Update README, signed gem certs. 2.0.0.pre version

.travis.yml

@@ -3,5 +3,4 @@ rvm:
   - 2.1.0
   - 2.2.4
   - 2.3.1
-  - jruby-9.0.5.0
 before_install: gem install bundler -v 1.12.1

README.md

@@ -28,6 +28,90 @@ Unlike other common challenge-response authentication protocols, such as
 Kerberos and SSL, SiRP does not rely on an external infrastructure of trusted
 key servers or complex certificate management.
 
+## Documentation
+
+There is pretty extensive inline documentation. You can view the latest
+auto-generated docs at [http://www.rubydoc.info/gems/sirp](http://www.rubydoc.info/gems/sirp)
+
+You can check my documentation quality score at
+[http://inch-ci.org/github/grempe/sirp](http://inch-ci.org/github/grempe/sirp?branch=master)
+
+## Supported Platforms
+
+SiRP is continuously integration tested on the following Ruby VMs:
+
+* MRI 2.1, 2.2, 2.3
+
+It may work on others as well.
+
+## Installation
+
+Add this line to your application's `Gemfile`:
+
+```ruby
+gem 'sirp', '~> 2.0'
+```
+
+And then execute:
+```sh
+$ bundle
+```
+
+Or install it yourself as:
+
+```sh
+$ gem install sirp
+```
+
+### Installation Security : Signed Ruby Gem
+
+The SiRP gem is cryptographically signed. To be sure the gem you install hasn’t
+been tampered with you can install it using the following method:
+
+Add my public key (if you haven’t already) as a trusted certificate
+
+```
+# Caveat: Gem certificates are trusted globally, such that adding a
+# cert.pem for one gem automatically trusts all gems signed by that cert.
+gem cert --add <(curl -Ls https://raw.github.com/grempe/sirp/master/certs/gem-public_cert_grempe.pem)
+```
+
+To install, it is possible to specify either `HighSecurity` or `MediumSecurity`
+mode. Since the `sirp` gem depends on one or more gems that are not cryptographically
+signed you will likely need to use `MediumSecurity`. You should receive a warning
+if any signed gem does not match its signature.
+
+```
+# All dependent gems must be signed and verified.
+gem install sirp -P HighSecurity
+```
+
+```
+# All signed dependent gems must be verified.
+gem install sirp -P MediumSecurity
+```
+
+```
+# Same as above, except Bundler only recognizes
+# the long --trust-policy flag, not the short -P
+bundle --trust-policy MediumSecurity
+```
+
+You can [learn more about security and signed Ruby Gems](http://guides.rubygems.org/security/).
+
+### Installation Security : Signed Git Commits
+
+Most, if not all, of the commits and tags to the repository for this code are
+signed with my PGP/GPG code signing key. I have uploaded my code signing public
+keys to GitHub and you can now verify those signatures with the GitHub UI.
+See [this list of commits](https://github.com/grempe/sirp/commits/master)
+and look for the `Verified` tag next to each commit. You can click on that tag
+for additional information.
+
+You can also clone the repository and verify the signatures locally using your
+own GnuPG installation. You can find my certificates and read about how to conduct
+this verification at [https://www.rempe.us/keys/](https://www.rempe.us/keys/).
+
 ## Compatibility
 
 This implementation has been tested for compatibility with the following SRP-6a
@@ -115,3 +199,33 @@ run `bundle exec rake test` to run the tests. You can also run `bin/console` for
 interactive prompt that will allow you to experiment.
 
