🐛 Fix ability to build gem without signing

pboling · pboling · commit 5c6122b0beb0 · 2025-05-06T15:41:49.000+07:00
- for linux package maintainers
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
@@ -84,11 +84,14 @@ Also see GitLab Contributors: [https://gitlab.com/oauth-xx/version_gem/-/graphs/
 
 ### One-time, Per-maintainer, Setup
 
-**IMPORTANT**: Your public key for signing gems will need to be picked up by the line in the
-`gemspec` defining the `spec.cert_chain` (check the relevant ENV variables there),
-in order to sign the new release.
+**IMPORTANT**: If you want to sign the build you create,
+your public key for signing gems will need to be picked up by the line in the
+`gemspec` defining the `spec.cert_chain` (check the relevant ENV variables there).
+All releases to RubyGems.org will be signed.
 See: [RubyGems Security Guide][🔒️rubygems-security-guide]
 
+NOTE: To build without signing the gem you must set `SKIP_GEM_SIGNING` to some value in your environment.
+
 ### To release a new version:
 
 1. Run `bin/setup && bin/rake` as a tests, coverage, & linting sanity check
diff --git a/version_gem.gemspec b/version_gem.gemspec
@@ -11,16 +11,16 @@ Gem::Specification.new do |spec|
   # Linux distros may package ruby gems differently,
   #   and securely certify them independently via alternate package management systems.
   # Ref: https://gitlab.com/oauth-xx/version_gem/-/issues/3
-  # Hence, only enable signing if the cert_file is present.
+  # Hence, only enable signing if `SKIP_GEM_SIGNING` is not set in ENV.
   # See CONTRIBUTING.md
-  default_user_cert = "certs/#{ENV.fetch("GEM_CERT_USER", ENV["USER"])}.pem"
-  default_user_cert_path = File.join(__dir__, default_user_cert)
-  cert_file_path = ENV.fetch("GEM_CERT_PATH", default_user_cert_path)
+  user_cert = "certs/#{ENV.fetch("GEM_CERT_USER", ENV["USER"])}.pem"
+  cert_file_path = File.join(__dir__, user_cert)
   cert_chain = cert_file_path.split(",")
-  if cert_file_path && cert_chain.map { |fp| File.exist?(fp) }
+  cert_chain.select! { |fp| File.exist?(fp) }
+  if cert_file_path && cert_chain.any?
     spec.cert_chain = cert_chain
-    if $PROGRAM_NAME.end_with?("gem", "rake") && ARGV[0] == "build"
-      spec.signing_key = File.expand_path("~/.ssh/gem-private_key.pem")
+    if $PROGRAM_NAME.end_with?("gem") && ARGV[0] == "build" && !ENV.include?("SKIP_GEM_SIGNING")
+      spec.signing_key = File.join(Gem.user_home, ".ssh", "gem-private_key.pem")
     end
   end
 
