In case I missed it, does the brakeman project cryptographically sign or otherwise provide verification information for releases currently?
If not, would the brakeman team consider signing their releases in some fashion? Without trying to tackle the larger gem signing issues in the Ruby community, a few approaches I have seen in the wild include:

* Signing the gem with the current "gem cert" family of commands and publishing the key with the repo or on a site/blog related to the project
* Including a GPG-signed release announcement with gem hashes, like they do with Rack releases: https://groups.google.com/d/msg/rack-devel/mZsuRonD7G8/DpZIOmMLbOgJ
* Providing hashes of updated gems on the gem's main site, like they do with Rails releases: http://weblog.rubyonrails.org/2013/10/17/Rails-4-0-1-rc1-has-been-released/

Obviously each approach has some set of weaknesses associated with it, but I would certainly find it useful to apply another sanity check when pulling down an updated version of brakeman.
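The second and third approaches above both end with the same consumer-side step: take the published list of gem hashes and check the downloaded .gem files against it before installing. The script below is an added example of that check and is not code from the brakeman project or from the post's author. It assumes the published list is in the `sha256sum(1)` line format (`<hex digest>  <filename>`, optionally `*` before the filename for binary mode); the gem file names and contents it uses are constructed placeholders, not real releases. Whether the manifest itself can be trusted (a GPG signature on the announcement, or TLS to the project's own site) is the separate question the post raises; this only closes the gap between "I have a hash" and "I checked it".

```ruby
require "digest"
require "tmpdir"

# Parses a checksum manifest in sha256sum(1) format, one entry per line:
#   <64 hex chars><whitespace>[*]<filename>
# Blank lines and '#' comments are ignored. Any other line is an error:
# a manifest that "mostly" parses is exactly what an attacker wants,
# so malformed input must not be silently skipped.
# Returns { "filename" => "hexdigest" } with digests lower-cased.
def parse_checksum_manifest(text)
  text.each_line.with_object({}) do |line, out|
    line = line.strip
    next if line.empty? || line.start_with?("#")
    m = /\A([0-9a-f]{64})\s+\*?(\S.*)\z/i.match(line)
    raise ArgumentError, "malformed checksum line: #{line.inspect}" unless m
    digest, name = m[1].downcase, m[2]
    raise ArgumentError, "duplicate entry for #{name}" if out.key?(name)
    out[name] = digest
  end
end

# Streams the file through SHA-256 (no need to read a large gem into
# memory) and compares it with the published digest.
def gem_digest_matches?(path, expected_hex)
  Digest::SHA256.file(path).hexdigest == expected_hex.downcase
end

# Checks every manifest entry against the files in dir.
# Returns { "filename" => :ok | :mismatch | :missing }. A :missing entry
# is reported rather than ignored so that a manifest listing more files
# than you downloaded is visible, not lost.
def verify_release(manifest_text, dir)
  parse_checksum_manifest(manifest_text).each_with_object({}) do |(name, digest), results|
    path = File.join(dir, File.basename(name)) # basename: no "../" escapes via the manifest
    results[name] =
      if !File.file?(path)
        :missing
      elsif gem_digest_matches?(path, digest)
        :ok
      else
        :mismatch
      end
  end
end

# Demo on constructed data: placeholder "gem" files (not real gem
# archives) and a hand-built manifest with one good entry, one entry
# whose file was altered after the hash was published, and one entry
# with no file present.
if $PROGRAM_NAME == __FILE__
  Dir.mktmpdir do |dir|
    File.binwrite(File.join(dir, "brakeman-1.2.3.gem"), "constructed gem #1")
    File.binwrite(File.join(dir, "brakeman-min-1.2.3.gem"), "constructed gem #2, altered")
    manifest = <<~MANIFEST
      # constructed manifest for the demo
      #{Digest::SHA256.hexdigest("constructed gem #1")}  brakeman-1.2.3.gem
      #{Digest::SHA256.hexdigest("constructed gem #2")} *brakeman-min-1.2.3.gem
      #{"0" * 64}  brakeman-9.9.9.gem
    MANIFEST
    verify_release(manifest, dir).each do |name, status|
      puts "#{status.to_s.ljust(8)} #{name}"
    end
  end
end
```

A plain `==` on the hex digests is adequate here: an attacker who controls the gem file gains nothing from timing the comparison, since producing a file whose digest is "close" to the published one is not easier than a full second preimage.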