At RVM we take security very seriously and cryptographically sign (since version 1.26.0) all releases and the rvm-installer script, so that you can ensure they come from a genuine source.
We use GPG for signing. Both gpg and gpg2 should be fine.
gpg sometimes has problems downloading keys from a remote server, so it might be better to use gpg2 if it is available for your system. However, gpg2 version 2.1.17 has been reported to be affected by the same issue; in that case we recommend downgrading it, or upgrading it to a newer version.
Only trust the keys of people you trust: if you trust us enough to run our code, trust our keys. These are the keys of our maintainers:

```
409B6B1796C275462A1703113804BB82D39DC0E3 # mpapis
7D2BAF1CF37B13E2069D6956105BD0E739499BDB # pkuczynski
```
As a first step, before attempting RVM install, you should install gpg2 and import those keys:
```
gpg --keyserver keyserver.ubuntu.com --recv-keys 409B6B1796C275462A1703113804BB82D39DC0E3 7D2BAF1CF37B13E2069D6956105BD0E739499BDB
```
If you encounter problems with the key server above, try a different one. Some alternatives are presented below:
If importing the gpg keys hangs forever, it might be a firewall issue. If you are behind a firewall, make sure outgoing TCP port 11371 is open.

It is a known issue that if your host does not have IPv6 enabled (which often happens in Docker containers), some key servers might fail to connect. You can forbid gpg's internal dirmngr from using IPv6 by adding the following line to ~/.gnupg/dirmngr.conf:

```
disable-ipv6
```

Make sure no existing dirmngr processes are still running (kill them if they are), then run the gpg --recv-keys command again as given above; it should now work.

Note that the risk here is that if you do need IPv6 later, you may have forgotten about this setting, but for most people this is unlikely to matter.
Alternatively, you can import the keys directly from our web server, although this is a less secure way:

```
curl -sSL https://rvm.io/mpapis.asc | gpg --import -
curl -sSL https://rvm.io/pkuczynski.asc | gpg --import -
```
The identity of our keys can be confirmed at keybase.io. Once you have confirmed them, you can mark them as trusted (the 6 in the ownertrust record means ultimate trust):

```
echo 409B6B1796C275462A1703113804BB82D39DC0E3:6: | gpg2 --import-ownertrust # mpapis@gmail.com
echo 7D2BAF1CF37B13E2069D6956105BD0E739499BDB:6: | gpg2 --import-ownertrust # piotr.kuczynski@gmail.com
```
We usually recommend running the installation with the following command:

```
\curl -sSL https://get.rvm.io | bash -s stable
```
This should be reasonably secure, but if you want to ensure the installer comes from a valid source, you can run a manually verified installation:

```
\curl -sSL https://raw.githubusercontent.com/rvm/rvm/stable/binscripts/rvm-installer -o rvm-installer &&
\curl -sSL https://raw.githubusercontent.com/rvm/rvm/stable/binscripts/rvm-installer.asc -o rvm-installer.asc &&
\gpg2 --verify rvm-installer.asc rvm-installer &&
\bash rvm-installer
```
Verification is automatic for updates: an update with an invalid signature will fail to install.
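The manual verification above relies on the exit status of gpg2 --verify, which is 0 for any good signature from any key in your keyring, not only the maintainers' keys. The following script, an added example that is not part of RVM's own tooling, performs the same download-verify-run steps but reads gpg's machine-readable status output and only runs the installer if the VALIDSIG line names one of the two maintainer fingerprints listed on this page (the file name verify-rvm.sh and the "run" argument are this example's own conventions).

```shell
#!/bin/sh
# Added example, not RVM's own code: fetch rvm-installer and its detached
# signature, then run it only if the signature was made by one of the
# maintainer keys listed on this page. "gpg --verify" exits 0 for any
# good signature from any key in your keyring, so the fingerprint check
# below is what actually ties the file to the RVM maintainers.
set -eu

# Maintainer fingerprints from this page (mpapis, pkuczynski).
TRUSTED_FPRS="409B6B1796C275462A1703113804BB82D39DC0E3 7D2BAF1CF37B13E2069D6956105BD0E739499BDB"

# signature_ok STATUS_TEXT
# STATUS_TEXT is gpg's machine-readable --status-fd output. Succeeds only
# if a VALIDSIG line names a trusted fingerprint, either as the signing
# key (field right after VALIDSIG) or as the primary key (last field),
# so a signature made with a maintainer's subkey is still accepted.
signature_ok() {
  gpg_status="$1"
  for fpr in $TRUSTED_FPRS; do
    if printf '%s\n' "$gpg_status" |
       grep -Eq "^\[GNUPG:] VALIDSIG ($fpr |.* $fpr\$)"; then
      return 0
    fi
  done
  return 1
}

# verify_installer FILE SIGNATURE
# Runs gpg2 with status lines on stdout (its human-readable output goes
# to stderr) and applies the fingerprint allowlist to the result.
verify_installer() {
  status_out="$(gpg2 --status-fd 1 --verify "$2" "$1" 2>/dev/null)" || return 1
  signature_ok "$status_out"
}

# fetch_and_run: the manual install procedure from this page with the
# allowlist check inserted between download and execution.
fetch_and_run() {
  base=https://raw.githubusercontent.com/rvm/rvm/stable/binscripts
  curl -fsSL "$base/rvm-installer"     -o rvm-installer
  curl -fsSL "$base/rvm-installer.asc" -o rvm-installer.asc
  if verify_installer rvm-installer rvm-installer.asc; then
    bash rvm-installer
  else
    echo "rvm-installer: signature is not from a trusted RVM key, not running it" >&2
    return 1
  fi
}

# Only downloads and runs when invoked as: sh verify-rvm.sh run
if [ "${1:-}" = "run" ]; then fetch_and_run; fi
```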
It is good practice to periodically refresh the status of the keys to ensure none of them has been revoked. You can also add this to cron:

```
gpg2 --refresh-keys
```