As I said, it's as good as no code signing. The very lack of a chain of trust stemming from rubygems that can be used to verify gem authenticity makes the whole thing useless.