RubyGems Navigation menu

How to opt-in for MFA requirement.

You can make your gems more secure by requiring all owners to enable MFA on their account.

Opt-in to MFA requirement

You can opt-in a gem you are managing by releasing a version that has metadata.rubygems_mfa_required set to true.

% cat hola.gemspec do |s|
s.metadata       = { "rubygems_mfa_required" => "true" }

The version being released with rubygems_mfa_required set and all the following versions will require you to have MFA enabled. Once enabled, the gem page will show NEW VERSIONS REQUIRE MFA in the sidebar, and all versions published with rubygems_mfa_required set will also show VERSION PUBLISHED WITH MFA: MFA status indicators

You will see the following error message if you have not enabled MFA and you are trying to release a new version for a gem that requires MFA:

$ gem push hola-1.0.0.gem
Pushing gem to
Rubygem requires owners to enable MFA. You must enable MFA before pushing new version.

Disabling MFA requirement

You can disable the MFA requirement by setting rubygems_mfa_required to "false" or any ActiveRecord::Type::Boolean::FALSE_VALUES.

Note: We will enforce the MFA requirement on the version being published. MFA requirement will be disabled after you have successfully published a gem with rubygems_mfa_required set to false.