
Installation

Jeff Felchner edited this page Apr 24, 2016 · 4 revisions

First:

gem install ruby-progressbar

Then in your script:

require 'ruby-progressbar'

or in your Gemfile

gem 'ruby-progressbar'

or from IRB

irb -r 'ruby-progressbar'

Gem Signing

Recently there was a vulnerability found in Rubygems which could have allowed gems with dashes in their names (like this one) to be replaced on a server without anyone knowing. Because ruby-progressbar is a very popular library, I decided to take the time to make sure that, should my users choose, they would never have to worry about that for my gems.

From 1.8.0 forward, I'll begin cryptographically signing each of my releases with my private key. My public key will be available on the repo for anyone to access at any time.

There are only two steps required for you to securely install this gem:

  • Add my public key as a trusted certificate
gem cert --add <(curl -Ls https://raw.github.com/jfelchner/ruby-progressbar/master/certs/jfelchner.pem)
  • Install the gem by telling Rubygems to verify the signature
gem install ruby-progressbar -P HighSecurity

The MediumSecurity trust profile verifies signed gems but still allows unsigned dependencies to be installed. Because ruby-progressbar has no dependencies, you can install it with HighSecurity, which refuses anything unsigned.

Checksums

In addition to signing each release, I'll commit the checksums for each release to the repo and they too will be publicly available.

A simple curl command is all that's required to get the verifiable checksum for any release:

curl --silent https://raw.githubusercontent.com/jfelchner/ruby-progressbar/master/checksum/ruby-progressbar-1.8.0.gem.sha256

=> 78020988fc8603843747e316edb8fc50481c6842583eab5749e29fbbc9660f54

Simply replace the version number with the version you'd like to verify, and the extension with the algorithm you'd like to verify against.

Available Algorithms

  • SHA512 - .sha512
  • SHA256 - .sha256
  • MD5 - .md5
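The checksum procedure above, as an added example that is not part of the project's own tooling: a small POSIX shell script that fetches the published checksum using the URL pattern and suffixes from this page, computes the digest of a locally downloaded .gem, and reports a match or mismatch. It assumes the coreutils sha512sum/sha256sum/md5sum tools are on the PATH; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the ruby-progressbar project): verify a downloaded
# .gem against the checksum files published in the repo. The URL pattern and
# the .sha512/.sha256/.md5 suffixes come from the wiki; the rest is assumed.

CHECKSUM_BASE="https://raw.githubusercontent.com/jfelchner/ruby-progressbar/master/checksum"

# Download the published checksum for a version and algorithm (sha512|sha256|md5).
# Example: fetch_checksum 1.8.0 sha256
fetch_checksum() {
  curl --silent --fail "$CHECKSUM_BASE/ruby-progressbar-$1.gem.$2"
}

# Compute the hex digest of a local file with the requested algorithm.
# Uses coreutils sha512sum/sha256sum/md5sum; the first field is the digest.
digest_file() {
  file=$1; algo=$2
  case $algo in
    sha512|sha256|md5) "${algo}sum" "$file" | cut -d' ' -f1 ;;
    *) echo "unsupported algorithm: $algo" >&2; return 2 ;;
  esac
}

# Compare a local .gem against an expected digest. Returns 0 only on an exact
# (case-insensitive) match. MD5 is accepted because the repo publishes it, but
# prefer sha256 or sha512 when you have the choice.
verify_gem() {
  file=$1; algo=$2; expected=$3
  actual=$(digest_file "$file" "$algo") || return 2
  expected=$(printf '%s' "$expected" | tr -d '[:space:]' | tr '[:upper:]' '[:lower:]')
  if [ -n "$actual" ] && [ "$actual" = "$expected" ]; then
    echo "OK: $file matches published $algo checksum"
    return 0
  fi
  echo "MISMATCH: $file $algo=$actual expected=$expected" >&2
  return 1
}

# Typical use after downloading the gem without installing it
# (e.g. `gem fetch ruby-progressbar -v 1.8.0`):
#   verify_gem ruby-progressbar-1.8.0.gem sha256 "$(fetch_checksum 1.8.0 sha256)"
```

A match only proves the gem equals what the checksum file says; that the checksum file itself is genuine rests on the signed commit that added it, as the next section explains.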

Commit Signing

Of course, the checksums are only meaningful if it was actually I who added them to the repo. If you want to be 100% sure that the commit that added the checksums was made by me, all you have to do is look for the "Verified" tag next to the commit: I sign every one of my commits with my GPG key, including those that add checksums to the repo.

Verified Commits