'lib/rubygems/security/signer.rb')
-rw-r--r--lib/rubygems/security/signer.rb26
1 files changed, 21 insertions, 5 deletions
diff --git a/lib/rubygems/security/signer.rb b/lib/rubygems/security/signer.rb
index fc98f951bc..32dab9fa81 100644
--- a/lib/rubygems/security/signer.rb
+++ b/lib/rubygems/security/signer.rb
@@ -30,6 +30,15 @@ class Gem::Security::Signer
attr_reader :digest_name # :nodoc:
##
+ # Gem::Security::Signer options
+
+ attr_reader :options
+
+ DEFAULT_OPTIONS = {
+ expiration_length_days: 365
+ }.freeze
+
+ ##
# Attemps to re-sign an expired cert with a given private key
def self.re_sign_cert(expired_cert, expired_cert_path, private_key)
return unless expired_cert.not_after < Time.now
@@ -40,7 +49,11 @@ class Gem::Security::Signer
Gem::Security.write(expired_cert, new_expired_cert_path)
- re_signed_cert = Gem::Security.re_sign(expired_cert, private_key)
+ re_signed_cert = Gem::Security.re_sign(
+ expired_cert,
+ private_key,
+ (Gem::Security::ONE_DAY * Gem.configuration.cert_expiration_length_days)
+ )
Gem::Security.write(re_signed_cert, expired_cert_path)
@@ -52,10 +65,11 @@ class Gem::Security::Signer
# +chain+ containing X509 certificates, encoding certificates or paths to
# certificates.
- def initialize key, cert_chain, passphrase = nil
+ def initialize key, cert_chain, passphrase = nil, options = {}
@cert_chain = cert_chain
@key = key
@passphrase = passphrase
+ @options = DEFAULT_OPTIONS.merge(options)
unless @key then
default_key = File.join Gem.default_key_path
@@ -130,7 +144,9 @@ class Gem::Security::Signer
raise Gem::Security::Exception, 'no certs provided' if @cert_chain.empty?
if @cert_chain.length == 1 and @cert_chain.last.not_after < Time.now then
- re_sign_key
+ re_sign_key(
+ expiration_length: (Gem::Security::ONE_DAY * options[:expiration_length_days])
+ )
end
full_name = extract_name @cert_chain.last
@@ -154,7 +170,7 @@ class Gem::Security::Signer
# be saved as ~/.gem/gem-public_cert.pem.expired.%Y%m%d%H%M%S where the
# expiry time (not after) is used for the timestamp.
- def re_sign_key # :nodoc:
+ def re_sign_key(expiration_length: Gem::Security::ONE_YEAR) # :nodoc:
old_cert = @cert_chain.last
disk_cert_path = File.join(Gem.default_cert_path)
@@ -174,7 +190,7 @@ class Gem::Security::Signer
unless File.exist?(old_cert_path)
Gem::Security.write(old_cert, old_cert_path)
- cert = Gem::Security.re_sign(old_cert, @key)
+ cert = Gem::Security.re_sign(old_cert, @key, expiration_length)
Gem::Security.write(cert, disk_cert_path)
generated by cgit v1.2.3 (git 2.25.1) at 2024-05-08 16:44:01 +0000