That’s been well supported for years. It’s also possible to set a security policy so only signed gems are allowed. But signatures are worthless without a way to safely trust them, and that is a more difficult problem since it’s not purely technical.
Vendoring all gems, manually verifying diffs on upgrade, and manually verifying signatures where possible is still the best practice here.
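As an added example (not the commenter's code), here is a Ruby script using the RubyGems and OpenSSL APIs that builds throwaway gems signed with constructed self-signed certificates and then audits a vendor/cache-style directory the way the trust problem above plays out: a signature only counts when the chain's root is a certificate you pinned out of band (the same root check RubyGems' HighSecurity policy applies against `~/.gem/trust`), and a valid signature from an unknown certificate is reported separately rather than treated as trusted. The helper names (`make_signing_cert`, `build_demo_gem`, `audit_gems`, `demo_audit`) and the certificate subjects are assumptions for the demo.

```ruby
require 'rubygems/package'
require 'openssl'
require 'tmpdir'

# Self-signed signing certificate (constructed fixture standing in for a gem author's cert).
def make_signing_cert(cn)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version, cert.serial = 2, 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{cn}/DC=example")
  cert.public_key = key.public_key
  cert.not_before, cert.not_after = Time.now - 60, Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [key, cert]
end

# Build a minimal .gem in dir; RubyGems adds metadata.gz.sig/data.tar.gz.sig when a key is set.
def build_demo_gem(dir, name, key = nil, cert = nil)
  spec = Gem::Specification.new do |s|
    s.name, s.version, s.summary, s.authors, s.files = name, '0.1.0', 'demo', ['demo'], []
    s.signing_key, s.cert_chain = key, [cert.to_pem] if key
  end
  Dir.chdir(dir) { Gem::Package.build(spec, true) } # true: skip spec validation for the fixture
  File.join(dir, "#{name}-0.1.0.gem")
end

# Classify every .gem in cache_dir (think vendor/cache): unsigned, signed with a chain whose root
# is a pinned cert (what HighSecurity checks against the trust dir), or signed by an unknown cert.
def audit_gems(cache_dir, trusted_certs)
  trusted = trusted_certs.map(&:to_der)
  Dir[File.join(cache_dir, '*.gem')].sort.to_h do |path|
    chain = Gem::Package.new(path).spec.cert_chain.map { |pem| OpenSSL::X509::Certificate.new(pem) }
    status = if chain.empty? then :unsigned
             elsif trusted.include?(chain.first.to_der) then :signed_trusted
             else :signed_untrusted end
    [File.basename(path), status]
  end
end

# Demo: one unsigned gem, one signed with the pinned cert, one signed by a stranger's cert.
def demo_audit
  Dir.mktmpdir do |dir|
    key, cert = make_signing_cert('maintainer')
    other_key, other_cert = make_signing_cert('stranger')
    build_demo_gem(dir, 'plain')
    build_demo_gem(dir, 'trusted', key, cert)
    build_demo_gem(dir, 'stranger', other_key, other_cert)
    audit_gems(dir, [cert])
  end
end
```

Call `demo_audit` to see the three verdicts, or point `audit_gems` at a real vendor/cache directory with the certificates you have pinned loaded via `OpenSSL::X509::Certificate.new(File.read(path))`.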