🔥 Remove gem release signing logic

Signed-off-by: Peter H. Boling <[email protected]>

Author: pboling

.envrc

@@ -0,0 +1,30 @@
+# Run any command in this library's bin/ without the bin/ prefix!
+# Prefer exe version over binstub
+PATH_add exe
+PATH_add bin
+
+# Only add things to this file that should be shared with the team.
+
+# **dotenv** (See end of file for .env.local integration)
+# .env would override anything in this file, if enabled.
+# .env is a DOCKER standard, and if we use it, it would be in deployed, or DOCKER, environments.
+# Override and customize anything below in your own .env.local
+# If you are using dotenv and not direnv,
+#   copy the following `export` statements to your own .env file.
+export MIMIC_NEXT_MAJOR_VERSION=false
+export ARUBA_NO_COVERAGE=false
+
+### General Ruby ###
+# Turn off Ruby Warnings about deprecated code
+# export RUBYOPT="-W0"
+
+# Internal Debugging Controls
+export DEBUG=false # do not allow byebug statements (override in .env.local)
+
+# .env would override anything in this file, if `dotenv` is uncommented below.
+# .env is a DOCKER standard, and if we use it, it would be in deployed, or DOCKER, environments,
+#   and that is why we generally want to leave it commented out.
+# dotenv
+
+# .env.local will override anything in this file.
+dotenv_if_exists .env.local

CONTRIBUTING.md

@@ -28,10 +28,6 @@ General/runtime
 - MIMIC_NEXT_MAJOR_VERSION: When set to true, simulates the next major version for testing breaking changes [📌semver-breaking] [📌major-versions-not-sacred] (default: false)
 - ARUBA_NO_COVERAGE: Disable SimpleCov coverage in Aruba tests (default: false)
 
-Releasing and signing
-- SKIP_GEM_SIGNING: If set, skip gem signing during build/release
-- GEM_CERT_USER: Username for selecting your public cert in `certs/<USER>.pem` (defaults to $USER)
-
 For a quick starting point, this repository’s `.envrc` shows sane defaults, and `.env.local` can override them locally.
 
 ## Testing
@@ -90,16 +86,6 @@ Made with [contributors-img][🖐contrib-rocks].
 
 ## For Maintainers
 
-### One-time, Per-maintainer, Setup
-
-**IMPORTANT**: To sign a build,
-a public key for signing gems will need to be picked up by the line in the
-`gemspec` defining the `spec.cert_chain` (check the relevant ENV variables there).
-All releases after v1.1.0 are signed releases.
-See: [RubyGems Security Guide][🔒️rubygems-security-guide]
-
-NOTE: To build without signing the gem set `SKIP_GEM_SIGNING` to any value in the environment. Only do this for testing.
-
 ### To release a new version:
 
 #### Automated process

README.md

@@ -9,7 +9,7 @@
 
 # CycloneDX Ruby Gem
 
-The CycloneDX Ruby Gem creates a valid CycloneDX Software Bill of Materials (SBOM) from all project dependencies. CycloneDX is a lightweight SBOM specification that is easily created, human readable, and simple to parse. 
+The CycloneDX Ruby Gem creates a valid CycloneDX Software Bill of Materials (SBOM) from all project dependencies. CycloneDX is a lightweight SBOM specification that is easily created, human-readable, and simple to parse. 
 
 #### Installing from RubyGems
 

certs/pboling.pem

@@ -14,24 +14,6 @@ Gem::Specification.new do |spec|
   spec.license     = 'Apache-2.0'
   spec.required_ruby_version = '>= 2.7.0'
 
-  # Linux distros often package gems and securely certify them independent
-  #   of the official RubyGem certification process. Allowed via ENV["SKIP_GEM_SIGNING"]
-  # Ref: https://gitlab.com/ruby-oauth/version_gem/-/issues/3
-  # Hence, only enable signing if `SKIP_GEM_SIGNING` is not set in ENV.
-  # See CONTRIBUTING.md
-  unless ENV.include?("SKIP_GEM_SIGNING")
-    user_cert = "certs/#{ENV.fetch("GEM_CERT_USER", ENV["USER"])}.pem"
-    cert_file_path = File.join(__dir__, user_cert)
-    cert_chain = cert_file_path.split(",")
-    cert_chain.select! { |fp| File.exist?(fp) }
-    if cert_file_path && cert_chain.any?
-      spec.cert_chain = cert_chain
-      if $PROGRAM_NAME.end_with?("gem") && ARGV[0] == "build"
-        spec.signing_key = File.join(Gem.user_home, ".ssh", "gem-private_key.pem")
-      end
-    end
-  end
-
   spec.metadata["homepage_uri"] = "https://github.com/CycloneDX/cyclonedx-ruby-gem?tab=readme-ov-file#readme"
   spec.metadata["source_code_uri"] = "https://github.com/CycloneDX/cyclonedx-ruby-gem/tree/v#{spec.version}"
   spec.metadata["changelog_uri"] = "https://github.com/CycloneDX/cyclonedx-ruby-gem/blob/v#{spec.version}/CHANGELOG.md"