
The Signing Cert for this gem is expired. It can no longer be installed securely #5

Closed
grempe opened this issue Oct 12, 2016 · 11 comments

Comments

@grempe

grempe commented Oct 12, 2016

The gem signing cert for this gem is expired as of Sep 1 20:49:18 2016 GMT.

I came across this when trying to install the dawnscanner app from @thesp0nge which then failed.

You will need to generate a new signing cert (it should probably have a very long expiration, or none).

Here is the output of that install attempt:

$ gem install dawnscanner -P MediumSecurity
Fetching: cvss-0.99.0.gem (100%)
WARNING:  cvss-0.99.0 is not signed
Successfully installed cvss-0.99.0
Fetching: haml-4.0.7.gem (100%)
WARNING:  haml-4.0.7 is not signed

HEADS UP! Haml 4.0 has many improvements, but also has changes that may break
your application:

* Support for Ruby 1.8.6 dropped
* Support for Rails 2 dropped
* Sass filter now always outputs <style> tags
* Data attributes are now hyphenated, not underscored
* html2haml utility moved to the html2haml gem
* Textile and Maruku filters moved to the haml-contrib gem

For more info see:

http://rubydoc.info/github/haml/haml/file/CHANGELOG.md

Successfully installed haml-4.0.7
Fetching: sys-uname-1.0.2.gem (100%)
ERROR:  While executing gem ... (Gem::Security::Exception)
    certificate /CN=djberg96/DC=gmail/DC=com not valid after 2016-09-01 20:49:18 UTC

Here is the info about this cert:

/tmp$ openssl x509 -in cert.pem -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN=djberg96, DC=gmail, DC=com
        Validity
            Not Before: Sep  2 20:49:18 2015 GMT
            Not After : Sep  1 20:49:18 2016 GMT
        Subject: CN=djberg96, DC=gmail, DC=com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    00:cc:93:92:f5:ea:46:9e:a1:2e:cf:5e:a0:93:92:
                    1e:68:bc:91:16:1b:ab:d5:64:7f:5e:7f:84:cc:49:
                    a6:8b:58:32:02:55:1c:75:ab:98:37:02:e4:3c:9e:
                    d8:f6:e7:5e:34:e4:29:fd:ba:e9:9c:34:3e:d4:fd:
                    87:e9:48:4b:7b:6c:f4:73:be:bd:a0:85:48:cc:05:
                    15:99:a7:58:94:a9:43:70:8d:c3:64:5c:1f:18:d6:
                    92:4f:72:17:b8:a6:10:cf:0a:cf:da:23:86:20:d7:
                    cc:17:ad:75:5e:8c:82:bd:25:57:f6:a5:52:be:d3:
                    35:50:43:9e:06:d7:11:f4:d6:b1:cc:97:87:5a:9d:
                    ef:16:78:11:c3:9d:b0:39:2d:09:ee:46:e3:93:7f:
                    a3:7e:ba:da:d3:d0:bc:9b:22:14:e1:74:08:cf:ca:
                    b8:1b:1a:fc:72:f5:fd:ea:04:98:5e:01:dc:42:88:
                    45:f4:c7:ad:0d:e1:bb:6d:0a:bf:74:49:f3:c4:0c:
                    e1:e7:36:fb:47:5d:f7:bb:97:eb:dd:ce:ce:fe:bd:
                    f3:57:f2:12:0f:9a:5c:b9:31:ae:45:62:33:fb:73:
                    da:a4:76:64:4d:23:3e:11:d3:44:43:d8:78:c1:20:
                    a6:d4:64:4e:65:92:28:0b:8b:55:6a:c9:11:f8:25:
                    0e:d9
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Key Encipherment, Data Encipherment
            X509v3 Subject Key Identifier:
                4C:1E:9E:7E:9B:7C:90:03:9A:E2:03:88:C4:8E:CD:E7:4E:AC:BF:B1
            X509v3 Subject Alternative Name:
                email:[email protected]
            X509v3 Issuer Alternative Name:
                email:[email protected]
    Signature Algorithm: sha1WithRSAEncryption
        79:8d:38:25:a8:0d:50:fb:e7:31:c5:b9:e6:34:be:2c:06:0d:
        53:f5:04:d1:85:0b:ec:97:71:be:ee:d8:69:4a:fa:71:0c:08:
        e4:6a:cd:44:5b:60:f7:fb:b4:bf:bf:87:39:9e:3c:84:73:ee:
        2d:f4:50:cf:ff:eb:81:88:d4:d2:ef:f6:39:7b:9c:8c:23:84:
        fa:57:a5:fe:ff:96:ed:88:f6:13:93:b2:fc:12:ba:66:f9:52:
        22:82:fe:ca:81:c4:8d:ec:7e:3f:69:af:bf:56:a6:fe:0c:ba:
        29:17:d5:73:e2:93:b3:5c:6f:b3:4f:b0:93:f0:d3:a2:ef:c9:
        cd:c7:92:0e:57:d9:7a:4f:b4:bb:52:f8:6a:f6:c0:a2:67:9b:
        36:f9:ac:83:d2:d5:c9:ac:aa:fd:0c:f4:b3:d6:7e:5c:df:c2:
        86:7f:4a:99:e6:85:a8:0f:fa:0d:39:a7:c6:d1:34:a8:d9:48:
        0d:a2:22:63:3f:1b:26:19:10:96:33:c5:d3:ce:af:1d:a7:e8:
        d6:11:dc:79:3e:bc:73:f4:53:b5:01:4a:f7:88:eb:ea:b1:fa:
        77:50:61:a7:b2:0a:7f:86:45:7d:8f:29:2f:61:eb:a6:05:fd:
        0d:55:b4:64:87:80:09:9c:2e:59:1d:1a:06:a7:d7:cd:aa:b0:
        4f:f8:90:a3
@djberg96
Owner

@grempe Yeah, I wondered if and when I would start seeing these issues. Unfortunately the gem command only creates a 1-year key. I did submit a feature request that was accepted in rubygems/rubygems#1719 that will allow users to set the expiration length, but it hasn't been released yet.

Anyway, I'll update the cert. Thanks for the report.

@grempe
Author

grempe commented Oct 13, 2016

Ha! Pretty ironic that I filed this report against your cert and you've already solved the bigger issue in a PR.

Well played sir, well played.

In the interim, or for anyone else running up against this issue who needs to use an older version of rubygems, I whipped up this little script which runs the gem cert --build command, but with the expiration time constant monkey-patched into the future. The generated .pem files land in whatever dir you run the script from.

https://gist.github.com/grempe/f2a9822578d46c0545b614ced20d5695

I generated a new release using a 10 year expiry with this key if you want to test it out.

https://github.com/grempe/tss-rb/blob/master/certs/gem-public_cert_grempe_2026.pem

Cheers.

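The script linked above works by monkey-patching the rubygems expiration constant (Gem::Security::ONE_YEAR) before calling gem cert --build. The added example below is not the gist, nor rubygems' or this gem's own code: it builds a self-signed signing certificate of the same shape as the one printed earlier in the thread (CN/DC subject, CA:FALSE, digitalSignature/keyEncipherment/dataEncipherment, SAN email) directly with Ruby's OpenSSL bindings, with the lifetime as a parameter, and adds a small status check that reports whether a PEM certificate has expired, which is what gem install -P MediumSecurity refuses on. The function names, the example.com address and the ten-year default are assumptions of this example.

```ruby
require 'openssl'

# Build a self-signed gem-signing certificate with a caller-chosen lifetime.
# Hypothetical helper (not rubygems' API): it mirrors the fields shown in the
# `openssl x509 -text` output earlier in the thread, but signs with SHA-256
# instead of the SHA-1 seen there. Lifetime is years * 365 days, the same
# day-based arithmetic rubygems uses for its one-year default.
def build_signing_cert(email:, key:, years: 10, not_before: Time.now, serial: 1)
  user, host = email.split('@', 2)
  dcs = host.split('.').map { |part| "/DC=#{part}" }.join
  name = OpenSSL::X509::Name.parse("/CN=#{user}#{dcs}")

  cert = OpenSSL::X509::Certificate.new
  cert.version = 2                     # X.509 v3 (the field is zero-based)
  cert.serial = serial
  cert.subject = name
  cert.issuer = name                   # self-signed, issuer == subject
  cert.public_key = key.public_key
  cert.not_before = not_before
  cert.not_after = not_before + years * 365 * 24 * 60 * 60

  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = cert
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:FALSE'))
  cert.add_extension(ef.create_extension('keyUsage',
                                         'digitalSignature,keyEncipherment,dataEncipherment'))
  cert.add_extension(ef.create_extension('subjectKeyIdentifier', 'hash'))
  cert.add_extension(ef.create_extension('subjectAltName', "email:#{email}"))
  cert.add_extension(ef.create_extension('issuerAltName', "email:#{email}"))

  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Report the validity window of a PEM certificate relative to `now`.
# This is the check that fails with "not valid after ..." during a signed
# install once the signing cert has lapsed; `days_left` goes negative then.
def cert_status(pem, now: Time.now)
  cert = OpenSSL::X509::Certificate.new(pem)
  seconds_left = cert.not_after - now
  {
    subject: cert.subject.to_s,
    not_before: cert.not_before,
    not_after: cert.not_after,
    expired: now > cert.not_after,
    not_yet_valid: now < cert.not_before,
    days_left: (seconds_left / 86_400).floor
  }
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample: a fresh key and a ten-year cert for a placeholder address.
  key = OpenSSL::PKey::RSA.new(2048)
  cert = build_signing_cert(email: 'someone@example.com', key: key, years: 10)
  status = cert_status(cert.to_pem)
  puts "#{status[:subject]} valid until #{status[:not_after].utc} (#{status[:days_left]} days left)"
end
```

cert.to_pem and key.to_pem are what a gemspec references through cert_chain and signing_key; cert_status on the public cert PEM is a cheap thing to run in CI so an approaching expiry shows up before users see the Gem::Security::Exception above.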
@djberg96
Owner

@grempe Ok, I've updated the key. It will expire in 3 years.

@grempe
Author

grempe commented Nov 1, 2016

Great. Thanks!

@djberg96
Owner

djberg96 commented Nov 1, 2016

@grempe Well, I'm told it wasn't actually implemented in 2.6.8 even though it didn't raise an error when I used the switch. So, it may only be good for a year.

@grempe
Author

grempe commented Nov 1, 2016

Yup. You created a new cert with a one year expiration. If you use the script I linked to above you can create longer term certs. Here is the header data for your new cert.

$ openssl x509 -in cert.pem -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN=djberg96, DC=gmail, DC=com
        Validity
            Not Before: Oct 31 18:57:25 2016 GMT
            Not After : Oct 31 18:57:25 2017 GMT
        Subject: CN=djberg96, DC=gmail, DC=com
...

@djberg96
Owner

djberg96 commented Nov 1, 2016

@grempe, reopen this in a year. Hopefully rubygems 2.7.0 will be out by then. ;)

@grempe
Author

grempe commented Nov 1, 2016

Hah. Well I'm not actually using this gem any longer (dawnscanner which brought me here is not something I'm likely to use again). So I guess I'll leave the setting of your calendar reminder to you. :-)

Cheers.

@thesp0nge

"(dawnscanner which brought me here is not something I'm likely to use again)"

:-(

Can I ask why? (even bad feedback will lead to improvements)

On 1 November 2016 at 20:58, Glenn Rempe [email protected] wrote:


$ cd /pub
$ more beer

I pirati della sicurezza applicativa: https://codiceinsicuro.it

@grempe
Author

grempe commented Nov 3, 2016

Hi @thesp0nge,

Sorry, no offense intended. :-)

I tried it again today (since I can install cleanly now using security certs).

I ran it against a Sinatra app I am working on (which is of medium complexity, but security related) and it did run cleanly, saying it performed 165 checks with no issues found (that's good!).

My feedback would be:

  • It's a little unclear from the readme exactly what is being checked. I think if you had a document/wiki that summarized each check (e.g. ruby vulns, rails vulns, sinatra, etc.) and described each (which you have in the code for each) that would be helpful in knowing what was really being checked. You display those details on a failure I think, but if it runs perfectly clean the first time it causes me to question how thorough it is really being. For example, how much of what is being tested for is not really a valuable check as long as I have the current version of ruby and sinatra being used? In other words, what are the vulnerabilities you scan for over and above ruby version and framework version?
  • I don't like that it writes data into a top level folder in my home directory. I want that output restricted to STDOUT or an ignored directory of the project I am running against. You don't mention that it does this in the readme, and you don't document the database format you are storing things in there.

I would give it a try again if it gave me more visibility into what it is checking (so I can know what then is NOT being checked).

Cheers,

Glenn

@thesp0nge

Those are valuable suggestions, thank you so much.

Can you please open an issue on GitHub so I can evaluate and work on improvements to UI messages and findings saving?

Thanks

On 3 November 2016 at 20:33, Glenn Rempe [email protected] wrote:


$ cd /pub
$ more beer

I pirati della sicurezza applicativa: https://codiceinsicuro.it
