RFC: Increase the level of trust in released gem files

When we start officially distributing precompiled libraries for Linux (see #1983), I worry a bit about how people will know to trust those binary files in their production environments. I would like to think about how we might improve the trust situation.

One option is to cryptographically sign the released gem file, as described in the RubyGems Security Guide. This seems reasonable to me, but I've opened this issue to ask for other folks' opinions and check if there are other ideas on how to prove that the gem being installed was created by a trusted Nokogiri core maintainer.