 To install this gem onto your local machine, run `bundle exec rake install`.
+
+### Contributing
+
+Bug reports and pull requests are welcome on GitHub
+at [https://github.com/grempe/sirp](https://github.com/grempe/sirp). This
+project is intended to be a safe, welcoming space for collaboration, and
+contributors are expected to adhere to the
+[Contributor Covenant](http://contributor-covenant.org) code of conduct.
+
+## Legal
+
+### Copyright
+
+(c) 2016 Glenn Rempe <[[email protected]](mailto:[email protected])> ([https://www.rempe.us/](https://www.rempe.us/))
+
+(c) 2012 Mikael Lammentausta
+
+### License
+
+The gem is available as open source under the terms of
+the [BSD 3-clause "New" or "Revised" License](https://spdx.org/licenses/BSD-3-Clause.html).
+
+### Warranty
+
+Unless required by applicable law or agreed to in writing,
+software distributed under the License is distributed on an
+"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND,
+either express or implied. See the LICENSE.txt file for the
+specific language governing permissions and limitations under
+the License.

certs/gem-public_cert_grempe.pem

@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDYDCCAkigAwIBAgIBATANBgkqhkiG9w0BAQUFADA7MQ4wDAYDVQQDDAVnbGVu
+bjEVMBMGCgmSJomT8ixkARkWBXJlbXBlMRIwEAYKCZImiZPyLGQBGRYCdXMwHhcN
+MTYwNDExMDI0NTU0WhcNMTcwNDExMDI0NTU0WjA7MQ4wDAYDVQQDDAVnbGVubjEV
+MBMGCgmSJomT8ixkARkWBXJlbXBlMRIwEAYKCZImiZPyLGQBGRYCdXMwggEiMA0G
+CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDZqTH5Jf+D/W2B4BIiL49CpHa86rK/
+oT+v3xZwuEE92lJea+ygn3IAsidVTW47AKE6Lt3UqUkGQGKxsqH/Dhir08BqjLlD
+gBUozGZpM3B6uWZnD6QXLbOmZeGVDnwB/QDfzaawN1i3smlYxYT+KNLjl80aN3we
+/cHAWG7JG47AF/S91mYcg1WgZnDgZt9+RyVR1AsfYbM+SidOSoXEOHPCbuUxLKJb
+gj5ieCFhm5GNWEugvgiX/ruas+VHV0fF3fzjYlU2fZPTuQyB4UD5FWX4UqdsBf3w
+jB94TDBsJ3FVGPbggEhLGKd8pbQmBIOqXolGaqhs7dnuf5imu5mAXHC1AgMBAAGj
+bzBtMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgSwMB0GA1UdDgQWBBRfxEyosUbKjfFa
+j+gae2CcT3aFCTAZBgNVHREEEjAQgQ5nbGVubkByZW1wZS51czAZBgNVHRIEEjAQ
+gQ5nbGVubkByZW1wZS51czANBgkqhkiG9w0BAQUFAAOCAQEAzgK20+MNOknR9Kx6
+RisI3DsioCADjGldxY+INrwoTfPDVmNm4GdTYC+V+/BvxJw1RqHjEbuXSg0iibQC
+4vN+th0Km7dnas/td1i+EKfGencfyQyecIaG9l3kbCkCWnldRtZ+BS5EfP2ML2u8
+fyCtze/Piovu8IwXL1W5kGZMnvzLmWxdqI3VPUou40n8F+EiMMLgd53kpzjtNOau
+4W+mqVGOwlEGVSgI5+0SIsD8pvc62PlPWTv0kn1bcufKKCZmoVmpfbe3j4JpBInq
+zieXiXZSAojfFx9g91fKdIrlPbInHU/BaCxXSLBwvOM0drE+c2ue9X8gB55XAhzX
+37oBiw==
+-----END CERTIFICATE-----

lib/sirp/version.rb

@@ -1,3 +1,3 @@
 module SIRP
-  VERSION = '2.0.0'.freeze
+  VERSION = '2.0.0.pre'.freeze
 end

sirp.gemspec

@@ -11,6 +11,12 @@ Gem::Specification.new do |spec|
 
   spec.required_ruby_version = '>= 2.1.0'
 
+  cert = File.expand_path('~/.gem-certs/gem-private_key_grempe.pem')
+  if cert && File.exist?(cert)
+    spec.signing_key = cert
+    spec.cert_chain = ['certs/gem-public_cert_grempe.pem']
+  end
+
   spec.summary       = 'Secure (interoperable) Remote Password Auth (SRP-6a)'
   spec.description   = <<-EOF
     A Ruby implementation of the Secure Remote Password protocol (SRP-6a).