RubyGems Navigation menu

How to opt-in for MFA requirement.

You can make your gems more secure by requiring that all privileged operations by any of the owners require OTP.

Opt-in to MFA requirement

You can opt-in a gem you are managing by releasing a version that has metadata.rubygems_mfa_required set to true.

% cat hola.gemspec do |s|
s.metadata       = { "rubygems_mfa_required" => "true" }

The version being released with rubygems_mfa_required set and all the following version will require that you provide an OTP for all privileged operations. Once enabled, the gem page will show NEW VERSIONS REQUIRE MFA in the sidebar, and all versions published with rubygems_mfa_required set will also show VERSION PUBLISHED WITH MFA: MFA status indicators

You will see the following error message if you have not enabled MFA and you are trying to release a new version for a gem that requires MFA:

$ gem push hola-1.0.0.gem
Pushing gem to
Rubygem requires owners to enable MFA. You must enable MFA before pushing new version.

privileged operations

Following operations will require OTP verification if you have MFA requirement set on the gem.

  • gem push
  • gem yank
  • gem owner --add/remove
  • adding or removing owners using gem ownership page

Disabling MFA requirement

You can disable the MFA requirement by setting rubygems_mfa_required to "false" or any ActiveRecord::Type::Boolean::FALSE_VALUES.

Note: We will enforce the MFA requirement on the version being published. MFA requirement will be disabled after you have successfully published a gem with rubygems_mfa_required set to false.