
Lock the checksum of Bundler itself in the lockfile#9366

Merged
Edouard-chin merged 1 commit intoruby:masterfrom
Shopify:ec-bundler-checksum
Mar 18, 2026

Conversation


@Edouard-chin Edouard-chin commented Mar 5, 2026

What was the end-user or developer problem that led to this PR?

I'd like to be able to lock the checksum of the bundler gem itself. I find it strange that all gems get their checksums locked, but bundler itself (which is the only gem that every application will need to install, due to the auto-switch feature) isn't getting locked.
I think this is a security vulnerability and I'd like to fix it.

With this patch, the lockfile will look like this:

GEM
  remote: https://rubygems.org/
  specs:
    warning (1.5.0)

PLATFORMS
  arm64-darwin-25
  ruby

DEPENDENCIES
  warning

CHECKSUMS
  bundler (9.9.9) sha256=fe2e521b3e2897f24b59cdc682b10ffb2a43677c183fc619911716aa3f203237 <----- This is new
  warning (1.5.0) sha256=0f12c49fea0c06757778eefdcc7771e4fd99308901e3d55c504d87afdd718c53

BUNDLED WITH
  9.9.9

What is your fix for the problem, implemented in this PR?

Details

I'd like to introduce this change as two separate changes for easier review. The first (this commit) only produces the checksum in the lockfile; nothing consumes or verifies it yet.

The second patch will make sure that whenever the Bundler auto-install kicks in, Bundler will verify that the locked checksum matches the Bundler version being downloaded and installed.

That said, please let me know if you'd prefer me to do the whole thing in just one PR.

Solution

Overall the solution here is similar to how checksums are already generated for other gems. However, the bundler gem comes from a different source (the Bundler::Source::Metadata) and so it needs to be handled slightly differently.

A big part of the change is test related. Instead of having to modify all tests that assert the state of the lockfile (which would now be broken, since the lockfile includes the Bundler checksum), I opted to automatically include the checksum whenever the helper method checksums_section is called.

I'll add a few comments on the code directly for parts that may not be obvious.

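The verification step the description defers to the second patch, shown as an added example (not code from this PR or from Bundler): a small parser for the lockfile's CHECKSUMS section, including the new bundler entry, and a check of a downloaded gem's sha256 against the locked value. The lockfile text and the gem payload below are constructed for the example, and `parse_checksums` / `verify_gem` are hypothetical names.

```ruby
require "digest"

# Parse the CHECKSUMS section of a Gemfile.lock into
# { "name-version" => ["sha256", "<hex digest>"] }.
def parse_checksums(lockfile)
  checksums = {}
  in_section = false
  lockfile.each_line do |line|
    if line.start_with?("CHECKSUMS")
      in_section = true
      next
    end
    # Any other top-level header (no leading whitespace) ends the section.
    in_section = false if in_section && line =~ /\A\S/
    next unless in_section
    m = line.match(/\A\s+(\S+) \(([^)]+)\) (\w+)=([0-9a-f]+)\s*\z/)
    next unless m
    checksums["#{m[1]}-#{m[2]}"] = [m[3], m[4]]
  end
  checksums
end

# Compare the bytes of a downloaded .gem against the locked checksum.
# Returns :ok, :mismatch, or :missing (no locked entry for that gem/version).
def verify_gem(checksums, name, version, gem_bytes)
  entry = checksums["#{name}-#{version}"]
  return :missing unless entry
  algo, locked = entry
  raise ArgumentError, "unsupported checksum algorithm #{algo}" unless algo == "sha256"
  # Compare the full hex digest, never a prefix.
  Digest::SHA256.hexdigest(gem_bytes) == locked ? :ok : :mismatch
end

# Constructed stand-in for the bytes of bundler-9.9.9.gem (not a real gem).
FAKE_BUNDLER_GEM = "constructed stand-in for bundler-9.9.9.gem bytes".freeze

# Constructed lockfile in the shape this PR produces; the bundler line is
# derived from the stand-in payload so that verification can succeed.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      warning (1.5.0)

  CHECKSUMS
    bundler (9.9.9) sha256=#{Digest::SHA256.hexdigest(FAKE_BUNDLER_GEM)}
    warning (1.5.0) sha256=0f12c49fea0c06757778eefdcc7771e4fd99308901e3d55c504d87afdd718c53

  BUNDLED WITH
     9.9.9
LOCK
```

Calling `verify_gem(parse_checksums(SAMPLE_LOCKFILE), "bundler", "9.9.9", bytes)` returns `:ok` only when the downloaded bytes hash to the locked value; a tampered payload returns `:mismatch`, and a gem with no CHECKSUMS entry returns `:missing` so the caller can decide whether that is acceptable.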

@Edouard-chin Edouard-chin changed the title Lock the checksum of Bundler itself in the lockfile: Lock the checksum of Bundler itself in the lockfile Mar 5, 2026
@Edouard-chin Edouard-chin force-pushed the ec-bundler-checksum branch 2 times, most recently from caff796 to 5fa57c3 Compare March 17, 2026 18:59
- ### Problem

  With the Bundler autoswitch feature, system Bundler may install
  a `bundler.gem` that matches the Gemfile.lock.
  The `bundler.gem` that gets downloaded is like any other gem,
  but it's treated differently (it doesn't appear in the Gemfile specs
  and we also don't lock its checksum).

  If for any reason Bundler itself gets compromised, it's a security
  concern.

  ### Details

  I'd like to introduce this change as two separate changes for
  easier review.
  The first (this commit) only produces the checksum in the lockfile;
  nothing consumes or verifies it yet.

  The second patch will make sure that whenever the Bundler
  auto-install kicks in, Bundler will verify that the locked checksum
  matches the Bundler version being downloaded and installed.

  ### Solution

  Overall the solution here is similar to how checksums are already
  generated for other gems. However, the `bundler` gem comes from a
  different source (the `Bundler::Source::Metadata`) and so it needs
  to be handled slightly differently.

  A big part of the change is test related. Instead of having to
  modify all tests that assert the state of the lockfile (which
  would now be broken, since the lockfile includes the Bundler
  checksum), I opted to automatically include the checksum whenever
  the helper method `checksums_section` is called.
@hsbt hsbt left a comment


👍

@Edouard-chin Edouard-chin merged commit 44f4b15 into ruby:master Mar 18, 2026
95 checks passed
@Edouard-chin Edouard-chin deleted the ec-bundler-checksum branch March 18, 2026 13:27