For full_name, verifies the certificate chain is valid,
the digests match the signatures signatures created by
the signer depending on the policy settings.
If key is given it is used to validate the signing certificate.
# File lib/rubygems/security/policy.rb, line 211
def verify chain, key = nil, digests = {}, signatures = {},
full_name = '(unknown)'
if signatures.empty? then
if @only_signed then
raise Gem::Security::Exception,
"unsigned gems are not allowed by the #{name} policy"
elsif digests.empty? then
# lack of signatures is irrelevant if there is nothing to check
# against
else
alert_warning "#{full_name} is not signed"
return
end
end
opt = @opt
digester = Gem::Security::DIGEST_ALGORITHM
trust_dir = opt[:trust_dir]
time = Time.now
_, signer_digests = digests.find do |algorithm, file_digests|
file_digests.values.first.name == Gem::Security::DIGEST_NAME
end
if @verify_data then
raise Gem::Security::Exception, 'no digests provided (probable bug)' if
signer_digests.nil? or signer_digests.empty?
else
signer_digests = {}
end
signer = chain.last
check_key signer, key if key
check_cert signer, nil, time if @verify_signer
check_chain chain, time if @verify_chain
check_root chain, time if @verify_root
if @only_trusted then
check_trust chain, digester, trust_dir
elsif signatures.empty? and digests.empty? then
# trust is irrelevant if there's no signatures to verify
else
alert_warning "#{subject signer} is not trusted for #{full_name}"
end
signatures.each do |file, _|
digest = signer_digests[file]
raise Gem::Security::Exception, "missing digest for #{file}" unless
digest
end
signer_digests.each do |file, digest|
signature = signatures[file]
raise Gem::Security::Exception, "missing signature for #{file}" unless
signature
check_data signer.public_key, digester, signature, digest if @verify_data
end
true
end